Debunking email hoaxes and exposing Internet scams since 2003!

Hoax-Slayer Logo Hoax-Slayer Logo

Home    About    New Articles    RSS Feed    Subscriptions    Contact
Bookmark and Share

Issue 20 - Hoax-Slayer Newsletter

Issue 20: April 23th, 2004

This week in Hoax-Slayer:
The Great Lottery Scam

Over the last few weeks I've noticed a significant increase in the amount of lottery scam emails that have been going around. A number of site visitors have submitted examples that they have received. Several have also provided copies of further correspondence they have had with the scammers, and this has been quite enlightening.

Basically, these scams work like this:

You receive an unsolicited email, which states that you have won a major prize in an international lottery. Supposedly, your email address was collected online and attached to a random number that was subsequently entered in a draw for the lottery. In order to claim your prize, you are instructed to contact the official "agent" in charge of your case. You are also advised to keep the win confidential for "security reasons". This part of the scam is basically a random phishing expedition. If you respond in any way to the email, the scammers will send further messages or even contact you by phone in an attempt to draw you deeper into the scam.

You may be asked to provide banking details, ostensibly to facilitate the transfer of your winnings. Sooner or later, the scammers will request some sort of advance fee supposedly to cover administration, legal or delivery costs. This request for money is the main purpose of the scam. At its core, this scam is just a reworking of the Nigerian loan fraud, in which scammers also eventually ask for upfront fees to facilitate the "deal". Like Nigerian scams, victims who do actually pay the requested fees will probably find that they receive continuing payment demands to cover "unexpected expenses". The requests for money will go on until the victim realizes what is happening or has no further money to send.

The details of the lottery scams vary regularly with regard to the name of the lottery itself, the country of origin, the sponsoring organization, the amount of the "prize" and other particulars. The scammers try to add a patina of legitimacy to their claims by mentioning real financial institutions, government departments or well-known companies. They may also provide links to slick looking, but fraudulent websites that are designed to back up information included in the scam emails. If the scammers are successful in establishing a dialogue with a potential victim, they may provide "proof" such as a scanned image of a supposed government official's ID and even photographs of the "winnings" in cash.

If you receive one of these scam emails, it is important that you do not respond to it in any way. The scammers are likely to act upon any response from those they see as potential victims. Although it can be educational and even entertaining to "bait" these scammers, such endeavours should only be attempted under controlled conditions. The people who run these scams are criminals and could even resort to violence and intimidation to meet their aims.

I am currently gathering together a collection of examples and other information about these lottery scams to be placed on the Hoax-Slayer website. If you have been sent one of these scam emails, I'd be glad to receive a copy.

A typical example of a lottery scam is reproduced below:

We happily announce to you the draw of the UK-LOTTO Sweepstake Lottery International programs held on the 27th of March, 2004 in Johannesburg, South Africa. Your e-mail address attached to ticket number: 564 75600545188 with Serial number 5368/02 drew the lucky numbers: 19-6-26-17-35-7, which subsequently won you the lottery in the 2nd category.

You have therefore been approved to claim a total sum of US$2,500,000.00 (Two million, Five Hundred Thousand United States Dollars)in cash credited to file ktu/9023118308/03.This is from a total cash prize of U.S $ 2.5 Million dollars, shared amongst the first nine (9) luckywinners in this category.

All participants were selected randomly from World Wide Web site through computer draw system and extracted from over 100,000 companies. This promotion takes place annually. Please note that your lucky winning number falls within our European booklet representative office in Europe as indicated in your play coupon. In view of this, your U.S$2,500,000.00 (Two million, Five Hundred Thousand United States Dollars) would be released to you by our payment office in Europe.

Our European agent will immediately commence the process to facilitate the release of your funds as soon as you contact him. For security reasons, you are advised to keep your winning information confidential till your claims is processed and your money remitted to you in whatever manner you deem fit to claim your prize.

This is part of our precautionary measure to avoid double claiming and unwarranted abuse of this program by some unscrupulous elements. Please be warned.

To file for your claim, please contact our fiduciary agent: Mr Richard Diwar

To avoid unnecessary delays and complications, please quote your reference/batch numbers in any correspondence with us or our d esignated agent.

Congratulations once more from all members and staffs of this program. Thank you for being part of our promotional lottery program.

UK-LOTTO Co-ordinator.


Another ShadowCrew Prank

It appears that the Shadow Crew website is yet again the target of pranksters. The latest prank email claims to be a transaction confirmation message for three months access to child pornography. Another child porn email supposedly from Shadowcrew was circulating earlier in the year. These emails are quite similar to a prank email that targeted

At face value the email might seem to be a crude phisher scam in that it requests recipients to send credit card information. Some phisher scammers send emails that detail a fictitious credit card charge and provide a link where recipients can supposedly cancel the transaction. The link leads to a bogus website that requests personal information from the user. However, in this case, a simple email address is provided rather than a link, and different email addresses are used in different instances of the prank email. The email addresses point to customer service webpages belonging to AT&T and I can see no obvious connection to the ShadowCrew website.

While it would certainly be very unwise to send sensitive financial information via email, history suggests that this particular email is more likely to be a hoax than a serious phisher scam. Another prank email was directed at the ShadowCrew site earlier in the year. This email also looked like a phisher scam but was in fact a prank designed to discredit

An example of one of the current prank emails: team thanks you for choosing our company best 5 - 7 years old babies, the most uncensored pictures and movies will beautify your collection,

Your access is valid for 3 months.

If you confirm this transaction, please reply to this message and yourmember access will be automatically activated.

If you feel that transaction was made by mistake, please send a message to including your credit card information, so we can be sure that the message is from you in real. Thank you again, Team.

An example of an earlier prank:
From: "Shadow Crew"
Subject: Your card has been billed for $149.95
Your credit card will be billed at $22.95 weekly and free 3 pack of child porn CD is shipping to your billing address.

To cancel your membership and CD pack please email full credit card details to

Ready to enjoy all types of underage porn? We have the best selection for every taste! Click the secret link below and have fun...


UPS Uniform Hoax

This hoax is currently enjoying a new lease on life. The hoax began circulating in early 2003 and has spawned a number of variations, all equally untrue.

Some versions, including the example below, add a signature that supposedly belongs to Kimberly Bush-Carr of the U.S. Department of Homeland Security. However, these emails did not originate from a government department. The inclusion of an official looking signature is simply a ruse to add credence to the message's spurious claims.

There are several slightly different versions of the UPS Uniform hoax, all referring to large purchases of United Parcel Service uniforms on eBay. However, there have been no reports of large eBay purchases of UPS uniforms, nor have large quantities of uniforms been reported stolen. According to a Washington Post article both eBay and UPS deny the rumour. Investigations by the FBI have debunked the stories of stolen uniforms as nothing more than urban legends. The article also notes that eBay "has barred sales listings of UPS or any other contemporary delivery service uniforms, including airline uniforms".

In a world increasingly concerned with the threat of terrorism, it is not surprising that false alerts like this one are taken seriously and spread so widely.

Subject: UPS Uniforms

Government Warning regarding purchase of UPS uniforms: There has been a huge purchase, $32,000 worth, of United Parcel Service(UPS) uniforms on eBay over the last 30 days. This could represent a serious threat as bogus drivers (terrorists) can drop off anything toanyone

with deadly consequences! If you have ANY questions when a UPS driver appears at your door, they should be able to furnish VALID I.D Additionally, if someone in a UPS uniform comes to make a drop off or pick up, make absolutely sure they are driving a UPS truck. UPS doesn't make deliveries or pickups in anything, except a company vehicle If you have a problem, IMMEDIATELY call your local law enforcement agency right away!

TAKE THIS SERIOUSLY! Tell everyone in your office, your family, your friends, etc. Make people aware so that we can prepare and/or avoid terrorist attacks on our people! Thank you for your time in reviewing this and PLEASE send to EVERYONE on your list, even if they are friend or foe.

We should all be aware!

Kimberly Bush-Carr
Management Program Specialist
U.S. Department of Homeland Security
Bureau Customs and Border Protection
Washington, DC 20229


Hotmail Hoax still Going Strong

Variations of this email have been circulating since 1999 but it is still a common visitor to in-boxes across the world. The information in these messages is completely untrue. Like a lot of hoax emails, this one banks on the fact that many people will hit the "forward" button without analysing the information very deeply. Even if Hotmail was "running out of resources", it would be highly improbable for them to attempt to remedy the problem by asking customers to forward an email. Why would Hotmail employ such a vague, hit and miss method of checking on the status of account holders? If Hotmail really wanted to find out if users still had an active account they would be more likely to send an email that asked for a *reply* within a given time frame rather than request that the message be forwarded. Besides, I'm sure that Hotmail has sophisticated and precise methods of checking the activity levels of a given account that do not require the account holder to reply to *or* forward a specific message.

Although the example below is aimed at Hotmail, variations on the hoax have also targeted Yahoo and AIM instant messaging customers.

Regardless of the version, the best place for these messages is the "Deleted Items" folder.


Dear Hotmail User,

Because of the sudden rush of people signing up to Hotmail, it has come to our attention that we are vastly running out of resources. So, within a month's time, anyone who does not receive this email with the exact subject heading, will be deleted off our server. Please forward this email so that we know you are still using this account.


We want to find out which users are actually using their Hotmail accounts. So if you are using your account, please pass this e-mail to every Hotmail user that you can and if you do not pass this letter to anyone we will delete your account.

A Yahoo Example:
DO NOT DELETE!!!! This is Yahoo President Jay Russell, I am sorry to announce that Yahoo has reached its maximum number of accounts two million. If you would like to keep your account for free send this to everyone on your list. This way we can know which accounts are being used and which accounts we can delete. Send this within 8 days and your account will remain free. Once again I am sincerely sorry that I have to do this. Please start sending. Jay Russell, Yahoo Management


Virus Report: Weekly Virus Wrap-Up

The list below represents some of the most significant new virus threats identified by Symantec Security Response over the last few days.

W32.Netsky.X@mm is yet another Netsky variant and has been afforded a category of 3 out of 5 by Symantec Security Response. The worm searches the infected computer for email addresses and sends itself to them using its own SMTP engine. The subject and attachment names vary, as does the message itself. From lines of the emails are spoofed.

W32.Netsky.Y@mm is a variant of the worm discussed above and has similar characteristics. The subject line of the email will be:
Delivery failure notice (ID-(random number))

There is a new variant of the Blaster worm that can attack unpatched Windows 2000 and XP systems. Ensure that your system is updated as soon as possible.


Feedback from Site Visitors

Each week a growing number of site visitors have been good enough to submit examples of hoax or scam emails they have received. If you receive a hoax or scam email, I would appreciate it if you would send me a copy.

A reader submitted a copy of the email forward below which she reports has been circulating around various email discussion groups. This sounds very much like a hoax to me. There is nothing on any of the major anti-virus sites about a worm that comes with Incredimail. If it were true, I think it would have been well documented on various AV sites. Also, the message doesn't name the alleged worm, nor does it back up the claim with any checkable reference.

I have contacted Incredimail for a comment on this issue, but they have not as yet replied. If you have received one of these emails, or have some further information to add about them, please let me know.

Subject: Fw: WARNING -- ----- Incredimail user !!! EVERYONE BE CAREFUL

The last version Of Incredimail Mx has a Worm in it That Dosen't Show Upon Virus Scan Till Installed and Setup

Please Warn Others, As IF They Don't Watch It The Virus Can Kill Their Anti-Viruses Ability To Function And Remain On Their Hard Drive Causing A Complete Format To Remove It.

A lot of submissions this week involve lottery scams, the UPS uniform hoax, and the Hotmail hoax. These are discussed in detail above.

A number of submissions and page views were once again for that classic among virus hoaxes, the Teddy Bear Virus Hoax.

The article about Camel Spiders in Iraq also proved to be a popular page with site visitors.


Tip of the Week: Managing Downloads

For a while now I've been using a system of managing downloads that I feel is quite effective, especially if you download a lot of software.

First of all, I have a parent folder on my C drive that I call "AAADownloads" so that it stays at the top in Windows Explorer for easy access.

Every time I download a program, I create a new sub-folder within this parent folder that has the same name as the software I'm downloading.

Normally I store all the files and folders associated with the software in this sub-folder. I also create a plain text software log for each download that records the following information.

**Download Date:
**Install Date:
**Installation Report:

To save time, I have a template file set up so I can just fill in the blanks and save the resulting file to the new program's sub-folder.

I find that it can be really useful to have all the information and files you need for a program in an easily accessible and well-organized location.


The Hoax_Slayer Newsletter is published by:
Brett M.Christensen
Queensland, Australia
All Rights Reserved
©Brett M. Christensen, 2009
Questions or Comments