Issue 20 - Hoax-Slayer Newsletter
Issue 20: April 23rd, 2004
This week in Hoax-Slayer:
The Great Lottery Scam
Over the last few weeks I've noticed a significant increase in the
amount of lottery scam emails that have been going around. A
number of site visitors have submitted examples that they have
received. Several have also provided copies of further
correspondence they have had with the scammers, and this has been
Basically, these scams work like this:
You receive an unsolicited email, which states that you have won a
major prize in an international lottery. Supposedly, your email
address was collected online and attached to a random number that
was subsequently entered in a draw for the lottery. In order to
claim your prize, you are instructed to contact the official
"agent" in charge of your case. You are also advised to keep the
win confidential for "security reasons". This part of the scam is
basically a random phishing expedition. If you respond in any
way to the email, the scammers will send further messages or even
contact you by phone in an attempt to draw you deeper into the
You may be asked to provide banking details, ostensibly to
facilitate the transfer of your winnings. Sooner or later, the
scammers will request some sort of advance fee supposedly to cover
administration, legal or delivery costs. This request for money
is the main purpose of the scam. At its core, this scam is just a
reworking of the Nigerian loan fraud, in which scammers also
eventually ask for upfront fees to facilitate the "deal". Like
Nigerian scams, victims who do actually pay the requested fees
will probably find that they receive continuing payment demands
to cover "unexpected expenses". The requests for money will go
on until the victim realizes what is happening or has no further
money to send.
The details of the lottery scams vary regularly with regard to the
name of the lottery itself, the country of origin, the sponsoring
organization, the amount of the "prize" and other particulars.
The scammers try to add a patina of legitimacy to their claims by
mentioning real financial institutions, government departments or
well-known companies. They may also provide links to slick-looking,
but fraudulent websites that are designed to back up information
included in the scam emails. If the scammers are successful in
establishing a dialogue with a potential victim, they may provide
"proof" such as a scanned image of a supposed government official's
ID and even photographs of the "winnings" in cash.
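The traits described above (a claimed win, an email address "drawn" at random, a named agent, a confidentiality request, then banking details and an advance fee) can be checked mechanically. The sketch below is an added example, not part of the original newsletter: the patterns, the three-indicator threshold and the follow-up and benign messages are assumptions constructed for illustration, while the first sample is condensed from the example email reproduced in this issue.

```python
import re

# Indicators drawn from the newsletter's description of lottery scams.
# Each indicator fires only if ALL of its patterns match (assumed regexes).
INDICATORS = {
    "lottery_win": [r"\b(lottery|lotto|sweepstakes?)\b", r"\b(won|winner|winning)\b"],
    "email_drawn": [r"\be-?mail address\b", r"\b(ticket|draw|drew|random)\b"],
    "contact_agent": [r"\bcontact\b.{0,60}\bagent\b"],
    "keep_confidential": [r"\bconfidential\b"],
    "bank_details": [r"\b(bank(ing)?|account)\b.{0,40}\b(details|number|information)\b"],
    "advance_fee": [r"\b(fee|charges?|costs?)\b",
                    r"\b(administration|legal|delivery|processing)\b"],
}

def find_indicators(text):
    """Return the sorted names of every indicator found in an email body."""
    flat = " ".join(text.split())  # undo hard line wraps before matching
    return sorted(name for name, patterns in INDICATORS.items()
                  if all(re.search(p, flat, re.IGNORECASE) for p in patterns))

def looks_like_lottery_scam(text):
    """Flag only a claimed win backed by at least two other indicators."""
    hits = find_indicators(text)
    return "lottery_win" in hits and len(hits) >= 3

# Condensed from the example email reproduced in this issue.
FIRST_CONTACT = """We happily announce to you the draw of the UK-LOTTO
Sweepstake Lottery International programs. Your e-mail address attached to
ticket number 564 75600545188 drew the lucky numbers, which subsequently won
you the lottery in the 2nd category. For security reasons, you are advised to
keep your winning information confidential. To file for your claim, please
contact our fiduciary agent."""

# Constructed follow-up of the kind the article describes (not a real email).
FOLLOW_UP = """Dear winner, to release your lottery prize please send your
banking details and pay the administration fee of $450 by wire transfer."""

# Constructed benign message: shares vocabulary but makes no win claim.
BENIGN = """Your order has shipped. Delivery costs were refunded to your
bank account number ending 1234."""

if __name__ == "__main__":
    for label, body in [("first contact", FIRST_CONTACT),
                        ("follow-up", FOLLOW_UP), ("benign", BENIGN)]:
        print(label, looks_like_lottery_scam(body), find_indicators(body))
```

The benign message still trips two indicators, which is why the verdict requires the win claim as an anchor rather than counting keywords alone.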
If you receive one of these scam emails, it is important that you
do not respond to it in any way. The scammers are likely to act
upon any response from those they see as potential victims.
Although it can be educational and even entertaining to "bait" these
scammers, such endeavours should only be attempted under controlled
conditions. The people who run these scams are criminals and could
even resort to violence and intimidation to meet their aims.
I am currently gathering together a collection of examples and other
information about these lottery scams to be placed on the Hoax-Slayer
website. If you have been sent one of these scam emails, I'd be
glad to receive a copy.
A typical example of a lottery scam is reproduced below:
We happily announce to you the draw of the UK-LOTTO Sweepstake
Lottery International programs held on the 27th of March, 2004 in
Johannesburg, South Africa. Your e-mail address attached to ticket
number: 564 75600545188 with Serial number 5368/02 drew the lucky
numbers: 19-6-26-17-35-7, which subsequently won you the lottery in
the 2nd category.
You have therefore been approved to claim a total sum of
US$2,500,000.00 (Two million, Five Hundred Thousand United States
Dollars) in cash credited to file ktu/9023118308/03. This is from a
total cash prize of U.S $ 2.5 Million dollars, shared amongst the
first nine (9) lucky winners in this category.
All participants were selected randomly from World Wide Web site
through computer draw system and extracted from over 100,000
companies. This promotion takes place annually. Please note that
your lucky winning number falls within our European booklet
representative office in Europe as indicated in your play coupon.
In view of this, your U.S$2,500,000.00 (Two million, Five Hundred
Thousand United States Dollars) would be released to you by our
payment office in Europe.
Our European agent will immediately commence the process to
facilitate the release of your funds as soon as you contact him.
For security reasons, you are advised to keep your winning
information confidential till your claims is processed and your
money remitted to you in whatever manner you deem fit to claim
This is part of our precautionary measure to avoid double
claiming and unwarranted abuse of this program by some
unscrupulous elements. Please be warned.
To file for your claim, please contact our fiduciary agent:
Mr Richard Diwar
To avoid unnecessary delays and complications, please quote your
reference/batch numbers in any correspondence with us or our d
Congratulations once more from all members and staffs of this
program. Thank you for being part of our promotional lottery
SIR HENRY BERNARD.
Another ShadowCrew Prank
It appears that the ShadowCrew website is yet again the target
of pranksters. The latest prank email claims to be a transaction
confirmation message for three months access to child pornography.
Another child porn email supposedly from ShadowCrew was circulating
earlier in the year. These emails are quite similar to a prank
email that targeted DarkProfits.com.
At face value the email might seem to be a crude phisher scam in
that it requests recipients to send credit card information. Some
phisher scammers send emails that detail a fictitious credit card
charge and provide a link where recipients can supposedly cancel
the transaction. The link leads to a bogus website that requests
personal information from the user. However, in this case, a simple
email address is provided rather than a link, and different email
addresses are used in different instances of the prank email. The
email addresses point to customer service webpages belonging to
AT&T and I can see no obvious connection to the ShadowCrew website.
While it would certainly be very unwise to send sensitive financial
information via email, history suggests that this particular email
is more likely to be a hoax than a serious phisher scam. Another
was directed at the ShadowCrew site earlier in the year.
This email also looked like a phisher scam but was in fact a prank
designed to discredit ShadowCrew.com.
An example of one of the current prank emails:
ShadowCrew.com team thanks you for choosing our company
best 5 - 7 years old babies, the most uncensored pictures and
movies will beautify your collection,
Your access is valid for 3 months.
If you confirm this transaction, please reply to this message and
your member access will be automatically activated.
If you feel that transaction was made by mistake, please send a
message to email@example.com including your credit card information,
so we can be sure that the message is from you in real.
Thank you again,
An example of an earlier prank:
From: "Shadow Crew"
Subject: Your card has been billed for $149.95
Your credit card will be billed at $22.95 weekly and free 3
pack of child porn CD is shipping to your billing address.
To cancel your membership and CD pack please email full credit
card details to firstname.lastname@example.org
Ready to enjoy all types of underage porn? We have the best
selection for every taste! Click the secret link below and
UPS Uniform Hoax
This hoax is currently enjoying a new lease on life. The hoax
began circulating in early 2003 and has spawned a number of
variations, all equally untrue.
Some versions, including the example below, add a signature that
supposedly belongs to Kimberly Bush-Carr of the U.S. Department of
Homeland Security. However, these emails did not originate from a
government department. The inclusion of an official looking
signature is simply a ruse to add credence to the message's
There are several slightly different versions of the UPS Uniform
hoax, all referring to large purchases of United Parcel Service
uniforms on eBay. However, there have been no reports of large
eBay purchases of UPS uniforms, nor have large quantities of
uniforms been reported stolen. According to a Washington Post
article, both eBay and UPS deny the rumour.
Investigations by the FBI have debunked the stories of stolen
uniforms as nothing more than urban legends. The article also
notes that eBay "has barred sales listings of UPS or any other
contemporary delivery service uniforms, including airline
In a world increasingly concerned with the threat of terrorism,
it is not surprising that false alerts like this one are taken
seriously and spread so widely.
Subject: UPS Uniforms
Government Warning regarding purchase of UPS uniforms:
There has been a huge purchase, $32,000 worth, of United
Parcel Service(UPS) uniforms on eBay over the last 30 days.
This could represent a serious threat as bogus drivers
(terrorists) can drop off anything to anyone
with deadly consequences! If you have ANY questions when a
UPS driver appears at your door, they should be able to
furnish VALID I.D Additionally, if someone in a UPS uniform
comes to make a drop off or pick up, make absolutely sure
they are driving a UPS truck. UPS doesn't make deliveries
or pickups in anything, except a company vehicle If you have a
problem, IMMEDIATELY call your local law enforcement agency right
TAKE THIS SERIOUSLY! Tell everyone in your office, your family,
your friends, etc. Make people aware so that we can prepare
and/or avoid terrorist attacks on our people! Thank you for
your time in reviewing this and PLEASE send to EVERYONE on
your list, even if they are friend or foe.
We should all be aware!
Management Program Specialist
U.S. Department of Homeland Security
Bureau Customs and Border Protection
Washington, DC 20229
Hotmail Hoax still Going Strong
Variations of this email have been circulating since 1999 but it
is still a common visitor to in-boxes across the world. The
information in these messages is completely untrue. Like a lot of
hoax emails, this one banks on the fact that many people will hit
the "forward" button without analysing the information very deeply.
Even if Hotmail was "running out of resources", it would be highly
improbable for them to attempt to remedy the problem by asking
customers to forward an email. Why would Hotmail employ such a
vague, hit-and-miss method of checking on the status of account
holders? If Hotmail really wanted to find out if users still had
an active account they would be more likely to send an email that
asked for a *reply* within a given time frame rather than request
that the message be forwarded. Besides, I'm sure that Hotmail has
sophisticated and precise methods of checking the activity levels of
a given account that do not require the account holder to reply to
*or* forward a specific message.
Although the example below is aimed at Hotmail, variations on the
hoax have also targeted Yahoo and AIM instant messaging customers.
Regardless of the version, the best place for these messages is the
"Deleted Items" folder.
READ THE PARAGRAPH IF YOU WANT TO KEEP YOUR HOTMAIL ACCOUNT!!!!!!!!
Dear Hotmail User,
Because of the sudden rush of people signing up to Hotmail, it has
come to our attention that we are vastly running out of resources.
So, within a month's time, anyone who does not receive this email
with the exact subject heading, will be deleted off our server.
Please forward this email so that we know you are still using this
We want to find out which users are actually using their Hotmail
accounts. So if you are using your account, please pass this e-mail
to every Hotmail user that you can and if you do not pass this
letter to anyone we will delete your account.
A Yahoo Example:
DO NOT DELETE!!!! This is Yahoo President Jay Russell, I am sorry
to announce that Yahoo has reached its maximum number of accounts
two million. If you would like to keep your account for free send
this to everyone on your list. This way we can know which accounts
are being used and which accounts we can delete. Send this within
8 days and your account will remain free. Once again I am sincerely
sorry that I have to do this. Please start sending. Jay Russell,
Virus Report: Weekly Virus Wrap-Up
The list below represents some of the most significant new virus
threats identified by Symantec Security Response over the last
is yet another Netsky variant and has been
afforded a category of 3 out of 5 by Symantec Security Response.
The worm searches the infected computer for email addresses and
sends itself to them using its own SMTP engine. The subject and
attachment names vary, as does the message itself. The From lines
of the emails are spoofed.
is a variant of the worm discussed above and has
similar characteristics. The subject line of the email will be:
Delivery failure notice (ID-(random number))
There is a new variant of the Blaster worm that can attack
unpatched Windows 2000 and XP systems. Ensure that your system
is updated as soon as possible.
Feedback from Site Visitors
Each week a growing number of site visitors have been good enough
to submit examples of hoax or scam emails they have received.
If you receive a hoax or scam email, I would appreciate it if you
would send me a copy
A reader submitted a copy of the email forward below which she
reports has been circulating around various email discussion groups.
This sounds very much like a hoax to me. There is nothing on any
of the major anti-virus sites about a worm that comes with
Incredimail. If it were true, I think it would have been well
documented on various AV sites. Also, the message doesn't name
the alleged worm, nor does it back up the claim with any checkable
I have contacted Incredimail for a comment on this issue, but
they have not as yet replied. If you have received one of these
emails, or have some further information to add about them,
please let me know.
Subject: Fw: WARNING -- ----- Incredimail user !!! EVERYONE
The last version Of Incredimail Mx has a Worm in it That
Dosen't Show Upon Virus Scan Till Installed and Setup
Please Warn Others, As IF They Don't Watch It The Virus Can
Kill Their Anti-Viruses Ability To Function And Remain On Their
Hard Drive Causing A Complete Format To Remove It.
A lot of submissions this week involve lottery scams, the
UPS uniform hoax, and the Hotmail hoax. These are discussed
in detail above.
A number of submissions and page views were once again for
that classic among virus hoaxes, the Teddy Bear Virus Hoax
The article about Camel Spiders in Iraq also proved to be a
popular page with site visitors.
Tip of the Week: Managing Downloads
For a while now I've been using a system of managing downloads
that I feel is quite effective, especially if you download a lot
First of all, I have a parent folder on my C drive that I call
"AAADownloads" so that it stays at the top in Windows Explorer
for easy access.
Every time I download a program, I create a new sub-folder within
this parent folder that has the same name as the software I'm
Normally I store all the files and folders associated with the
software in this sub-folder. I also create a plain text software
log for each download that records the following information.
To save time, I have a template file set up so I can just fill
in the blanks and save the resulting file to the new program's
I find that it can be really useful to have all the information
and files you need for a program in an easily accessible and
The Hoax-Slayer Newsletter is published by:
All Rights Reserved
©Brett M. Christensen, 2009