Debunking email hoaxes and exposing Internet scams since 2003!


Issue 56 - Hoax-Slayer Newsletter

Issue 56: November, 2005

This month in Hoax-Slayer:
FBI Virus Emails - Sober Worm

Another variant of the Sober worm, Sober X, is currently hitting inboxes around the world. A frightening aspect of this worm is that it may arrive as an email attachment that pretends to be from America's Federal Bureau of Investigation (FBI). Some versions claim to be from the CIA rather than the FBI. The virus email claims that the recipient has been logged visiting illegal websites, and asks him or her to open the attached file to answer a list of questions. However, opening the attachment can infect the computer with a variant of the Sober worm.

It hardly needs to be said that the email is not really from the FBI. Information on the FBI's website states that:
We're sorry to report yet another wave of virus-laden e-mails sent out with false FBI addresses. This particular e-mail claims the FBI has been monitoring your Internet use...says you've accessed so-called illegal websites...and demands you answer questions—all you have to do is open an attachment, maliciously laced with a variant of the w32/sober virus.

Don't do it! In fact, don't EVER respond to unsolicited poison pills like these. The FBI does not conduct business this way.
The CIA website also warns visitors about these bogus emails:
Some members of the public have in the past few days received a bogus e-mail falsely attributed to CIA's Office of Public Affairs. CIA did not send that message. In fact, it does not send unsolicited e-mail to the general public, period. If you have gotten such a message, we strongly encourage you not to open the attachment, which contains a destructive virus.
The hidden purpose of this virus message is simply to panic recipients into clicking on the attachment and inadvertently infecting their machine. Sober X can also arrive as a fake "Delivery Status Notification" message, emails that promise free Paris Hilton videos, and a variety of other messages.

Another variant of Sober that was hitting inboxes in early 2005 used very similar tactics.

For details about this worm and what to do about it, access the Symantec write-up about Sober X by following the link below:

Such ruses are a common ploy used by virus creators. Worms can also arrive disguised as Microsoft security patches, free screensavers or other software, love letters and compromising photographs just to name a few.

Computer users should always be very cautious of emails that arrive with attachments, even those that appear to be from people they know and trust. Many modern Internet worms use spoofing techniques (see article later in this issue) to disguise the real origin of infected emails.

Reliable, up-to-date anti-virus software is an essential requirement for Internet-enabled, Microsoft Windows-based computers.

FBI Version:
Subject : You_visit_illegal_websites

Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.


Please answer our questions!

The list of questions are attached.

Yours faithfully,
Steven Allison

*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000

CIA Version:
Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Please answer our questions!
The list of questions are attached.

Yours faithfully,

Steven Allison

++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505
++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time


Phenylpropanolamine FDA Recall Warning Email

The widely circulated email forward included below warns recipients that medications containing phenylpropanolamine (PPA) have been recalled by the US Food and Drug Administration (FDA). The message contains a long list of products that supposedly contain phenylpropanolamine and therefore should be avoided.

The core information in this email forward was true several years ago. However, the information it contains is now very outdated and is therefore of little value in 2005 and beyond.

In November 2000, the FDA issued a Public Health Advisory concerning the safety of products containing phenylpropanolamine hydrochloride. The advisory noted that the "FDA is taking steps to remove phenylpropanolamine from all drug products and has requested that all drug companies discontinue marketing products containing phenylpropanolamine."

The FDA issued this health advisory after a study revealed that using phenylpropanolamine "increases the risk of hemorrhagic stroke (bleeding into the brain or into tissue surrounding the brain) in women. Men may also be at risk."

Consequently, in the years since this advisory was issued, pharmaceutical companies selling products in the US have indeed removed phenylpropanolamine from their products as requested by the FDA. Therefore, the medications listed in these emails have, in all likelihood, been reformulated and no longer contain phenylpropanolamine.

In fact, the FDA's Phenylpropanolamine (PPA) Information Page advises that people ignore these emails and check the labels of individual medications instead:

FDA is aware of emails circulating widely that list many products allegedly containing PPA. These emails, however, generally contain dated and inaccurate information and should be ignored.

The FDA recommends that consumers read the labels of OTC drug products to determine if the product contains PPA. The Agency believes this to be the most accurate method for determining the PPA content of OTC products rather than providing an incomplete or out-of-date list of products that may have already been reformulated and no longer contain PPA.

If consumers still have medications purchased several years ago, they should certainly check the labels to ascertain if PPA is present.

Other nations have also taken steps to control phenylpropanolamine or educate the public about its use.

Australia's Therapeutic Goods Administration notes:
In June and July of 2001 the last remaining products containing PPA were voluntarily withdrawn from the Australian market by their sponsors. There are now no products containing PPA authorised for supply in Australia.
In 2001, Health Canada initiated a regulatory process to "remove all products containing PPA from the Canadian market".

Information about the phenylpropanolamine debate from a UK perspective is available in a Pharmaceutical Journal article from November 2000.

Due to the seriously outdated nature of the information in this email, forwarding it to others seems counter-productive. A wiser course of action would be to make yourself and others aware of the issues surrounding phenylpropanolamine and to carefully check the labels of medications before dosing. The list of resources included below provides access to more comprehensive information about phenylpropanolamine.

Phenylpropanolamine Information Resources:
FDA Phenylpropanolamine (PPA) Information Page
FDA Public Health Advisory Phenylpropanolamine
Questions and Answers Safety of Phenylpropanolamine
Health Canada Notice
Australian Therapeutic Goods Administration Phenylpropanolamine
Is phenylpropanolamine in UK products really unsafe?
No UK ban for phenylpropanolamine
MedlinePlus Drug Information: Phenylpropanolamine (Systemic)
Phenylpropanolamine and the Risk of Hemorrhagic Stroke

An example of the email:
Drug Recall (Very Important Please Read )

All drugs containing PHENYLPROPANOLAMINE are being recalled. You may want to try calling the 800 number listed on most drug boxes and inquire about a REFUND. Please read this CAREFULLY. Also, please pass this on to everyone you know.

STOP TAKING anything containing this ingredient. It has been linked to increased hemorrhagic stroke (bleeding in brain) among women ages 18-49 in the three days after starting use of medication.

Problems were not found in men, but the FDA recommended that everyone (even children) seek alternative medicine.

The following medications contain Phenylpropanolamine:

[List of medications removed]

They are asking you to call them at [Number Removed] with the lot number on the box so they can send you postage for you to send it back to them, and they will also issue you a refund. If you know of anyone else with small children, PLEASE PASS THIS ON. THIS IS SERIOUS STUFF!

DO PASS ALONG TO ALL ON YOUR MAILING LIST so people are informed. They can then pass it along to their families.

To confirm these findings please take time to check the following:


Drivers Licence on the Internet

The email forward included below is simply the bait for a classic "gotcha" joke and should not be taken seriously. You cannot actually view drivers licence information on the site by entering a name, city and state into the website mentioned in the message. Visitors who do enter the requested details eventually arrive at a "results" page that displays a fake driver's licence that includes an amusing image in place of the usual licence holder's photograph. It does not matter what data is entered into the "search", as the end result will be the same. Even completely fabricated information will generate an identical result.

The site claims that the information entered is not collected and I have no reason to doubt this claim. The following statement is included on the "results" page:
Privacy Policy: This site did not collect the name you entered. It was used only to simulate the joke search and generate the image above.
The website is actually rather clever and, since no real driver's licence information is revealed, it does not compromise the privacy of licence holders in any way. Unfortunately, many people are forwarding the message onward without bothering to go to the site and check it out. Seemingly, many recipients are taking the email at face value and actually believe the information it contains to be true. These days there are a plethora of real threats to our privacy so obscuring the truth by perpetrating false invasion of privacy stories is less than desirable.

Having said that, taken in context, the site represents an enjoyable prank. If you have a minute, you might like to visit the site mentioned and enter some data in order to test the joke for yourself. As stated above, the name you enter does not need to be real. If you are concerned about providing your name on the site, just invent one. The end result will be the same.

An example of the prank email:
This is serious people... I just deleted mine!!!

This is upsetting but I thought I should pass it along. Check your drivers license. Now you can see anyone's Driver's License on the Internet, including your own! I just searched for mine and there it was.. .. picture and all!! Thanks Homeland Security! Where are our rights?

I definitely removed mine. I suggest you do the same. . .

Go to the web site and check it out. Just enter your name, city and state to see if yours is on file. After your license comes on the screen, click the box marked "Please Remove". This will remove it from public viewing, but not from law enforcement.


Delta Air Lines Free Flight Hoax Email

The email hoax shown below claims that recipients will be eligible for free air flights just for sending the message to a specified number of people. It strongly resembles a 2003 hoax email that targeted British Airways (see example below). The claims and much of the phrasing in both messages are virtually identical. There is nothing on the Delta Airlines website that backs up the spurious claims made in the email.

Both the Delta hoax and the earlier British Airways version mirror dozens of other foolish pranks that claim recipients can gain goods or services simply by forwarding an email. No legitimate company would run a promotional campaign based on how many times an email was forwarded. Any message that makes such a claim is almost certainly a hoax. This email could have easily reached thousands of recipients within days of its "launch". If the claims in the message were factual, Delta Airlines would find itself obligated to hand over large numbers of free air flights for each week that the email campaign continued. Given that Delta Airlines did indeed file for bankruptcy in September 2005, it is highly unlikely that the company would launch such an expensive "giveaway" promotion.

Furthermore, the message makes the ridiculous claim that the email is being "tracked". There is no technically feasible method of "tracking" an email message that might be forwarded hundreds of thousands of times. The email would be sent in different formats via a variety of email programs and service providers around the planet. The logistical challenges of keeping track of who sent the message and how many times each individual sent it are mind-boggling and would transcend the abilities of even software giant, Microsoft. This claim that the supposed giveaway is dependent on some form of automatic tracking mechanism strongly indicates that the information is untrue.

These messages do nothing more than add to the garbage in our already spam-laden email inboxes. If you receive such a message, please do not forward it to others.

An example of the hoax email:
I contacted the Delta public relations office - THIS IS REAL!!!!!!

Due to the recent news regarding our Bankruptcy, the number of passengers flying Delta world-wide has fallen dramatically.

We at Delta Airlines have launched an national media campaign which aims to fill our aircraft once again. A part of this campaign is direct email advertising.

This is where YOU come in!

Delta Airlines, along with Microsoft are tracking this email, and for every 5 people you forward this to, you will receive a round trip flight to any destination in the continental U.S. Send this email to 10 people and you are eligible to fly ANYWHERE in the world round trip!

Simple as that!

However, that only catch is you MUST travel BEFORE December 31st 2005.

You will be contacted via email within 5 working days for your full contact information and booking details.

Note: one flight per person only.

Older British Airways version:
I thought this was bollocks, but they got back to me within a week!!!!!!!! I contacted the London BA office - THIS IS REAL!!!!!!

Due to the SARS and the recent war in Iraq, the number of passengers flying world- wide has fallen dramatically. We at British Airways have launched an international media campaign which aims to fill our aircraft once again. A part of this campaign is direct email advertising. This is where YOU come in! British Airways, along with Microsoft are tracking this email, and for every 5 people you forward this to, you will receive a flight to London return from any destination in the world (if your in the UK, you can fly to any Asian destination return). Send this email to 10 people and you are eligible to fly ANYWHERE in the world return to your depature point!

Simple as that!
However, that only catch is you MUST travel BEFORE 31st October 2003. You will be contacted via email within 5 working days for your full contact and booking details.

Note: one flight per person only.

Delta Air Lines Website
Delta Air Lines Files for Chapter 11 Reorganization to Address Financial Challenges
British Airways Giveaway Hoax


Outstanding Computer Security Tutorial eBook

I am very pleased to acknowledge that I am now an affiliate for The Hacker's Nightmare™, an excellent computer security tutorial eBook suitable for users of Windows based computers. At the outset, I'd like to make clear that I only review affiliate products that I truly believe are outstanding in their field and represent great value for customers.

Before signing up as an affiliate, I purchased a copy of The Hacker's Nightmare™ and read it from cover to cover. I believe it to be an extremely valuable computer security resource that is well worth the purchase price. Although I already had a reasonably advanced understanding of computer security issues, this book filled up several gaps in my knowledge and helped me to ensure a truly robust state of computer security for my small home network.

One of the great advantages of The Hacker's Nightmare™ is that it is presented in plain English and even inexperienced computer users should have no problems understanding and implementing the advice it contains. The book unfolds as a step-by-step tutorial that shows you how to secure your computer and practice safe and efficient computing. The book eloquently explains why a particular computer security or safety procedure is necessary. It then supplies detailed instructions about how to implement the procedure. For example, if the author, Bill Hely, recommends that readers install a particular program, he explains why the software is necessary as well as how to download, install and configure it. The book runs to almost 500 pages, so while it is easy to understand and does not drown the reader in jargon or unnecessary technical details, it does thoroughly cover a wide range of computer security and safety issues.

Bill Hely writes very well, and he has incorporated a great many screen shots and illustrations that make it quite simple to follow the instructions he provides. The book is in .pdf format, so that you can download and begin reading immediately after purchase.

Regardless of whether you are a new computer user running a single machine, you maintain a home network for your family or you are responsible for computers in a business environment, this book can help you implement a very high level of computer security. What's more, The Hacker's Nightmare™ gives you the knowledge to achieve this high level of computer security without the need to outlay large fees for professional security consultants or highly priced software.

Millions of computers around the world run virtually unprotected from hackers, worms, viruses, trojans, spyware, spammers, scammers and all manner of heinous cyber-scum. The good news is that even the most inexperienced computer user can very effectively take control of all the threats listed above by implementing the free or inexpensive computer security methods outlined in The Hacker's Nightmare™. Unfortunately, many people still think that they do not really need to secure their computers or that good computer security is "too hard" or "too expensive" for "ordinary" computer users. The Hacker's Nightmare™ very effectively lays all these dangerous myths to rest.

Many computer users who think they have adequate computer security in place might be shocked to find out how vulnerable their systems really are. If every Windows computer user read and implemented the knowledge contained in The Hacker's Nightmare™, the Internet would be a much safer and more productive environment in which to work and play. I unreservedly recommend this book for all those who want to ensure that their computers and their information remains safe and secure.

Visit The Hacker's Nightmare now


Pharming – An Overview

Hopefully, an increasing number of web users are now aware of how phishing scams work. A typical phishing scam operates as an evil duo comprising a fraudulent email closely coupled to an equally fraudulent website. The scam email, supposedly from a well-known company or financial institution, is intended to trick recipients into following a link to the fake website and providing sensitive personal information.

Phishing's more sophisticated first cousin is a technique known as "pharming". Like phishing, pharming coerces victims into visiting a fake website and supplying information. However, instead of tricking recipients into clicking on an email link, pharming can secretly redirect victims to a fraudulent website directly from their web browser. Pharming effectively eliminates the need for "bait" emails and is therefore potentially more dangerous than "normal" phishing scams and can cast a wider "net" in which to snare victims. Even phishing-savvy web users could fall victim to a pharming scam without realizing it.

In order to make pharming work, scammers may compromise a victim's system directly by secretly installing malicious software on his or her computer or modifying the browser's hosts file. Alternatively, the scammers may use "DNS cache poisoning" to effectively compromise the DNS server.

What this means in plain English is that, even if you manually enter the web-address of your bank or financial institution directly into your browser, or click on a saved bookmark, it is possible that a pharming attack could cause your browser to unobtrusively redirect to a fraud site. If the scam site is made to resemble the legitimate website of the targeted institution, a victim could enter account numbers, passwords and other sensitive information before he or she realized what was happening.

Currently, pharming does not appear to be as common as phishing. However, many computer security experts are predicting that pharming attacks will continue to increase as more criminals embrace these techniques. To help protect yourself from pharming, you should make sure that the secure website you are visiting has a valid certificate of authority from a trusted service such as VeriSign. Before entering sensitive personal data on the website, click the "lock" icon in the browser's status bar to view the certificate. Ensure that the name on the certificate corresponds to the site you are viewing. You should also run anti-virus and anti-spyware software, keep your operating system and browser updated with the latest security patches and use a reliable firewall. As with all aspects of Internet security, simple vigilance is a crucial defensive weapon. For example, if your Internet banking site suddenly seems subtly different in layout and styling and/or some of the links don't work as expected, it is possible that you have been secretly redirected to a scam site.
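A check for the hosts-file tampering described above, as an added example (not code from Hoax-Slayer): it parses the text of the operating system's hosts file and reports every entry that overrides DNS for a non-local name. The sample file, the `bank.example` watch list and the function name `audit_hosts` are constructed for illustration.

```python
import ipaddress

# Names that normally appear in an untouched hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}

# Constructed sample. The real file is /etc/hosts on Unix-like systems and
# %SystemRoot%\System32\drivers\etc\hosts on Windows.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example   # blocklist-style sinkhole entry
198.51.100.23   www.bank.example bank.example
192.168.1.10    nas.home.example      # LAN device added by the owner
"""


def _is_watched(name, watched):
    """True if name is a watched domain or one of its subdomains."""
    return any(name == w or name.endswith("." + w) for w in watched)


def audit_hosts(text, watched=()):
    """Return hosts-file entries that override DNS for non-local names.

    Entries pointing at loopback or 0.0.0.0 are treated as block entries and
    skipped, unless the name is on the watch list: a site you log in to
    should never be overridden at all.
    """
    watched = {w.lower().rstrip(".") for w in watched}
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()      # strip comments
        if len(fields) < 2:
            continue                                # blank or comment-only
        try:
            # Drop an IPv6 zone id ("fe80::1%eth0") before parsing.
            addr = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue                                # not an address line
        sinkhole = addr.is_loopback or addr.is_unspecified
        for raw_name in fields[1:]:                 # one line may map many names
            name = raw_name.lower().rstrip(".")
            if name in LOCAL_NAMES:
                continue
            hit = _is_watched(name, watched)
            if sinkhole and not hit:
                continue
            findings.append({"line": lineno, "address": str(addr),
                             "host": name, "watched": hit})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, watched=["bank.example"]):
        level = "HIGH" if f["watched"] else "review"
        print(f"line {f['line']}: {f['host']} -> {f['address']} [{level}]")
```

Entries marked "review" are not necessarily malicious (the LAN device here is legitimate), but each one is a name the computer will resolve without asking DNS, so each should be one the owner recognises.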

The technical aspects of pharming are quite complex and I have only touched the surface of the subject here. This article is intended to offer a brief overview of pharming. The list of resources included below should prove useful for those interested in finding out more about pharming.

Pharming Resource List:
Attorney General Foti Warns of New ID Theft Scam: "Pharming"
First Was Phishing, Next Is Pharming
Alarm over 'pharming' attacks
Phishing and pharming
Don’t Get 'Pharmed'
Don't Let Your Users Buy the 'Pharm'


Mobile Phone Misinformation - XALAN and #90 Hoax

The supposed warning for mobile phone users shown below simply combines two other hoaxes. None of the information provided in the email is valid for mobile phone users.

The first part of the hoax email claims that pressing #09 or a similar combination of digits will give a fraudster access to your sim card and allow him or her to make calls at your expense. This is untrue and has been denied by Australian telecommunications giant, Telstra.

Another version of the hoax claims the same trick can be used to hijack fixed phones. Although such a scam is theoretically possible on certain types of business telephone switching equipment that requires users to dial "9" to get an outside line, normal home phones or mobile phones are not vulnerable.

For more information about the #09 hoax, see:
Nine Zero Hash Phone Scam Hoax

The second part of the hoax claims that a virus that displays the word "XALAN" can destroy your mobile phone. This information is untrue. Although mobile phone viruses are possible, there is no virus like the one described in the email message. There are a number of alternative versions of the "warning" message, some of which list the word displayed as "UNAVAILABLE" or "ACE" rather than "XALAN". Telstra has denied the existence of such viruses.

For more information about phone virus hoaxes, see:
Mobile Phone Virus Hoax

Telstra Mobile: Mobile phone hoaxes

An example of the hoax email:
Dear All,

If you receive a phone call on your mobile from any person, saying that, he or she is a company engineer, or telling that they're checking your mobile line, and you have to press # 90 or #09 or any other number. End this call immediately without pressing any numbers. There is a fraud company using a device that once you press #90 or #09 they can access your "SIM" card and make calls at your expense. Forward this message to as many friends as you can, to stop it.

All mobile users pay attention if you receive a phone call and your mobile phone displays (XALAN) on the screen don't answer the call, END THE CALL IMMEDIATELY, if you answer the call, your phone will be infected by a virus..

This virus will erase all IMEI and IMSI information from both your phone and your SIM card, which will make your phone unable to connect with the telephone network. You will have to buy a new phone. This information has been confirmed by both Motorola and Nokia.



Engineering Marvel Email Forwards

Several emails have been circulating lately that describe incredible feats of engineering and back up the information with rather compelling images. Refreshingly, the email forwards are factual. One discusses a "water bridge" that has been built in Germany. Another includes information and a photograph about an amazingly high bridge situated in France. Yet another features an incredible glass skywalk that is being constructed at the Grand Canyon.

Follow the links below to access Hoax-Slayer articles about these "engineering marvel" emails:

Water Bridge in Germany

French Millau Viaduct - Amazing Bridge

Glass Skywalk on the Grand Canyon


Birthday List Chain Email - Somebody Born Every Day

The foolish chain letter shown below travels extensively via email and is also commonly posted to online message boards. The message asks that recipients add their name and country to the date on the list corresponding to their birthday before sending the message to all of their friends. Apparently, the purpose of the exercise is simply to fill up the calendar with at least one name for every day in order to illustrate that there is "somebody born on each date of the year". Of course, it goes without saying that somebody will be born on each day of the year. In fact, according to U.S. Census Bureau data for 2005, an estimated 356,000 "somebodies" are born each day. Curious web users can visit the worldmeters website to see continually updated daily figures for world births. In fact, there is a great deal of statistics pertaining to world population readily available. Clearly, there is no need to try to prove the very obvious fact that people are born every day by circulating a silly chain letter.

This exercise might be vaguely more interesting if there was some central mechanism such as a website that attempted to consolidate and display the collected information in permanent form. As it stands, there are likely to be thousands of separate versions of the message haphazardly crisscrossing around the world's inboxes. Although some instances of the message might manage to collect one or more names for each day of the year, many of those who participated are unlikely to ever get to see the completed list.

This chain letter might seem rather harmless and certainly it is a lot less malicious and disruptive than many other hoaxes. However, perpetrating the message by sending it onwards just wastes bandwidth for no good reason. These messages also add to the general dross that increasingly clogs our email inboxes. Given the inherent pointlessness of attempting to compile such a "birthday list", I'd suggest that hitting the "Delete" button in your email client would be the most appropriate way to handle this message.


This is kind of cool! Out of all of the billions of people who live in the world, there has got to be somebody born on each date of the year. We are going to try to accomplish the task of seeing if we can fill the calendar up with a birthday on every day of the year. Add your name and your country next to your birth date to the list below. Then send this list to all of your friends, plus the person who sent it to you! Lets see if we can do it!

Remember, COPYING and PASTING this to NEW E-mail will keep it clean and make it easier to read than just forwarding it. If someone has already put their name in the slot of your birthday please just add your name beside and DO NOT DELETE THAT PERSON'S NAME! KEEP IT GOING Thanks!

January 1~~ [Names Removed]

January 2~~ [Names Removed]

January 3~~

January 4~~ [Names Removed]

[Continues to December]


How Email Worm Spoofing Works

A lot of modern worms use email spoofing when they send themselves from an infected computer. This spoofing tactic has led to a great deal of finger pointing and confusion among Internet users. Because of spoofing, it may appear that person A sent person B a worm-infected email when this was not the case. Thus, spoofing increases the negative impact of worm outbreaks because it leads to unfair accusations, misdirected warnings, and the erroneous blacklisting of email addresses.

Simply put, spoofing as it relates to worm dissemination, works like this:

  1. Someone who has your email address stored somewhere on her or his computer, becomes infected by a worm that uses spoofing.

  2. The worm searches for email addresses on the infected computer and sends itself to them.

  3. The worm inserts one of the email addresses it finds in the "From:" field of the virus emails it sends. In other words, it may use your address in the "From:" field, which tricks unwary recipients into thinking that the virus came from your computer.

Thus, even though you may practice safe computing and have a worm free machine, you may be unfairly accused of spreading the infection. Meanwhile, the actual sender may remain unaware that his or her machine is infected.

If you are unfairly accused:

  1. First, make sure your system really is free of infection by running a full system scan with up-to-date anti-virus software.

  2. Next, reply to the accuser with an explanation of spoofing and assure him or her that your system is not infected. Try to include a link to a webpage that provides information about email worm spoofing to back up your statement.

If you receive a worm-infected email, don't immediately fire off an email that accuses the apparent sender of posting you the worm. If possible, look up information about the worm on an Anti-Virus website such as Symantec and try to determine if the worm is one that uses spoofing. You may also be able to verify the actual sender by checking the headers of the email carrying the worm. View a detailed explanation of interpreting email headers.
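The header check mentioned above, as an added example (not code from Hoax-Slayer): it compares the address claimed in "From:" with the host that actually connected to the recipient's mail server, taken from the topmost "Received:" header. The message, all hostnames and addresses, and the function name `analyse_origin` are constructed; the code assumes the topmost "Received:" header was written by the recipient's own server in the common `from HELO (rdns [ip]) by ...` layout.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message modelled on the Sober-style emails described earlier.
# The lower Received header stands in for one inserted by the sending worm:
# only the header added by the recipient's own server (the topmost) is
# outside the sender's control.
SAMPLE = """\
Received: from agency.example (dsl-203-0-113-45.isp.example [203.0.113.45])
    by mx.recipient.example with ESMTP id 4F2A91C0B3
    for <user@recipient.example>; Tue, 22 Nov 2005 09:14:02 +1000
Received: from internal.agency.example ([192.0.2.7])
    by gateway.agency.example with SMTP; Tue, 22 Nov 2005 09:13:40 +1000
From: "Department" <office@agency.example>
To: user@recipient.example
Subject: You_visit_illegal_websites
Date: Tue, 22 Nov 2005 09:13:38 +1000

(body and attachment omitted)
"""

# "from <HELO name> (<reverse-DNS name> [<ip>])"; the reverse-DNS name
# may be absent when the server could not resolve the address.
RELAY = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]()]+)?\s*"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)


def _within(host, domain):
    """True if host equals domain or is a subdomain of it."""
    return bool(host and domain) and (
        host == domain or host.endswith("." + domain)
    )


def analyse_origin(raw):
    """Compare the claimed sender with the host that delivered the message."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]

    received = msg.get_all("Received") or []
    # Unfold the header (collapse line breaks and runs of whitespace).
    top = " ".join(received[0].split()) if received else ""
    hop = RELAY.search(top)
    rdns = (hop.group("rdns") or "").lower() if hop else ""

    return {
        "claimed_from": from_addr,
        # The HELO name is chosen by the connecting machine, so it can lie.
        "helo": hop.group("helo").lower() if hop else None,
        # Reverse DNS and IP were recorded by the receiving server.
        "connecting_host": rdns or None,
        "connecting_ip": hop.group("ip") if hop else None,
        # False means the "From:" domain is not corroborated by the relay.
        # That is a cue to look closer, not proof of forgery: legitimate
        # mail is often relayed through third-party providers.
        "from_matches_relay": _within(rdns, from_domain),
    }


if __name__ == "__main__":
    for key, value in analyse_origin(SAMPLE).items():
        print(f"{key:20} {value}")
```

In the constructed sample both "From:" and the HELO name claim `agency.example`, while the receiving server logged a consumer DSL host, which is the pattern a spoofing worm on a home computer produces.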

You can help to reduce the impact of worm outbreaks by being aware of this spoofing issue and informing others where necessary.


Hoax-Slayer Humour: Window Washer Scam (Just a Joke)

I have thoroughly researched this supposed scam. For the last few days I have driven around town for several hours at a time, very slowly with the back doors of the car unlocked. To give any scammers ample opportunity to perpetrate their heinous deeds, I even kept the vehicle stationary through several traffic light cycles at a lot of intersections. Unfortunately, it appears that this scam is just another urban myth (sigh).

An example:
Subject: New Scam

This new scam is being pulled mainly on older men. What happens is that when you stop for a red light a young, nude woman comes up and pretends to be washing your windshield. While she is doing this another person opens your back door and steals anything in the car. They are very good at this.

They got me 7 times Friday and 5 times Saturday. I wasn't able to find them on Sunday.


The Hoax-Slayer Newsletter is published by:
Brett M. Christensen
Queensland, Australia
All Rights Reserved
©Brett M. Christensen, 2008