Spotting an E-mail Virus Message

We recently received the following e-mail in one of our mailboxes and figured it was a perfect way to begin a letter about recognizing e-mail virus messages. The e-mail message read as follows:

Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.

Yours faithfully,
Steven Allison

++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505

++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time

The subject of the message was “You visit illegal websites,” and the To address was Z-User@GoBigWest.com. The From address was Admin@cia.gov.

The attached file was named list888.zip. As you would expect, however, the file was not a list of questions. Instead, it was a mass-mailing worm that Symantec calls W32.Sober.X@mm (see http://www.sarc.com/avcenter/venc/data/w32.sober.x@mm.html for details). If we had opened the file, it would have installed itself on our computer, collected all of the e-mail addresses in our address book, and started sending more letters like the one above to our contacts.

Fortunately, we were able to easily determine that the message was fake and did not open the attachment. Unfortunately, many others have fallen for this type of ruse, which is why these types of virus messages exist. For that reason, we want to point out some of the things you can look for to determine the authenticity of an e-mail message.

First, let’s look at the things the writers of the message have done to trick us into opening the attached file. They started by trying to convince us that the message was actually sent by the CIA. The From address is spoofed, or altered to appear as if the message was sent by a legitimate organization, and the contact information at the bottom of the letter is the correct contact information for the Office of Public Affairs (http://www.cia.gov/cia/contact.htm). Next, they try to scare us by making a claim about our online habits in order to make us behave emotionally instead of rationally. The subject of the message makes a straightforward accusation, which is seemingly supported by the message itself. Their goal is to make us start worrying about how to defend ourselves against the accusation instead of realizing that the accusation is false in the first place.

Now that we know how the virus writers are trying to con us, we can more easily see through their con. We know that we cannot determine the true sender of an e-mail by looking at the From address, so we are not fooled by the Admin@cia.gov address. Also, we know that the signature in the e-mail, even though the contact information is correct, does not necessarily mean that the CIA sent the letter. In this case, the virus writers are confident that very few people will take the time to call the number provided. Finally, we can be reasonably certain that the Office of Public Affairs, which acts as the point of contact for the CIA, would take the time to use proper capitalization and subject-verb agreement.

Since we know the message is not real, we know the accusations made in the message are not real and that the attachment is not a list of questions. If, however, you are unsure about whether or not a message is real, we still suggest that you do not open the attachment. It is best to never open attachments unless you know exactly what you are opening. Even if you know the person who sent the message to you, remember that it is easy to disguise the true sender of a message. When in doubt, contact the person and verify that they sent the message.
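For readers who want to see why the From address proves nothing, here is an added example (not part of the original letter) that applies the checks described above to a saved message. The Subject, From, To and attachment name come from the message we received; the Return-Path and Received lines, the host names and the IP address are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. Subject, From, To and the attachment name come from the
# article; Return-Path, Received and the hosts/IP are invented for illustration.
SAMPLE = """\
Return-Path: <bounce@dialup.example.net>
Received: from dialup.example.net (dialup.example.net [203.0.113.7])
\tby mx.example.org; Mon, 1 Jan 2001 00:00:00 +0000
From: Admin@cia.gov
To: Z-User@GoBigWest.com
Subject: You visit illegal websites
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Sir/Madam, ...
--b1
Content-Type: application/zip; name="list888.zip"
Content-Disposition: attachment; filename="list888.zip"

(placeholder, no real payload)
--b1--
"""

RISKY_EXT = (".zip", ".exe", ".scr", ".pif", ".bat", ".com")

def domain(addr):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return a list of warning strings; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []
    from_dom, env_dom = domain(msg["From"]), domain(msg["Return-Path"])
    # From is typed by the sender; Return-Path is the envelope sender recorded at delivery.
    if env_dom and env_dom != from_dom and not env_dom.endswith("." + from_dom):
        findings.append(f"From domain {from_dom} != envelope sender {env_dom}")
    # The topmost Received line is written by the receiving server, not the sender.
    received = msg.get_all("Received") or []
    if received and from_dom not in received[0].lower():
        findings.append(f"delivering host is not under {from_dom}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"archive or executable attachment: {name}")
    return findings
```

Calling `triage(SAMPLE)` returns three warnings for the message above. Legitimate mailing lists and forwarded mail can also trip the first two checks, so treat each warning as a reason to verify with the sender, not as proof.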
