Weird Computer-Worm Social Engineering Story

I can't make this stuff up:

A child porn offender in Germany turned himself in to the police after mistaking an email he received from a computer worm for an official warning that he was under investigation....

Seems like the e-mail was actually from a worm, and not a sting operation by the police. But who knows?

Posted on December 23, 2005 at 3:30 PM • 18 Comments

Comments

Davi Ottenheimer • December 23, 2005 4:21 PM

Yes, the Sober.Y worm uses a very official-sounding message to entice people just to open the attachment. The authors might have thought it would be funny to give people a scare, but someone turning themselves in has to be beyond their wildest expectations.

In English the worm says

"we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached"

The German one says

"Wir moechten Ihnen hiermit vorab mitteilen, dass Ihr Rechner unter der IP erfasst wurde. Der Inhalt Ihres Rechner wurde als Beweismittel sichergestellt und es wird ein Ermittlungsverfahren gegen Sie eingleitet. Die Strafanzeige und die Moeglichkeit zur Stellungnahme wird Ihnen in den naechsten Tagen schriftlich zugestellt."

http://www.f-secure.com/v-descs/sober_y.shtml

Lee • December 23, 2005 5:47 PM

I think this is one of those very rare occasions when you can say well done to the author of the worm!

another_bruce • December 23, 2005 5:55 PM

i saw this on yahoo 2-3 days ago.
stupid pedos do stupid things.
we need to investigate how to leverage stupidity into law enforcement and anti-terrorism. there's so much stupidity out there, it's time to make lemonade from this vast, renewable resource.

Ikester • December 23, 2005 6:07 PM

Could title this one, "Phishing for pedophiles". ;)

"Hey guys, look what I caught on the hook. It's a bottom feeder but no way it's going back!"

Chris Walsh • December 23, 2005 6:17 PM

Next up, the "NSA Worm":

"We know you've been in communication with Osama. Please run down to the nearest DHS office. And bring a toothbrush."

B-Con • December 23, 2005 7:14 PM

Why spend millions trying to track down specific criminals when you can just brute-force the job and send everyone a threatening e-mail, hoping they'll all just turn themselves in?

Richard Bondi • December 23, 2005 10:25 PM

I just wanted to translate the German, since no one else has:

We wish to inform you in advance that your computer has been identified under the IP address [x.x.x.x]. The content of your computer has been secured as evidence, and legal proceedings have begun against you. The charge and an opportunity to plead will be mailed to you in the next few days.

jammit • December 24, 2005 12:10 AM

Wait. That wasn't a real email I received? Oh crap...
Cops do something like this on a regular basis. They'll send mail (snail type) to addresses (meat space type) of people they know who have jumped bail, and also to people who are close to the perp (mom, dad, dad#2) saying they've won a car (or "trip", ha ha). After getting the mark to show up at a business and sign his name on a release form, they then bust him. Pretty hilarious.

Itai • December 25, 2005 7:54 AM

I offered (http://itail.blogspot.com/2005/12/spamming-for-vigilante-justice.html) the following thought-experiment -

Suppose someone really tries to call for vigilante justice "the Sober way". He writes the following email and sends it to millions of randomly selected email addresses across the globe.

"You thought you'll get away with this, but guess what ? I've got it all on tape !!!
Now here's the deal. As much as I'd like to see you rot in jail for the rest of your life, I'll graciously give you exactly 24 hours to do the right thing and turn yourself in, before I'll make the tape public and your sentence will be much more painful.
This is my first and last warning and you know I'm not joking !

Your 24 hours start now -- You know who"

What do you think will happen?

Anonymous • December 25, 2005 10:51 AM

Few criminals will turn themselves in, along with few innocent idiots. There's few such idiots per million I think.

Jim Hyslop • December 26, 2005 12:06 PM

"I think this is one of those very rare occasions when you can say well done to the author of the worm!"

I don't agree. OK, so one man got busted for viewing (not creating) child porn - at the expense and inconvenience of millions of others who've had to endure the effects of this worm. Is that a good trade-off? I don't think so.

As Bruce Schneier has frequently pointed out, worms are bad, regardless of the intent or the effect.

Mind you, I'm not saying this particular incident wasn't funny - I'm still chuckling and shaking my head over it.

Alun Jones • December 27, 2005 11:09 AM

Depending on who you ask, it might have been Arthur Conan Doyle, or Samuel Clemens who sent anonymous telegrams to several of his acquaintances with the simple message "All is discovered. Flee at once."

The claim is that none of the recipients could be found in town shortly after the telegrams were sent.

So, yes, social engineering (such as this worm, or other less nefarious types, such as horoscopes, cold-reading, etc) works in part because people share a lot in common with one another, that they each believe is theirs alone.

This keeps cropping up in security in various ways - people who use the same password as one another; worms that persuade their victims that they know something about the victim, and must therefore be trusted; people who do the same thing (imagine someone comes up to your kid at school, and tells them that he's a friend of yours, including identifying information - would your kid accept that as a reason to trust?); tailgaters at smart-card protected doors (or generally 'secured' areas that you can get into simply by looking as if you are not out of place); etc, etc.

Ed T. • December 28, 2005 7:38 AM

@Jim Hyslop:

Amen, brother! The really scary thought is that some anti-pedo (or anti-drinking, or anti-gambling, or anti-whatever) group will push for some type of legal mandate to send these types of email out "to the whole Internet" periodically, to see what types of phishees turn up in the net. And, since it will be done "for the children" or "for National Security" or for whatever damn reason they think is so important, then it will all be OK, as the ends will justify the means. After all, it is For Our Own Good (Not.)

-EdT.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.