Truth about computer security hysteria

NaughtyRobot spider

CATEGORY: Hoax virus alerts

This hoax surfaced in January 1997 when Internet users received messages from themselves, "sent to you by NaughtyRobot, an Internet spider that crawls into your server through a tiny hole in the World Wide Web."

The hoax goes on to claim NaughtyRobot captured the user's credit card numbers, home phone number, physical address, and other "personal, private, and sensitive information." It warns users to "alert your [Internet provider], contact your local police, disconnect your telephone, and report your credit cards as lost."

These seed messages scared numerous Internet users who then sent "first-person" warnings to everyone in their email address book. Many of these warning messages turned into chain letters, with each frightened recipient forwarding it on to everyone they knew.

Like many hoaxes, NaughtyRobot plays on a user's fear — in this case, fear of "the oxymoron of 'Internet security.' " Unlike most hoaxes, NaughtyRobot didn't begin as a chain letter. Its perpetrator instead used a well-known parlor trick to spoof the email address of each recipient, making it look like the message came from themselves. Frightened users who didn't know the trick started their own chain letters when they read the seed message.

And when the experts say "well-known," they mean it. Boardwatch editor Jack Rickard described this childish technique in a 1995 column — an ancient parlor trick even back then. "It is hardly a hack to 'spoof' mail ... [simply because] the Internet sports thousands of 'promiscuous' simple mail transport protocol (SMTP) servers."

Things to ponder:

  1. Suppose an "Internet spider" really could glean your physical address, phone number, etc. Ask yourself: why don't law enforcement agencies use this technique to catch the people who break into government websites?
  2. Copycats spring out of the woodwork after every successful Internet hoax. You can expect similar email-spoof tricks to appear on April Fool's Day.
  3. Some people claim the perpetrator used an "ActiveX spider" to plant seed messages. This rumor surfaced after an online story quoted NCSA's Jonathan Wheat, who merely speculated it. (The story acknowledges his speculation; it just got lost in the subsequent rumor.) In a private message, Wheat noted "there are somewhat easier ways to do this depending on [the perpetrator's] technical background."
  4. Question anyone who claims naïve users reported their cards as lost or stolen. It seems plausible to assume this (given the intense level of hype about Internet security) — but no one has yet laid their credentials on the line to label it a fact.
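A message "from yourself" proves nothing, because the From line is whatever the sender typed. The sketch below is an added example, not part of the original page: it flags self-addressed mail that an outside host handed to your own mail server. It assumes the topmost Received header was written by your own MX; the addresses, hostnames and the `TRUSTED_NETS` range are constructed placeholders.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: the only hosts allowed to submit mail as our own users.
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

def connecting_ip(msg):
    """IP our own MX stamped in the topmost Received header, or None."""
    received = msg.get_all("Received") or []
    match = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", received[0]) if received else None
    try:
        return ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:
        return None

def classify(raw):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpts = {addr.lower() for _, addr in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if not sender or sender not in rcpts:
        return "not-self-addressed"
    ip = connecting_ip(msg)
    # From is typed by the sender; the topmost Received line is written by us.
    if ip is not None and any(ip in net for net in TRUSTED_NETS):
        return "internal"
    return "spoofed"

def sample(client_ip, sender, rcpt):
    """Build a constructed test message; nothing here is a real capture."""
    return (f"Received: from host.example.net (unknown [{client_ip}])\n"
            f" by mx.example.org with SMTP; Tue, 14 Jan 1997 09:12:01 -0500\n"
            f"From: {sender}\nTo: {rcpt}\nSubject: constructed sample\n\nbody\n")

SPOOFED = sample("192.0.2.44", "alice@example.org", "alice@example.org")
NOTE_TO_SELF = sample("198.51.100.7", "alice@example.org", "alice@example.org")
ORDINARY = sample("192.0.2.44", "bob@example.net", "alice@example.org")

if __name__ == "__main__":
    for name in ("SPOOFED", "NOTE_TO_SELF", "ORDINARY"):
        print(name, "->", classify(globals()[name]))
```

A message with no usable Received header is classified as spoofed, since nothing the receiving server wrote backs up the From line.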

Last updated: 2000/10/2