Please don't spread the Facebook "giraffe picture" hoax!


A bizarre warning is circulating on Facebook urging you not to change your profile picture to a giraffe.

When I heard about this, my first reaction was, "Of all the things I could choose to represent myself, what's the chance that today I'd suddenly want it to be a giraffe?"

My next thought was, "But if I were to decide on a giraffe - and they are majestic animals, let's face it - why would that be a problem?"

The whole thing is a load of rot, of course, and just the latest in a long line of internet hoaxes.

The advice in the hoax

The bogus reasoning in the hoax is somewhat contorted, but it seems to go something like this:

  • There's a Facebook game in which players who fail to answer a riddle correctly are urged to set their picture to a giraffe as a harmlessly light-hearted signal they got it wrong.
  • Crooks have tried to take advantage of this by poisoning Google's image searches with booby-trapped giraffe images.
  • These booby-trapped JPEG files install malware with a range of dangerous side-effects, including stealing your username and password.
  • So don't change your profile picture to a giraffe.

There's enough here to be mildly believable: readers may have heard of the riddle that asks you to change your profile picture if you get it wrong; search engine results can be manipulated by cybercriminals; and software bugs have been found in the past that allowed booby-trapped JPEG files to deliver malware.

Why it isn't true

It's all a pack of made-up rubbish - and here's how you can tell.

Way back in 2004, a lot of media coverage was given to a JPEG vulnerability in the heart of Windows.

This security hole could, in fact, have allowed booby-trapped images on web pages to inject malware onto your computer, in the same way that booby-trapped DOC and PDF files are often used for that purpose these days.

Patches from Microsoft headed off that vulnerability at the pass with security update MS04-028, but the concern at the time was understandable, since the JPEG format was, and still is, one of the most commonly-used image types on the internet.

Indeed, if you dig around online for nine-year-old stories about the MS04-028 vulnerability, you will find articles like this one:

A virus that exploits the recently discovered JPEG vulnerability has been discovered spreading over America Online's instant-messaging program....

"It's been done in the past, but with HTML code instead of the JPEG," said Johannes Ullrich, chief technical officer for SANS' Internet Storm Center, the organization's online-security research unit. "It is a virus, but it didn't spread very far. We've only had two reports of it."

...The code also installs a back door that can give hackers remote control over the infected computer. Antivirus expert Mikko Hypponen of F-Secure warned on Wednesday that the JPEG exploit can also dodge antivirus technology.

Guess what?

According to the Hoax-Slayer website (which has itself been around since 2003), the current hoax tells much the same story, with some minor changes in detail, and some deliberate mis-identification of the "experts" being quoted (my emphasis):

A virus that exploits the recently discovered JPEG vulnerability has been discovered spreading over google's giraffe pictures.

"It's been done in the past, but with HTML code instead of the JPEG," said James Thompson, chief technical officer for SANS' Internet Storm Center, the organization's online-security research unit. "It is a virus, but it didn't spread very far. We've only had two reports of it."

...The code also installs a back door that can give hackers remote control over the infected computer. Antivirus expert Fred Hypponen of F-Secure warned on Wednesday that the JPEG exploit can also damage your Iphone if you charge it with your computer.

Johannes Ullrich, quoted back in 2004, is still the Internet Storm Center CTO, not James Thompson.

And although F-Secure's best-known antivirus expert is indeed - today as in 2004 - a certain Mr Hypponen, his first name is Mikko, not Fred.

Adding a modern twist

The introduction of the warning about charging your iPhone gives the old story a bit of a modern twist, and takes advantage of a recent exposé about the potential risk to iPhones (now patched) posed by booby-trapped chargers.

The current hoax apparently also adds a bogus detail to say that:

By default, antivirus software only scans for .exe files. And even if users change the settings on antivirus software, the JPEG file name extensions can be manipulated to avoid detection.

That's not true either.

An on-access (real time) virus scanner - the component that prevents virus infection by blocking files before they open - will generally identify files by their content, meaning that the extension is largely irrelevant.

And if you change the settings on your on-demand scanner, you can just set it to check all files, which makes misapplied extensions irrelevant.
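
To see why a misleading extension doesn't help, here is a small added example (not code from this article or from any antivirus product) that classifies a file by its leading bytes and flags a name that claims something else. The function names and the sample byte strings are constructed for illustration.

```python
import struct

# Well-known leading-byte signatures ("magic numbers") for a few formats.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy DOC/XLS container
]
# What each extension claims the file is.
CLAIMS = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "pdf": "pdf",
          "doc": "ole2", "exe": "pe", "dll": "pe"}

# Constructed sample inputs: a minimal PE header stub and a JPEG/JFIF header.
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"


def is_pe(data):
    """True if an MZ header's e_lfanew field (offset 0x3C) points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff(data):
    """Classify a file by its content alone."""
    if is_pe(data):
        return "pe"
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def check(filename, data):
    """Return (content_type, mismatch); mismatch means the name claims something else."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff(data)
    mismatch = actual != "unknown" and CLAIMS.get(ext, "unknown") != actual
    return actual, mismatch


if __name__ == "__main__":
    for name, data in [("giraffe.jpg", SAMPLE_JPEG), ("giraffe.jpg", SAMPLE_PE),
                       ("setup.exe", SAMPLE_JPEG)]:
        print(name, check(name, data))
```

A program file renamed to giraffe.jpg is still recognised as a program, and the mismatch between name and content is itself a useful warning sign.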

As you can see, there are lots of signs that this "giraffe story" is entirely bogus.

→ If it were true, and a vulnerability were currently known that would let JPEGs inject malware onto your computer, then the crooks wouldn't bother going to all the trouble of poisoning Google image searches and hoping you would change your Facebook profile. They'd just put the booby-trapped files onto innocent-looking web pages and infect you during normal browsing, wouldn't they?

What to do?

Our advice:

  • If you're a news writer who covers computer security, check your facts before you endorse security warnings: false alarms just make us collectively less likely to react when there is a problem.
  • If you're a reader of security warnings, don't spread this hoax, even if you think it's amusing: false alarms just make us collectively less likely to react when there is a problem.

Image of giraffe warning sign courtesy of Shutterstock.


29 Responses to Please don't spread the Facebook "giraffe picture" hoax!

  1. Sizzle_Bizzle · 356 days ago

    Love this;

    "If you're a news writer who covers computer security, check your facts before you endorse security warnings: false alarms just make us collectively less likely to react when there is a problem."

    I saw quite a few "Security Experts" jumping on this "alert" when their only facts were from Facebook posts. Very funny and very embarrassing for many that seem to have mislaid (deleted) their articles and social networking posts since.

    Anyway, for those in the know, we all are aware that the vulnerability puts a disgruntled badger in your bank account that eats all your cash.

    Much love

  2. kkkk · 356 days ago

    a friend heard it on the radio (that it gives you a virus, that is)

  3. read this before you panic because you changed your profile picture to a giraffe

  4. ScottK · 356 days ago

    So, the answer to the riddle is "the door", right?

  5. John · 356 days ago

    Ignoring all the hype...the answer to the riddle = The door.

    Because I'm bored.

    • guest · 356 days ago

      I would guess eyes most people are sleeping at 3am.

      • Obvious Captain · 355 days ago

        You should have guessed browser because you had to open your browser to see the riddle.

  6. Evie · 356 days ago

    The answer is surely 'your eyes' :)

  7. freedie · 356 days ago

    you'd probably open your eyes first...

  8. Paulo · 356 days ago

    I first answered door but then I realized I wake up so the first thing I opened are my eyes... Lol

  9. dan · 356 days ago

    The door is the wrong answer, it isn't that simple, reread the riddle again.

  10. The clue to the riddle is at the beginning. "and you wake up". I know many of us are night owls and can still be awake at 3am, but unless you sleep with your eyes open; the proper answer is "your eyes". :-)

    Yes I'm bored also, and my first thought was also "Door"

  11. Anonymous · 356 days ago

    First of all, anybody ringing my doorbell at 3 am better have an emergency. Etiquette calls for a call before "dropping by". If it is my parents I am not opening the damned door. My family has a nasty habit of drinking all my breakfast wine while complaining that I have not found a nice girl and given them a grandson to carry on the family name.

    In short-DON'T OPEN THE DAMNED DOOR (could be a virus out there).

  12. jephi · 356 days ago

    But you wake up and find it's your parents, then it asks what the first thing you open is. Your eyes are already open unless you wake up without opening your eyes, you are psychic to know it's your parents, or they are screaming bloody murder to let you in. I still say the door is the first thing you open at that point.

  13. Jones · 356 days ago

    The first thing I opened (at 3am) was my mouth to say "F OFF!"

    Apparently, this was not the correct answer!

  14. jimmy lines · 355 days ago

    the first thing you opened was your facebook profile.

  15. Jwalker · 355 days ago

    with my family, it would be the wine

  16. Erik · 355 days ago

    The door.

  17. Amir · 355 days ago

    I think it's neither the eyes nor the door, it's your mouth!

  18. CockneeeGeeza · 355 days ago

    I live in Brixton... if someone was hammering at my door, it would be my bowels that open first! ;0D

  19. 3caster · 355 days ago

    Should I forward this advice, that the giraffe circular is a hoax, to my entire address list?

  20. Cynical · 354 days ago

    This article addresses JPEG file vulnerabilities, but not how, until very recently, Google Images was the most dangerous place you could take your computer? When you could just click on an image in the results, with very little indication as to what website it's on, and it load that entire page in the background?

    The only virus I've encountered in the last decade was from a Java drive-by facilitated through a website that hosted a very large number of images that would be heavily searched for. This giraffe fad could be taken advantage of in that method, easily. Thankfully, Google has decided to improve their image search. I cannot describe how geeked out I was the day Google decided to implement an inline method to embiggen images in the results, along with a direct link to the file. No more loading entire, possibly shady, websites just to access the full-sized copy of the image. However, other search engines still fall short of this feature, and could be used against users.

  21. foo · 351 days ago

    People who spread this giraffe picture hoax are really sticking their neck out.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog