New Kiddie Porn extortion spam in the wild: Hoax?

UPDATE (2/19/02 5:15 PM): Since I haven't received any confirmed reports of this attack, I'm assuming for now that I've been duped, and that it is a hoax. I'll keep my eyes on the story, and if any new details emerge, I'll post them here. My apologies for the alarmism. Original post (plus update) follows:

There's a new, nasty attack out there on the web, and this time it involves an innocuous email, an Olympics website, surreptitious downloads of kiddie porn, and blackmailers from Bulgaria who threaten to "expose" innocent victims - unless of course, the victim pays $50 and hands over their credit card numbers.

The story broke in CSO magazine this month:

Between sobs, she explained that, a week earlier, she had gotten an e-mail about the upcoming Summer Olympics in Greece. Since her nephew was hoping to be on the U.S. track team, my coworker was hoping to learn something that might help him. It took a while for a webpage to open up, but when it did, she read all about Greece and the Olympics.

Two days later, she got an e-mail from an unknown address asking for $50 or they would tell her management that she had been surfing pornography sites. They even said they could prove she had downloaded child pornography!

"They even told me which directory it was in on my computer," she cried. "And sure enough, when I looked there, I found the most disgusting pictures."
South Africa's ITWeb picked up on it, and ran a more in-depth article about the scam.  This is the first scam I've heard of that uses an innocuous email, possibly combined with browser flaws, to download illegal material to a victim's computer without their consent. This takes some decent technical skills on the blackmailer's part, browser or OS bugs, and uneducated users.  The problem is that we've got lots of those prerequisites out there.

This does not bode well.  This is like diesel oil and fertilizer to trust on the net.  It is frightening, because it doesn't require malicious intent on the part of the victim - all he does is click on a link in an email from someone he doesn't know, and BAM, he's snared.  Law enforcement needs to be trained on this so that innocent victims aren't treated like sexual predators.

Hopefully, education will help to stamp this out.  If you get an email extorting money, contact your ISP or corporate security team.  Send them a link to this article.  And whatever you do, don't pay the bastards or give them your credit card numbers.  You're only opening yourself up to a wide range of further identity theft.

UPDATE (2/19/02 12:00PM): I'm investigating whether or not this is real or is a hoax. There are some other articles coming out that cover the story, but as Dan Gillmor eloquently points out, the original story in CSO is written under a pseudonym, so until I hear from others in the security community, I'm going to back off on my original alarmism.

Even if we look at this from a theoretical attack point of view (which I sincerely hope it is), it is a technically feasable attack. And the thing that really scares me is that when someone does implement this attack, the fallout and reaction from the general public - which is clearly at most risk from this attack - will be terrible and fierce, and it will be a knee-jerk reaction to control and "regulate" the net.

Either way, it's lose-lose. :-(