Many e-mail-based viruses forge the sender line in the e-mail's header so
that determining the sending computer's owner is difficult. The forged
sender line is usually taken from the victim's address book or Web pages
that he or she has browsed. Most computer users are not aware that
virus-generated e-mails have forged sender lines, so many of them reply,
asking why the "supposed" sender sent the e-mail, when in fact, the
"supposed" sender had nothing to do with the e-mail.
The social cost in this case would be that of reputation. If the recipient
of the virus-generated e-mail were to in fact know the person associated
with the virus-generated sender's e-mail address, the "supposed" sender
could be reprimanded if the recipient were the "supposed" sender's boss,
and the recipient did not know about virus-generated e-mails.
These realistic forms purporting to be from PayPal
are in fact used to capture highly sensitive information that can be used
to commit identity theft.
Viruses such as the W32/Mimail.j@MM ask for more than just credit card
numbers, but for full names, social security numbers, mothers' maiden
names, driver license numbers, and bank account numbers. These pieces of
data are usually considered highly confidential and are commonly used to
commit identity theft.