OT - WAY - OT
Kenneth Brody
kenbrody at bestweb.net
Sat Mar 22 09:52:46 PDT 2008

Quoting Howard Wolowitz (Fri, 21 Mar 2008 17:51:58 -0400):
[...]
> You miss my point.
>
> I am not proposing flooding them with automated replies. Just responding to
> their requests for my private information (while illegally pretending to be
> a company that they are not.)
>
> If enough people do it, they will be flooded with replies but only ones that
> they requested. One per email they sent.
>
> I don't see any problem with responding to a criminal attempt to steal my
> information, money, credit or identity with an incorrect response. I tend
> to make a lot of typos anyway. What, are they going to sue me?
>
> Ken's point about them making a DoS attack on me is only not really
> worrisome since how would they know who to do it to if many people
> responded? These people are not out for revenge, just theft.

If everyone who got one of these phishes were to respond with valid-looking,
yet phony data, they would have no way of knowing the good from the bad.

Last year, I had some spare time on my hands, and traced things through the
redirects and so on to the system which actually got the information sent
by the victim. This was probably some person who thought they could get
rich scamming people out of their PayPal account info, as it was a rather
poorly written script, storing the data in a world-readable file on the
same website. Examining that file showed that most people put obviously
fake information (i.e.: name = "die scamming scum", or full of expletives).
Had everyone who replied that way instead filled out valid-looking
information, the scammers couldn't eliminate the obvious fakes. This
particular site was so poorly done that they even had one of those web-based
file managers in place, without any password. (I changed their
main page to one that said "this is a scam", with a link to Wikipedia's
phishing page. They changed it back the next day, and I changed it once
again.)

Note, however, that I said "most people" above. I got to do my mitzvah
for that day by calling the one entry that looked like real information.
(Name, address, SSN, phone number, mother's maiden name, credit card info
including ccv, PayPal login and password, and so on.) I called the phone
number in that entry, and left a voice mail on their machine explaining
that "I don't want anything except to give you some information", and
went on to explain what happened, and left my name and number. I got a
call a couple of hours later from her husband/boyfriend, and I explained
what I had found, and read him some of the information that was in the
file. He verified that it was correct. I told him I was sorry that I
couldn't do anything about the information that was in the file, as I
could only read it, and that he should contact the police to report it,
as well as the credit card company and PayPal. Hopefully, they were
able to do something before the scammers could.

(Actually, rereading the above, I realize that I combined information from
several of the sites I tracked down. The web-based file manager was not
on the same system as the world-readable data file, and so I was not able
to erase the valid-looking data from the file.)

> Your point about spyware is really scary and I will update my spyware
> protection before I do anything. That may be the main reason they want you
> to visit their sites in the first place.

As I said, I use SamSpade to examine such things.
http://www.majorgeeks.com/Sam_Spade_d594.html

> And no, I don't have much free time but I'll be glad to spare a few moments
> a day (for the greater good) to screw up these criminals and eventually
> maybe make it too expensive for people to bother phishing.
>
> Maybe you can't cheat an honest man (not too easily anyway) but cheating a
> crook is a moral imperative.
--
KenBrody at BestWeb dot net spamtrap: <g8ymh8uf001 at sneakemail.com>
http://www.hvcomputer.com
http://www.fileProPlus.com