SoylentNews is people
SoylentNews
Some may have heard of scambaiting spammers to waste their time and resources. There are many sites like 419eater which concentrate on it. However, Arthur T Knackerbracket has found the following story which takes things a step further. A French security researcher says he managed to turn the tables on a cyber-scammer by sending him malware. Whether or not that is ethical is left as an exercise for the readership.
But Ivan Kwiatkowski played along with the scheme until he was asked to send credit card details. He instead sent an attachment containing ransomware.
[...] When Mr Kwiatkowski's parents stumbled across one such website, he decided to telephone the company and pretend he had been fooled.
The "assistant" on the telephone tried to bamboozle him with technical jargon and encouraged him to buy a "tech protection subscription" costing 300 euros (£260).
Mr Kwiatkowski told the assistant that he could not see his credit card details clearly and offered to send a photograph of the information.
But he instead sent a copy of Locky ransomware disguised as a compressed photograph, which the assistant said he had opened.
"He says nothing for a short while, and then... 'I tried opening your photo, nothing happens.' I do my best not to burst out laughing," Mr Kwiatkowski wrote in his blog.
[...] Mr Kwiatkowski said he could not be absolutely certain whether the ransomware had infected the scammer's computer, but there was a fair chance it had.
"He did not let on that something had happened to his computer, so my attempt is best represented as an unconfirmed kill," said Mr Kwiatkowski.
"But encrypting a whole file system does take some time."
He acknowledged that some people may have found his retaliation unethical, but said responses had been "mostly positive".
(Score: 5, Insightful) by DannyB on Tuesday August 16 2016, @04:39PM
Is it unethical to stop a scammer from scamming you and scamming others who understand the nature of the scam less than you do?
If you saw a bank robbery in progress and put a knife in the get away car's tires, flattening them, would that be unethical? But you damaged their property!
What if you tripped the robbers as they ran out of the bank? Is that unethical?
I could, and I'm sure others here could contrive many more examples.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 3, Funny) by Anonymous Coward on Tuesday August 16 2016, @05:01PM
You wouldn't download a scammer, would you?!
(Score: 1, Funny) by Anonymous Coward on Tuesday August 16 2016, @05:14PM
Sure, why not? You would then get the personal pleasure of dishing out whatever punishment you want.
(Score: 2) by iWantToKeepAnon on Tuesday August 16 2016, @06:44PM
"Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
(Score: 3, Insightful) by Anonymous Coward on Tuesday August 16 2016, @05:34PM
> Is it unethical to stop a scammer from scamming you and scamming others
Except he didn't stop the scammer. He might have hurt the guy, but at most all he's done is inconvenience the guy for a little bit and teach the scammer to be slightly less gullible. For all we know the scammer was using his invalid mother's computer without her evening knowing about it and now she's been cut off from her only means of internet access. At best this is just vigilantism. At worst the "white hat" has crossed a line and hurt innocent people in the crossfire.
> I could, and I'm sure others here could contrive many more examples.
I think 'contrive' is the correct word.
(Score: 3, Touché) by Anonymous Coward on Tuesday August 16 2016, @06:21PM
That poor little hypothetical old lady. How will the hypothetical old lady ever get anything done now that her son fucked up the computer he was using to fuck up thousands of others?
(Score: 4, Interesting) by DannyB on Tuesday August 16 2016, @06:21PM
In my example, by flattening their tires, or tripping them as they run out the bank, you didn't *stop* the bank robbers either. You just inconvenienced them.
You bring up Vigilantism, which is interesting. Where would you draw the line? Is any sort of interference, inconvenience, or action against a criminal act in progress an act of vigilantism?
With these scammers, you don't have any realistic option of reporting them to law enforcement in any meaningful way that is actionable to them. So inconveniencing them, at least slowing down their ability to scam others, seems like not such a bad idea.
As for your contrived invalid mother's computer which the scammer is using -- the harm done to the mother is the scammer's fault. The scammer should have a reasonable expectation that someone might try to do something like this.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 1, Insightful) by Anonymous Coward on Tuesday August 16 2016, @09:06PM
> In my example, by flattening their tires, or tripping them as they run out the bank, you didn't *stop* the bank robbers either. You just inconvenienced them.
No you didn't. In those examples you made it easier for them to be caught by delaying them. That is a key point -- those hypothetical actions improved the chances of the criminals being brought to justice. They were not about retribution for the criminals.
> As for your contrived invalid mother's computer which the scammer is using -- the harm done to the mother is the scammer's fault.
No, it is the fault of the person who used sent the ransomware. Consider this: if he was not a scammer and someone sent him ransomware anyway, who's fault is it then? Obviously it is the fault of the person sending the ransomware. The fact that he was also a scammer does not the change that.
(Score: 0) by Anonymous Coward on Tuesday August 16 2016, @09:45PM
You just can't take the effect and make it the cause.
(Score: 4, Informative) by Anonymous Coward on Tuesday August 16 2016, @06:37PM
There is no 'mother'. The dude works in a sweat shop that does this for a living.
From the blog 'He calls his superior in the hopes of figuring out why the payment isn't going through. In the meantime, I hear other operators in the background repeating credit card numbers and CVVs aloud.'
(Score: 0) by Anonymous Coward on Tuesday August 16 2016, @09:21PM
> There is no 'mother'. The dude works in a sweat shop that does this for a living.
How do you know that the shop provided the computer? That it isn't a laptop he had to bring from home?
It is always *easy* to ascribe the most favorable conclusions to the limited number of facts we have. Kind of like how we know there have been no killing of innocent civilians by drone bombings because the military has declared that all teenage and adult males in the vicinity of a drone bombing are enemy combatants ergo no innocents killed. Easy and wrong.
(Score: 1, Interesting) by Anonymous Coward on Tuesday August 16 2016, @11:22PM
You also have *NO* idea there is a mother and he brought in his own hardware. Perhaps he brought his own phone in. Perhaps he built his own cubical? Perhaps the chair he was sitting on was brought from home too. Even *the* cheapest of Indian sweat shops provides computers. I know I have contracted out to many of them. They usually wipe them at the end of their contract.
Kind of like how we know there have been no killing of innocent civilians by drone bombings because the military
You also are conflating the fucking up a single computer with drone shootings? I'm sorry thats silly.
I find it very difficult to feel sorry for someone trying to fuck up some old mans computer and rob him of 300 euros. At worst he has to reinstall his computer. At best he learned a lesson and moved onto better work. Your weak attempt to derail the conversation is silly. How is what the dude did to him *any* worse than what the guy was doing to him? Do you somehow thing that poor Indian guy on the other end was just going to nicely fix his computer? No he was going to screw it up and rob that guy. It was little more than a computer mugging that went wrong for the mugger.
Again there is 'no mother'. That was made up to generate sympathy for a douche bag who steals for a living.
(Score: 1) by nitehawk214 on Tuesday August 16 2016, @08:40PM
Your heart bleeds for criminals that prey on innocents, truly. Won't someone think of the scammers?
"Don't you ever miss the days when you used to be nostalgic?" -Loiosh
(Score: 0) by Anonymous Coward on Tuesday August 16 2016, @09:11PM
> Your heart bleeds for criminals that prey on innocents, truly.
This is not about the criminals. It is about us. If we embrace vigilantism then we've replaced the rule of law with the rule of man. And that makes us just as morally bankrupt as them.
(Score: 3, Insightful) by Nuke on Tuesday August 16 2016, @09:48PM
If we embrace vigilantism then we've replaced the rule of law with the rule of man
Trouble is, there is no effective rule of law in this area. The crooks are having a free run.
Historically, laws evolved from vigilantism. If there is no rule of law, people (the more powerful local individuals) impose their own law. Then some greater leader, Moses or Alfred the Great for example, says "This is a mess, we must put law on a proper footing with consistent powers of enforcement". You could say that the compter malware field is at the level that general crime was in the Dark Ages before Alfred the Great.
(Score: 0) by Anonymous Coward on Tuesday August 16 2016, @10:15PM
> Trouble is, there is no effective rule of law in this area. The crooks are having a free run.
That does not excuse vigilantism, regardless of the history of vigilantism.
There are laws on the books, they just are not being effectively enforced.
(Score: 5, Informative) by Anonymous Coward on Tuesday August 16 2016, @11:53PM
Hey everyone! I'm the owner of the blog mentioned in this article. I think this is a very interesting debate here. Here is my position on the matter:
First, there is a distinction between law and ethics. Being no lawyer, I'll only discuss the latter and dismiss "it was wrong because it might have been illegal" as slightly off-topic.
There is no question that vigilantism will always be controversial. I would argue that it's an imperfect response to an imperfect society. What moral right did I have to right this particular wrong myself? None, I have to concede this. But the scammers also put me in a catch-21 situation: I can decide not to act and let them keep doing what they do, or I can pick up the phone, make their lives harder and maybe prevent a couple of people from being taken advantage of. Either way, some moral rule gets broken.
So what's the right thing to do when there's no right thing to do? I think most people would reply "the least wrong".
It is my personal belief that in this case, where there was minimal risk of collateral damage, trying to stop the scammers was the best possible option. If I had had the opportunity to rm their machine, I would have, because that would have stopped them longer. Barring this, I did the best I could think of in the spur of the moment, because I care less about their welfare (I think most people agreed that they kind of deserved it) than I care about their victims'.
So this is my argument in favor of hacking back: the instant they enter my life, I have to make a decision which will end up being somewhat unethical, and walking away seems worse.
(Score: 2) by rob_on_earth on Wednesday August 17 2016, @08:25AM
I applaud you for this, really. But what if the scammer is on a library or campus network and your ransom ware now encrypts files other than the scammers?
There was a worm written that fixed one of the big SQL attack vectors, Code Red or Slammer that wound up fixing many many servers but also crippling a few by rebooting them unexpectedly.
My domain was part of a back-scatter email campaign and I had all sorts of nasty responses from individuals that thought I was spamming them. I hate to think what would have happened if they had script-kiddie hack-back scripts. (back-scatter is where you spoof the sender and use multiple email address from the same domain).
I hope knowledgeable people do continue to fight back, but the moment "anyone" can start hacking-back things are going to get painful.
(Score: 2) by AudioGuy on Wednesday August 17 2016, @11:03PM
I think this is an issue with TWO ethical components.
The first is the obvious one being discussed: Is it ok the break the law to stop a lawbreaker?
This seems like a slippery slope to me. We have now law enforcement agencies doing things like selling drugs to set up drug dealers, setting people up with terrorist plots so they can arrest them, selling arms to drug cartels, engaging in serious violations of privacy, etc.
I happen to think most of that is ethically wrong.
But there is a second component: What can you do when the crime is being perpetrated directly upon YOU. Is it ok for an individual to respond in kind to a direct threat?
Murder is a crime. But killing someone who is trying to kill you - not so much.
I believe the distinction is very important.
So in this case I would say, probably ok.
But if someone (other than law enforcement, within legal limits) decided to purposely SEEK this, with the primary purpose of setting up the people running this scam - probably wrong.
(Score: 2) by Marand on Wednesday August 17 2016, @12:34AM
Trouble is, there is no effective rule of law in this area. The crooks are having a free run.
Historically, laws evolved from vigilantism. If there is no rule of law, people (the more powerful local individuals) impose their own law.
Sounds a lot like how IRC networks were back in the 90s, too. You had the operators (admins) that were de facto lords of the land, but they usually didn't give a damn about what was going on unless it personally inconvenienced them, so the users were mostly left to fend for themselves. In this environment, "vigilantes" were often the only form of law you had, because you had to fight fire with fire to avoid being a perpetual victim. So you'd harden your system, learn not to fall for dumb shit, and sometimes fight back with the same tactics people used against you.
It's easy to talk about taking the high ground and being morally superior because the law is supposed to do the work for you, but sometimes the reality is nobody's going to look after you, especially at a global scale where it can be difficult (or even impossible) to get results even if the authorities want to help. Trying to do things the "right" way first is good, but if it keeps failing to make an impact, it's time to look for other solutions, because something isn't working and it's foolish to keep doing the same thing endlessly but expecting better results this time.
(Score: 4, Insightful) by sjames on Tuesday August 16 2016, @09:17PM
And in return, while the mother is busy whacking the scammer's ankles with her cane demanding that he fix it, he is not disabling the computers of a thousand other invalids and charging them $300/ea. for the "service" (if he's not just hoovering the accounts).
If the authorities don't like it, they should fill the vacuum themselves so people don't have to resort to self-help. They seem to have no trouble with international borders when it comes to copyright infringements.
(Score: 1, Insightful) by Anonymous Coward on Tuesday August 16 2016, @09:40PM
I think it more likely that if he's not using his own computer, he's using one that is p0wned. That poor person who if fucked because their computer has been compromised now is double-fucked because now it's encrypted.
(Score: 3, Insightful) by sjames on Tuesday August 16 2016, @10:00PM
Same things about police grabbing the machine apply. Add in that the loss of use of that machine may save the rightful owner a thorough hoovering of their bank account.
But what if the scammer is using {insert good person}'s hacked pacemaker? Let's not get silly here.
(Score: 0) by Anonymous Coward on Tuesday August 16 2016, @05:47PM
Not the best of analogies.
A getaway driver is unlikely to leave the car.
It is also unlikely that he will even switch off the car.
It wouldn't surprise me if he also has a pistol on his person.
That said, in the case of the tire flattener or the counterattacking ransomware guy, I can't imagine a jury that would vote to punish either nor a prosecutor who would even press the case.
.
I put this story in my personal queue just before I went to bed.
CoolHand beat me to it submitting it.
What a fun taste-of-his-own-medicine story it is.
-- OriginalOwner_ [soylentnews.org]
(Score: 3, Interesting) by DannyB on Tuesday August 16 2016, @06:30PM
Not the best of analogies to be sure. But the main point should be about the Unethical question.
If you could stop or slow down the bank robbers, and there was no doubt about the get away car, would it be unethical?
Or is it vigilantism to engage in any action whatsoever? (Even calling the police maybe? That would be interfering.)
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 2, Insightful) by Anonymous Coward on Tuesday August 16 2016, @05:54PM
Is it unethical to stop a scammer from scamming you and scamming others who understand the nature of the scam less than you do?
If you saw a bank robbery in progress and put a knife in the get away car's tires, flattening them, would that be unethical? But you damaged their property!
What if you tripped the robbers as they ran out of the bank? Is that unethical?
I could, and I'm sure others here could contrive many more examples.
What if that tire you knifed was an innocent bystander's you picked because you made a mistake?
Or you have examples like a person so set on saving souls of innocent babies that he firebombs an abortion clinic? Or you have examples like a good meaning ecologist so worried about overfishing that they sink fishing boats.
What this person did is a classic example of vigilante action. I could talk more about the pros and cons of vigilantism, but I'm sure others here can look up both themselves and come to their own conclusions.
(Score: 2) by DannyB on Tuesday August 16 2016, @08:57PM
> What if that tire you knifed was an innocent bystander's
In another post I mentioned, it's not the best analogy, but focus on the Unethical question. What if there was no doubt about whose car and tires? Is it unethical?
> a good meaning ecologist so worried about overfishing that they sink fishing boats
That is a far more interesting question. It's not about the fish. It's about the much larger whole population affected by overfishing vs the selfish over fisher. A lot harder to ponder that one.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 2) by sjames on Tuesday August 16 2016, @09:23PM
Except there was literally no chance that it was the 'right car' and there was no ambiguity about what he was doing being a crime.
If the dummy made the mistake of somehow getting caught, the police would certainly take the computer with no concern for the theoretical invalid mother and if they ever got around to returning it, it would likely be broken (perhaps physically).
(Score: 1, Insightful) by Anonymous Coward on Tuesday August 16 2016, @06:12PM
Ignore the other ACs. But what if you hurt the scammer's mother's computer. Now thats contrived.
The only thing to regret about getting ransomware on to a scammers computer is the fact that you cant do more damage. Getting remote control over it would be much more fun, then you could actively interfere while the scammer continues to attempt to scam others.