It turns out that an interviewed with Chris Hansen of DateLine is not the worst thing that can happen to a Nigerian fraudster preying on victims on the other side of the world, with promises of getting a cut from non-existent fortunes hidden away in Swiss bank accounts. An article in the June issue of Atlantic Monthly looks at a group of volunteers who have taken art of fighting Internet scams to a new level.
Best exemplified by the site 419 Eater, these vigilantes turn the tables on scammers by playing the part of a gullible/greedy target, with the objective of causing maximum effort, wasted time or humiliation on the con artists. Some of the stories are familiar extensions of the To catch and ID thief TV series: the scammer travels a long distance to close the deal but the victim never shows up, or a payment promised never arrives after multiple creative excuses. Others border on the absurd: a photograph accompanying the article shows a Commodore 64 carved out of wood, by the enterprising scammer, tricked into believing that the victim is collecting items for his art gallery. In fact the self-styled “scambaiters” try to one-up each other with more outrageous exploits by getting scammers to send pictures holding up embarrassing signs, displayed in the Trophy Room. (Most comply, supporting the theory that when it comes to crime we catch the dumb ones. A few respond with amazingly awful and obviously fake digitally retouched pictures, which find a home in the Hall Of Shame on the same website.)
Revenge is good but in the collective frenzy over humiliating pwned spammers, the cyber-vigilante seem to have lost sight of the over-arching goal: reduce total damage from fraud. To the extent that the miscreants waste time and effort chasing scambaiters, there is some benefit because those resources are being tied up in unproductive ways instead of going after truly vulnerable victims. That distraction is expensive because it also requires that the good guys waste their time keeping up their side of the story– although turning it into a competitive public sport with a web site seems to have turned up no shortage of volunteers. The basic problem is that once a scammer operation is revealed, including an authentic picture of the perpetrators, he/she remains in business. Future victims remain just as vulnerable to wiring money overseas based on vague hints of a deposed African dictator’s hidden cash.
Parallel situation from phishing: flooding a phishing site with bogus submissions may temporarily reduce its effectiveness or pollute the database sufficiently to reduce the value of the ill-gotten gains. On the other hand, submitting legitimate credentials to a valid “honeypot” account and then carefully monitoring any activity on that account can protect other users. By design, any activity on the account is fraudulent and any IP address used for logging in is suspicious: all activity from that source can be screened to protect users whose data had been obtained in other unrelated scams.