Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Security Privacy Your Rights Online

Vigilante Hackers use Old West Tactics for Justice 532

Posted by CowboyNeal
from the lord-loves-a-hangin' dept.
dismorphic writes "Angered by the growing number of Internet scams, online 'vigilantes' have started to take justice into their own hands by hacking into suspected fraud sites and defacing them. These hackers have targeted fake websites set up to resemble the sites of banks or financial institutions in recent weeks, and have inserted new pages or messages. Some say 'Warning - This was a Scam Site,' or 'This Bank Was Fraudulent and Is Now Removed.'" So maybe it's not a posse of horsemen, but it's still kinda cool that someone is taking care of those who would defraud the public.
This discussion has been archived. No new comments can be posted.

Vigilante Hackers use Old West Tactics for Justice

Comments Filter:
  • justice (Score:5, Interesting)

    by Artana Niveus Corvum (460604) on Thursday May 26, 2005 @09:58PM (#12651338) Homepage Journal
    I truly often wish that sort of justice were legal... When the law can't back itself up and the people can...
    • Jury nullification (Score:5, Interesting)

      by XanC (644172) on Thursday May 26, 2005 @10:01PM (#12651367)
      If it's common sense, regardless of the law, the people (in the form of a jury) can make it legal.
      • by dubdays (410710) on Thursday May 26, 2005 @10:06PM (#12651404)
        Unfortunately, it seems to take FOREVER for the law to make a difference in these cases, if anything is ever done at all. The simple fact is that it's difficult, at best, to try to track and arrest an international criminal. I'm generally not one for vigilantes, but when it takes 5 months to catch the bastard legally, I'm all for taking the sucker out of business by other means.
        • by crymeph0 (682581) on Thursday May 26, 2005 @10:32PM (#12651601)

          Agreed. From the end of TFA:

          We would rather see the industry itself find solutions.

          And while your industry is sitting around doing nothing about these fake sites set up in countries where the local police care more about rounding up dissidents than stopping fraud, people are losing their life savings. I'll take my chances with the vigilantes. Even if they make mistakes, at least they're doing something

          • by MetalliQaZ (539913) on Thursday May 26, 2005 @11:00PM (#12651777)
            The problem with vigilantes is this:

            What happens when they come after YOU, and you don't have due process to protect you?

            -d
          • by tomhudson (43916) < ... <nosduh.arabrab>> on Thursday May 26, 2005 @11:02PM (#12651785) Journal
            We would rather see the industry itself find solutions.
            "The industry" would rather use this as an opportunity to sell you "our latest anti-phishing software". Fuck that! That is NOT a solution. That's barely a bandaid.
          • by mollog (841386) on Thursday May 26, 2005 @11:15PM (#12651836)
            I see this as another example of the self-policing that goes on here on the internet. Slashdot is another example on several levels. For example, this forum provides a means for people to express their feelings about a variety of subjects. And this forum is not mob rule, we moderate each other, and we moderate the moderations. Inflammatory and extremist talk is not tolerated silently.

            On another level, Slashdot is the pulpit where the topic of freedom gets a lively and ongoing discussion. Freedom to use and create software, freedom to exchange ideas, data, tools, freedom of expression, etc., etc.

            The 'net is not quite the free-for-all that some believe. And this self-regulation, self-policing, self-examination that is already the norm, is proof of the responsibility and maturity of so many here who make the net what it is; a cool place now, and a thing of hope for the future. So the idea of people going out and disrupting bad behavior on the 'net is a virtual tradition. To me this is a very good sign.

            Let's continue working to keep the gummint's clumsy hands off the 'net. I know they made the net, but it has grown in size and importance because of public involvement.
            • by DerekLyons (302214) <(fairwater) (at) (gmail.com)> on Friday May 27, 2005 @02:34AM (#12652641) Homepage
              I see this as another example of the self-policing that goes on here on the internet. Slashdot is another example on several levels. For example, this forum provides a means for people to express their feelings about a variety of subjects. And this forum is not mob rule, we moderate each other, and we moderate the moderations. Inflammatory and extremist talk is not tolerated silently.
              Only so long as the inflammatory and extremist talk isn't something disliked by the Slashdot Hivemind... If it is, inflammatory and extremist talk is *encouraged* where it's not outright rewarded.
              • For instance, in the recent article about 911 and Vonage, virtually every post supporting Vonage and calling the victim 'stupid' was modded *up*, whereas virtually every one criticizing Vonage for it's misleading marketing material was modded *down*.
              • In a recent article about militarizing space, virtually every article criticizing the Administration and misreading the various treaties was modded *up*, while pointers to correct interpretations of the treary was modded *down*.
              • In virtually every article about the Shuttle, posts praising Soyuz are modded *up*, and posts pointing out that it's not as safe as propoganda would have you believe is modded *down*.
              The same can be seen in any article about MicroSoft, SCO, and a vast variety of other topics.

              Slashdot is indeed ruled by a mob - a mob extremely intolerant of dissident views and facts that fail to meet it's fore-ordained conclusions.

              On another level, Slashdot is the pulpit where the topic of freedom gets a lively and ongoing discussion. Freedom to use and create software, freedom to exchange ideas, data, tools, freedom of expression, etc., etc.
              Certainly - If you define 'freedom' as 'I can do whatever the hell the I want without any restrictions or respect for other peoples rights, except maybe the people I agree with'. The same Slashdot that gets annoyed about GPL violations is the same Slashdot who openly espouses theft of *other peoples* IP.

              And that's the ultimate tragedy of vigilante justice - it's almost always represents the views of the 'men on white horses', not those of society.

              The 'net is not quite the free-for-all that some believe. And this self-regulation, self-policing, self-examination that is already the norm, is proof of the responsibility and maturity of so many here who make the net what it is; a cool place now, and a thing of hope for the future.
              It's almost utterly unregulated and unpoliced - except for very small corners. And virtually all of those small corners are intolerant of anything 'not them'. They aren't about freedom - they are about bigotry and isolationism.
            • Yep, but like all things , there are alot of bent Coppers (as in corupt) .
              Mob rule follows the loudest idiot and it can be rather dangerous if unatended . Not that i disgree in principle with swift vigilante justice against phishers , its just it can get out of hand .

            • Yeah... (Score:5, Funny)

              by kikta (200092) * <jasonNO@SPAMkikta.net> on Friday May 27, 2005 @07:58AM (#12653988)
              Inflammatory and extremist talk is not tolerated silently.
              ...it is duly modded up. ;-)
      • by ScentCone (795499) on Thursday May 26, 2005 @10:33PM (#12651604)
        If it's common sense, regardless of the law, the people (in the form of a jury) can make it legal.

        Not really. For example, if a person doesn't have appropriate charges brought up against them (or there are no such statutes), then there will never be an option for a jury to exercise. The jury might elect not to convict on something, but they can't cause a conviction (on other counts) where there should be one. This is particularly true where the nature of an act (like some innovative new form of online fraud, for example) hasn't been really contemplated by the justice system before.
        • by anagama (611277)

          The jury might elect not to convict on something, but they can't cause a conviction (on other counts) where there should be one. This is particularly true where the nature of an act (like some innovative new form of online fraud, for example) hasn't been really contemplated by the justice system before.

          It sounds like you are saying that if a person comes up with a new fraud scheme, he can't be tried and convicted. I think fraud is a very flexible term. Basically, any transaction in which Fraudster

        • by Xoder (664531) <slashdot@xoder.f ... m ['tma' in gap]> on Friday May 27, 2005 @02:45AM (#12652707) Homepage
          The grandparent is referring to the US (and possibly elsewhere) rarely-used practice of Jury Nullifcation. The jury essentially says that, yes, the accused is guilty of the crime stated, but the activity should not be a crime, and so we will not convict. Judges and prosecutors hate that, and will often refuse a juror if he mentions knowledge of the statute.
      • by spongman (182339)
        they can't make it legal. they can, however, choose to ignore the law.
      • by darkonc (47285)
        Just as long as they don't take out the entire server. A lot of these sites are hosted on hijacked and otherwise innocent boxes. If it's a multi-hosted box, you could easily end up taking out a couple hundred unrelated websites.
        Even for a single-hosted box, the person running the box may not be aware of what it's doing.

        Those caveats having been stated, however, I think that it's a nice thing to see being done. I've sent emails to the sites being spoofed suggesting that they ask for this sort of change,

        • by norton_I (64015) <hobbes@utrek.dhs.org> on Friday May 27, 2005 @12:10AM (#12652118)
          This is, of course, the problem with vigilante justice, and the reason it is illegal. The 'outmoded' idea of due process that makes our legal system too slow do deal with phishing and other fraudlent sites are designed to make sure the only the guilty are punished, and that the punishment is comensurate with the crime. If I get my paypal 'change your password' scam-of-the-week email, go to the site it points to, hack in, and shut down their webserver, I have maybe stopped some crimes being committed. But I refuse to trust myself to do so without disrupting anyone elses business, leaving the server open for other spambots and the like, or in general causing a mess. In the world where the chances of the perpetrator being caught were high, by hacking in myself, I might even destroy evidence that could be used to legally prosecute them.
    • I agree (Score:5, Insightful)

      by Dancin_Santa (265275) <DancinSanta@gmail.com> on Thursday May 26, 2005 @10:03PM (#12651386) Journal
      We just don't see enough people hanging from trees for marrying outside their race.

      Oh, your concept of right and wrong is different from mine?
      • Re:I agree (Score:4, Funny)

        by kclittle (625128) on Thursday May 26, 2005 @10:20PM (#12651506)
        I have mod points, but I can't find the "Insightful Flamebait Troll" value in the list...
      • There is a big legal difference between a crime of violence and a crime against property.

        There is also a big practical difference between a crime against another criminal (who is unlikely to report or prosecute) and a crime against a non-crimial.
    • Re:justice (Score:2, Insightful)

      by EngMedic (604629)
      The problem is, it's not justice, it's retribution.
    • Re:justice (Score:4, Insightful)

      by lawpoop (604919) on Thursday May 26, 2005 @10:05PM (#12651398) Homepage Journal
      This is not justice. Who says that this site or that site is a fraudulent bank? How would you like it if a 'vigilante' defaced your site claiming you were a fraud?

      If you don't have a trial with evidence, all you are doing is creating cycles of revenge, with no resolution. With a justice system, wrongs can be righted, and then we are done with the matter.

      There is no justice system that is totally perfect, but resorting to vigilantism when justice isn't perfect would make the situation much much worse.

      • Re:justice (Score:5, Insightful)

        by Adrilla (830520) * on Thursday May 26, 2005 @10:17PM (#12651487) Homepage
        and meanwhile, while all of this time is passing waiting for arrests and trials, they fraudulent websites are robbing people who don't know any better. I don't fully endorse the defacing the sites but it's something and it works quicker than waiting for the justice system to catch up. It's not a resolution, but it is a deterent, not to mention if the justice righted the wrongs and we were already "done with the matter" the vigilantes wouldn't have fake sites to deface.
        • Re:justice (Score:4, Insightful)

          by shawn(at)fsu (447153) on Thursday May 26, 2005 @10:36PM (#12651641) Homepage
          Aren't we the same people that worry about the goverement taking away our right of do process with the Patriot act. I'm sure the goverment probably uses some of the same reasoning. "It would take month to get this court order to tap the phone line"

          That said I really don't care about these sites getting defaced, if they accidently deface a legitimite site well then I think they should be punished.
        • " It's not a resolution, but it is a deterent, not to mention if the justice righted the wrongs and we were already "done with the matter" the vigilantes wouldn't have fake sites to deface."

          A similar argument could be made for vigilantism. The problem is is that the line has to be drawn somewhere. What if defacing the sites isn't good enough? What if somebody thinks it's funny to put goatse or something on their site? What if they DoS attack the site with zombie computers? Etc.

          I can imagine you're s
          • Re:justice (Score:5, Insightful)

            by Adrilla (830520) * on Thursday May 26, 2005 @10:53PM (#12651742) Homepage
            Like I said I don't fully endorse what they're doing, and one of the reasons why is because it can spiral out of hand. But I can understand the intent and I can appreciate standing up for the average consumer who doesn't know that they are getting taken advantage of, there is some sort of neighborhood justice there. It's not good, but I don't think it's bad either, I'd say it falls in a favorable area of gray and as long as it stays there, I can live with that.
    • Re:justice (Score:3, Interesting)

      by liquidpele (663430)
      I've often thought of writing a script to flood bogus data into scam sites, so that at least they couldn't get any real data out of it after the script had started.... Anyone think that would work, or am I overlooking something?
      • I've often thought of writing a script to flood bogus data into scam sites, so that at least they couldn't get any real data out of it after the script had started.... Anyone think that would work, or am I overlooking something?

        Smart scammers will keep track of IP addresses via a script running on the server, and block you after a while. Of course, as we all know from some of the spam and scams out there, the bad guys are not always all that bright.

        I remember reading an article on Slashdot about this sp

        • *sigh*

          If they know how to hack a site they know how to go through an anonymous proxy.
        • I remember reading an article on Slashdot about this specifically about a year or so ago, but a search doesn't bring it up. Essentially, someone wrote a script to do just this.

          My memory is failing me be it sounds akin to ..... *thinking: brain wishing I'd had breakfast and a good night's sleep with a nun* ... here it is: Make Love, Not Spam [makelovenotspam.com].

          Click the little "click here" if you click the link I made above -- interesting factoids. I remember being all happy about this and saddened that it got sh

        • Re:justice (Score:4, Funny)

          by thinkliberty (593776) on Thursday May 26, 2005 @10:34PM (#12651623)
          Yeah but scammers are now useing new souper P-P-P-Powerbooks! [zug.com]

          There is no way you are going to bring down their site.
      • Re:justice (Score:5, Interesting)

        by JockAMundo (783105) on Thursday May 26, 2005 @11:09PM (#12651818)
        I've often thought of writing a script to flood bogus data into scam sites

        I do this all the time. It is easy with the Firefox Web Developer extension. I just turn the post into a get, remove the field limits, and fill the fields with hundreds of characters. I usually take some text from Project Gutenberg. Then I stuff the big GET into a wget command in a looping bash script and let it run for a few hours. These sites are usually just php mailers, and so I get the satisfaction of filling a scammers mail box.

        Probably useless, but it makes me feel better.

        (arg, slashdot says I'm a script!, that is it, I done coding for the day and I'm going for a beer)
    • Re:justice (Score:3, Insightful)

      Unfortunately, this specific *type* of working around the legal route to justice will only stengthen the tactics/creativity used by "bad guys"(c). It's introducing the darwin effect, and will only kill off the stupid for s short time.. until they learn they much up the anty. In time that will only make it harder to detect the scams. While its cool in the short run, it's only helping the bad guys evolve.

      kinda cool though.
      • Re:justice (Score:3, Informative)

        by v1 (525388)
        but to say it's a bad idea to fight injustice because the criminals will just get better, that's a blanket justification that could be applied to all crime. The result of widespread adoption of that mindset would be "anarchy".

        If you don't fight back, you are perceived as weak. Criminals prefer to prey on the weak. So by not fighting back, you are making yourself an attractive target, and will be exploited.

        Vigilante justice occurs when a group is doing something that the general public can openly agree
    • "I truly often wish that sort of justice were legal... When the law can't back itself up and the people can..."

      I might agree with you if I thought people generally had a good sense of proportion.
    • Re:justice (Score:5, Funny)

      by ear1grey (697747) on Thursday May 26, 2005 @10:27PM (#12651565) Homepage
      This was originally an ill-considered and underinformed comment disagreeing strongly with the attitude and social misalignement of the parent comment, however vigilantes have hacked it and altered it's purpose to throw the original comment's cunning and socially wry insight into sharp relief.
  • ahhh... (Score:5, Funny)

    by Anonymous Coward on Thursday May 26, 2005 @09:58PM (#12651340)
    that's why my citibank fansite was defaced!
  • gov. crackdown (Score:3, Insightful)

    by Awol411 (799294) on Thursday May 26, 2005 @09:59PM (#12651345)
    i love how gov. agencies will probably crack down on the hackers defacing the phishing sites, but do little to nothing about the phishing sites/people themselves its all about the quick solution, not trying to go towards the deeper problem
  • "The Geeks, the Pasty and the Unbathed"
  • ...but we had the same story, by a different news source a day or 2 ago.
  • by ravenspear (756059) on Thursday May 26, 2005 @10:02PM (#12651372)
    Dear Sir,

    My name is Dr. Samouismai from the royal family of Nigeria and I would like to offer you a proposal that you may find compelling.

    I have recently come into an inheritance of goatse pics and I feel that I can not hold all of it safely. I would propose that if you agree I will hold 26 million of these pics in trust for you to deposit at whatever place you wish to keep them.

    I would like to meet to arrange this as soon as possible. If this deal succeeds, I would also like to discuss the possibility of you acquiring my collection of 4.3 million woopie cushions.

    Sincerely,
    I forgot my real name but I usually go by Jack Ass
  • Most scam artists are smart enough to set up sites from free hosting companies, or use stolen credit cards to purchase paid hosting from legitimate hosting companies.

    Hacking into these legitimate companies doesn't do anything to hurt the scammers.
    • Depends (Score:3, Insightful)

      by Thu25245 (801369)
      Hacking into these legitimate companies doesn't do anything to hurt the scammers.

      If the vigilantes take down the scam site, then they may prevent some people from falling victim to it. It may not hurt the scammer, but it might protect the innocent.

      And, frankly, these "legitimate companies" should do more to prevent the use of their services for fraudulent purposes. Say, writing a script to search though the hosted material for the phrase "bank account" and flag any occurrences for human review.

      I can't s
    • Re:Hmmmm (Score:5, Insightful)

      by ergo98 (9391) on Thursday May 26, 2005 @10:22PM (#12651521) Homepage Journal
      Hacking into these legitimate companies doesn't do anything to hurt the scammers.

      ?

      You think that it doesn't hurt phishers when their "closer" is rendered inoperational? Maybe I'm wrong, but I'm going to bet that some phisher that used their botnet to send out millions of emails (losing a number of their bots in the process) is going to be pretty pissed when some whitehat knocks their server offline before all of the morons enter their username and password.
    • Sure it does ... if someone that was taken in by a phishing email goes to the scammer's site and sees "THIS SITE IS RUN BY CROOKS" all over it, he might think twice about typing in his bank account numbers and clicking SEND. This isn't so much about accountability or bringing these guys to justice, it seems more about just making it harder for them to operate. And that's fine so far as it goes, but cracking a scammer's site is still going to be a violation of some cyberterror law or other.
  • by neo (4625) on Thursday May 26, 2005 @10:02PM (#12651378)
    Larson added, "We would rather see the industry itself find solutions."

    So would we.
  • There has been a long history of hackers doing good on the internet. I think this is just another step in that story. Hackers have been misrepresented in the media for many years, and I for one am glad to see that for once they're getting some good press.
  • Retribution (Score:5, Insightful)

    by athakur999 (44340) on Thursday May 26, 2005 @10:10PM (#12651434) Journal
    I have a little PHP script that I use whenever I get a phishing email. The script generates fake credit card numbers, expiration dates, etc. and repeatedly hits the phishing site's form dumping in random info.

    Any halfway intelligent phisher would record the IP address of each submission and just dump all of mine when he saw there were bogus, but it makes me feel good that I at least wasted some of his time ;)

    • by Anonymous Coward
      Just think if Visa did this. Only instead of "fake", they use honeytokens: Cards which, once used, are immediately flagged. Black Helicopters swoop in and arrest the baddie. You know, like in that documentary "Enemy of the State".
      • Re:Retribution (Score:4, Interesting)

        by lukewarmfusion (726141) on Thursday May 26, 2005 @10:19PM (#12651496) Homepage Journal
        I wouldn't be surprised if law enforcement actually used this technique.

        Seriously, how hard is it to find a phishing site's servers and the owners? I forward links, emails w/headers, whois info (one guy had his real name, address, etc. in the whois for the domain!), etc. to the authorities any time I get the emails. If you can find the hosting company, server, etc. and track down the account owner, that might work.
        But if that information is false, giving them a valid account with a "honeytoken" like you describe would be a great way of continuing your search. It's more likely that the scammer has taken precautions on their hosting account than they will when they try to use the invalid account information.
      • by lheal (86013) <lheal1999&yahoo,com> on Thursday May 26, 2005 @10:49PM (#12651708) Journal
        >You know, like in that
        >documentary "Enemy of the State".

        Yeah, I wish Time had put documentaries in their Top 100 films list. That one surely would have been right there.

        Did you notice how the mainstream media just ignored that, treating it like just another movie?

        I added another layer of foil to the bomb shelter after I saw it.
    • Re:Retribution (Score:4, Interesting)

      by jarich (733129) on Thursday May 26, 2005 @10:17PM (#12651488) Homepage Journal
      I have a little PHP script that I use whenever I get a phishing email

      Come on... post the script!

      • Re:Retribution (Score:5, Informative)

        by athakur999 (44340) on Friday May 27, 2005 @12:19AM (#12652155) Journal
        There's not much to it. Here was the last one I used. In this case it was bank site asking for an ATM card number, PIN number, etc. Adapting it to other sites wouldn't be hard. The way I'm generating numbers would probably get rejected if you tried to use it for credit card numbers but this particular phishing script didn't seem to do any verification so I didn't bother...

        for ($i = 0; $i 100; $i++) {

        $ssn = sprintf("%03d%02d%04d", rand(100, 999), rand(0, 99), rand(0, 9999));
        $cardnumber = sprintf("%04d%04d%04d%04d", rand(0, 9999), rand(0, 9999), rand(0, 9999), rand(0, 9999));
        if (rand(0,1)) $cardnumber .= rand(0,9);

        $expmonth = sprintf("%02d", rand(1, 12));
        $expyear = rand(2005, 2011);
        $cardpin = sprintf("%04d", rand(0, 9999));

        for($len=10,$r1='';strlen($r1)$len;$r1.=chr(!mt_ ra nd(0,2)?
        mt_rand(48,57):(!mt_rand(0,1)?mt_rand(65 ,90):mt_ra nd
        (97,122))));

        for($len=10,$r2='';strlen($r2)$len;$r2.=chr(!mt_ ra nd(0,2)?
        mt_rand(48,57):(!mt_rand(0,1)?mt_rand(65 ,90):mt_ra nd
        (97,122))));

        $email = "{$r1}@{$r2}.com";

        echo "$ssn\n$cardnumber\n$expmonth\n$expyear\n$cardpin\ n$email\n";

        $ch = curl_init();
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, "ssn={$ssn}&cardnumber={$cardnumber}&expmonth={$ex pmonth}&expyear={$expyear}&cardpin=
        {$cardpin}&em ail={$email}&statement=&btnContinue0. x=64&btnContinue0.y=9");
        curl_setopt($ch, CURLOPT_URL, 'http://www.ewwf.ro/KeyBank/enroll.php');
        curl_se topt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20040929 Firefox/0.10
        ');
        curl_setopt($ch, CURLOPT_REFERER, 'http://www.marumitu.com/KeyBank/enroll_auth.html' );
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_HEADER, 1);
        curl_setopt($ch, CURLOPT_TIMEOUT, 300);
        $result=curl_exec($ch);
        curl_close($ch);

        }
    • Re:Retribution (Score:5, Informative)

      by Raindance (680694) * <`johnsonmx' `at' `gmail.com'> on Friday May 27, 2005 @12:05AM (#12652095) Homepage Journal
      Hah. Good idea.

      I hope you're giving the phishing sites numerically valid credit card numbers- essentially there's a checksum hidden in a card number. Phishers can screen out completely randomly generated card numbers because their checksum doesn't match.

      Here's a link to the algorithm*
      http://www.beachnet.com/~hstiles/cardtype.html [beachnet.com]

      Enjoy.

      *No, reverse-engineering the algorithm won't generate a valid card, but it'll generate a "not obviously invalid" card.
    • Re:Retribution (Score:5, Informative)

      by serutan (259622) <snoopdoug AT geekazon DOT com> on Friday May 27, 2005 @01:02AM (#12652311) Homepage
      I have a little PHP script that I use whenever I get a phishing email...

      Post it on Planet Source Code [planet-source-code.com] -- thousands of people could be using it tomorrow.
    • Re:Retribution (Score:3, Interesting)

      by Masa (74401)
      One question:

      What if you generate and submit a valid, existing, card number by accident?
    • Re:Retribution (Score:3, Interesting)

      by SteelV (839704)
      Wouldn't it be ironic if one of your randomly generated entries actually turned out to be a real person, with all the correct information, and he got it stolen because of that? Highly, highly unlikely, but interesting to think about.
  • Be wary of... (Score:2, Informative)

    by xquark (649804)
    The links these so-called vigilantes place on those de-faced sites saying:

    "link to the bank's real web site" ;)

    he he he he he he :D

    Regards

    Arash Partow

    _______________________________________________ _ __
    Be one who knows what they don't know,
    Instead of being one who knows not what they don't know,
    Thinking they know everything about all things.
    http://www.partow.net/ [partow.net]
  • Hacker Man! (Score:5, Funny)

    by clayasaurus (758835) on Thursday May 26, 2005 @10:20PM (#12651503) Homepage
    Hacker-man, Hacker-man
    Does whatever a hacker can
    pwns fake websites, any size
    Catches phishers, just like flies
    Look out! There goes the Hacker-man!

    Is he strong? Listen, Bud!
    He's got caffinated blood.
    Can he type from a chair?
    Take a look over there.
    Hey there, there sits the Hacker-man!

    In the chill of night,
    At the scene of the crime
    Like a streak of light
    He arrives just in time

    Hacker-man, Hacker-man
    Friendly neighborhood Hacker-man
    Wealth and fame, he's ignored
    Action is his reward

    To him, life is a great big bang-up
    Wherever there's a scam-up
    You'll find the Hacker-man!
  • Reminds me of... (Score:2, Insightful)

    by hoka (880785)
    a userfriendly comic where Pitr is upset at being spammed. He discovers that the mail servers are Linux and are inseucre. The next clip is of a guy behind a computer frowning at "su: user does not exist." Theres a followup comic where all of the spammers Internet Traffic are routed to Mars. "But Mars doesn't have any... oh." All this really means is that eventually phishers and scammers will get smarter and run TrustedBSD, OpenBSD, SELinux, or some other hardened variant using mainly static pages and highl
    • Re:Reminds me of... (Score:3, Informative)

      by Dachannien (617929)
      All this really means is that eventually phishers and scammers will get smarter and run TrustedBSD, OpenBSD, SELinux, or some other hardened variant using mainly static pages and highly developed systems. It's really a never ending battle.

      According to a recent article [slashdot.org], many phishing websites are run on already insecure systems that are hacked by the phishers. This is a "good" idea from their perspective, as it makes them harder to trace. However, in such cases, the only element of choice given to the ph
  • it doesn't seem like defacing the site would send much of a message--aren't they generally hosted on compromised boxes, by someone who has hundreds of other compromised boxes?
    wouldn't it be a better idea to find the people behind them (it's not too hard...) and go from there?
  • Instead of defacing websites?

    If they are smart and talented enough to break into a webserver, they could use those skills to set up some sort of clearinghouse for phish sites to avoid that could be done as some sort of proxy + RBL for phish sites. Better yet, program a web proxy program that does something simple:

    Compare the href tags in downloaded webpages with the displayed links. If the 'root' domains don't match, imbed a warning in the HTML page before it is sent to the browser for the user to see.
  • Vigilante activism (Score:5, Interesting)

    by Anonymous Coward on Thursday May 26, 2005 @10:33PM (#12651608)
    Speaking of vigilante activism

    #!/usr/bin/perl
    # This is a perl script I wrote to piss off the phishers. What this
    # script does is generate fake credit card numbers that look like real
    # credit card numbers. This way, I can add bogus information to
    # phishing sites that looks legitimate
    # License: Public domain
    sub verify {
    my($cardnum) = @_;
    my($a,$b,@cc);
    for($a = 0;$a < 16; $a++) {
    $cc[$a] = substr($cardnum,$a,1); }
    for($a = 0; $a < 16; $a+= 2) {
    $b = $cc[$a] * 2;
    if($b > 9) {
    $b -= 9;
    }
    $cc[$a] = $b;
    }
    $b = 0;
    for($a = 0 ; $a < 16; $a++) {
    $b += 0 + $cc[$a];
    }
    return $b % 10 == 0;
    }
    for(;;) {
    $d = "54"; # Some phishing sites only accept cards where the
    # first numbers look like they come from a bank
    # This looks like a generic US MasterCard number
    # (MasterCard is actually 5[1-5], but I'm too
    # lazy to make the second digit a random number
    # from 1 to 5)
    for($c = 2 ; $c < 16; $c++) {
    $d = $d . int(rand(10));
    }
    #print $d . "\n";
    if(verify($d) == 1) {
    print $d . "\n";
    sleep(1);
    }
    }

    • by Anonymous Coward on Thursday May 26, 2005 @10:49PM (#12651712)
      Parent post is clearly a fake, it claims the code is Perl, but I could read and understand all of it.
      • #!/usr/bin/perl
        do {
        my ($cc, $sum) = '54' . (join '', (map { $_ = int rand 10 } (1..13))) . '0';
        foreach $digit (split //, $cc) { $sum += $digit; }
        foreach $digit (split /.(.)/, $cc) { $sum += $digit; }
        $cc =~ s/.$//;
        print $cc, 9 - ($sum % 10), "\n"
        } while (sleep 1);
  • Its all well and good until someone feels cheated by a real bank, and defrauds their site. Justice is best handled by an organized police force. To bad no such thing really exists on the internet.
  • by lheal (86013) <lheal1999&yahoo,com> on Thursday May 26, 2005 @10:40PM (#12651660) Journal

    I believe our Founding Fathers, well-versed in the technology of the day, said it best:

    A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Sploits, shall not be infringed.
  • by tyagiUK (625047) on Thursday May 26, 2005 @10:40PM (#12651664) Homepage
    Hack the phishing server, fire up a torrent tracker and post a link to some US chart music or movie downloads. ref: http://yro.slashdot.org/article.pl?sid=05/05/25/22 6228&tid=95&tid=17 [slashdot.org]

    That way, the FBI, RIAA, MPAA will all be round there in about 10 minutes flat.
  • So maybe it's not a posse of horsemen

    I take issue with this statement. Yes horses are not as popular as they once were, but that doesn't mean they are completely out of the picture. Why you automatically assume that everyone else subscribes to your horseless worldview, I have no idea.

  • by Le_Papet (829100)
    'Warning - This was a Scam Site...If you would like to aid us in our future attacks on scam sites please enter your credit card number and expiration date in the fields provided below.'
  • by Lally Singh (3427) on Thursday May 26, 2005 @10:55PM (#12651756) Journal
    Problems like these should be solved by technology. The time and energy of talented hackers is wasted on vigilanteism. The digital world has new rules and new capabilities.

    Sorry, I know good engineering work is harder, much less exciting, and much less satisfying than hacking the enemy directly, but why play whack-a-mole when you can make them obsolete? Ok, enough ranting. I hope y'all had fun.
  • "Old West Tactics" (Score:5, Informative)

    by Wyatt Earp (1029) on Thursday May 26, 2005 @11:19PM (#12651865)
    I'm a Middle East (1917-1995) Historian by day and an Old West Historian by night.

    This really isn't an "Old West" tactic, but a tactic used in the United States, UK and other nations with a tradition of Common Law or the inclusion of extensive non-statutory law reflecting a consensus of centuries of judgements by working jurists.

    As times changed laws became codified and the power of the People to enforce the law were erodded in the United States and other countries.

    A Judge had to own 500 acres of land without debt on the land and they had the power to cherry pick what they wanted in terms of the law for the circumstances. Law then was terrible complicated, looking at a History of American Law by Lawrence M. Friedman shows that it's terrible complex and not nearly codified enough to just throw out a list of laws and punishments. Since the law on the frontier was often a copy/paste affair and made up by the Judges and not codified, a Judge had the power to make up laws. Like Evesdroping in 1808 or Droping a Dead Body into a River in 1821. Federal Judges started to go wild with common law crimes after U.S. V. Hudson and Goodwin in 1812.

    This case allowed a Federal Judge or define a crime and issue a punishment for it. Codification would stop this by defining what was a crime, and stop a Judge from making up a crime.

    A Posse wasn't normally a group of people acting as vigilanties, but a Posse is a group deputized by a Law Enforcment agent (Town Marshal, Sheriff, Federal Agent, etc) for a fixed duration or event since communities didn't have large standing forces.

    Some examples from an essay I found on the web a while back while researching the law in the 1860s

    Citizen's Arrest

    Students of the law should note that both a statutory and common law basis for a certain degree of "vigilante behavior" is well founded. Indeed, in an era of lawlessness it is important that readers be advised as to their lawful right to protect their communities, loved ones and themselves by making lawful citizens' arrests.

    First, what is an arrest?

    We can thank Black's Law Dictionary for a good definition: "The apprehending or detaining of a person in order to be forthcoming to answer an alleged or suspected crime." See Ex parte Sherwood, (29 Tex. App. 334, 15 S.W. 812).

    Historically, in Anglo Saxon law in medieval England citizen's arrests were an important part of community law enforcement. Sheriffs encouraged and relied upon active participation by able bodied persons in the towns and villages of their jurisdiction. From this legacy originated the concept of the posse comitatus which is a part of the United States legal tradition as well as the English. In medieval England, the right of private persons to make arrests was virtually identical to the right of a sheriff and constable to do so.

    A strong argument can be made that the right to make a citizen's arrest is a constitutionally protected right under the Ninth Amendment as its impact includes the individual's natural right to self preservation and the defense of the others. Indeed, the laws of citizens arrest appear to be predicated upon the effectiveness of the Second Amendment. Simply put, without firepower, people are less likely going to be able to make a citizen's arrest. A random sampling of the various states as well as the District of Columbia indicates that a citizen's arrest is valid when a public offense was committed in the presence of the arresting private citizen or when the arresting private citizen has a reasonable belief that the suspect has committed a felony, whether or not in the presence of the arresting citizen.

    District of Columbia Law 23- 582(b) reads as follows:
    (b) A private person may arrest another -
    (1) who he has probable cause to believe is committing in his presence -
    (A) a felony, or
    (B) an offense enumerated in section 23-581 (a)(2); or
    (2) in aid of a law enforcement officer or special policeman, or other person authorized by law to make a
    • by videha (774526) *
      I think the term vigilante is not correct in this instance. From Encarta dictionary;

      law-enforcing citizen: somebody who punishes lawbreakers personally and illegally rather than relying on the legal authorities
      Microsoft® Encarta® Reference Library 2005. © 1993-2004 Microsoft Corporation. All rights reserved.

      This seems more like crime prevention. One would hope that the prevention of a crime, especially without causing harm, would be considered a duty.

      I would like to say "good work" to the
  • by pg110404 (836120) on Thursday May 26, 2005 @11:46PM (#12651993)
    Here I am, minding my own business, trying to protect people by setting up a very similar web site to their bank so I can "store" their credit card numbers for them, and some jackass goes and defaces my web site.

    I never felt so insulted in all my life. Well, then. If that's people's gratitude, I'll just stop that and if they lose their credit cards, they're on their own.

"Bureaucracy is the enemy of innovation." -- Mark Shepherd, former President and CEO of Texas Instruments

Working...