VSJ – November 2006 – Work in Progress

Robin Jones ponders his own back and how to get it.

A little while ago, the estimable ‘Backbytes’ column in Computing ran a series of pieces aimed at fighting – or at least revenging oneself upon – the junk fax brigade. As one who is occasionally woken at 3 a.m. by the telephone emitting a series of bleeps until it is transferred to the fax (and it’s no good simply slamming the phone down; the fax software assumes there’s a fault and sends it again), I was particularly interested.

As an aside, I’ve never understood the marketing value of the junk fax. I do not buy anything from people who use my consumables to advertise to me (especially in the middle of the night) and who ignore the fact that the number they are dialling is on the Fax Preference Service database. I can’t imagine there are many people who do.

Anyway, Backbytes reported some entertaining options, such as sending back a number of blank pages with the originator telephone number deleted, so that it looks like the receiving fax machine is malfunctioning. The hope is that the junk peddler calls a maintenance engineer and incurs an unnecessary call-out charge.

At about the same time (or, come to think of it, anytime really) various security gurus were quoted in the press as urging the Government to do more (i.e. pass further unenforceable legislation) to combat spam in general and phishing in particular. Now, as you’ve probably noticed, governments do pass laws but it usually takes them a while and whether the legislation addresses the original concern appears to be not far from random.

So it occurred to me that there might be strategies that Joe Public could apply to phishermen in the same vein as Backbytes’ fax revenge procedures. Once you start to think about individuals getting their own back, instead of governments protecting us, various fertile avenues open up. For example, you receive an email asking you to confirm password and account details from your ‘bank’. Most people respond, understandably, by deleting it. A tiny percentage provides the requested information via the spoof Web site to which they are directed, which is what the phisherman counts on. Suppose we all provided it or, more precisely, spurious data that looked reasonable? Now our phishing friend has a problem. He has hundreds of thousands of returns of which a handful might be kosher. He can’t automate the search because most of the data he’s netting is, by definition, not algorithmic in nature. The one exception to this is the bank account number, which probably has a mod 11 or 19 checksum. Now, of course, Joe Public doesn’t know about them. So, to make this work effectively, we need some enterprising developer to write a Phishing Response Generator, as a browser (and, to cover all the bases, email client) plug-in.
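The column's one technical point is that, of everything a phishing form harvests, only the bank account number can be checked mechanically, via a check digit. The following added example (not code from the column or from any real Phishing Response Generator) shows why that matters: it implements a weighted mod-11 check digit and measures how often random digit strings pass it. The weighting used is the ISBN-10 scheme, chosen as a stand-in because the column does not say which mod-11 variant a given bank applies; real account-number validation differs per bank and sort code.

```python
"""Mod-11 check digit demonstration (added example, not from the column).

Weighting is ISBN-10 style (assumption): digits d1..dn are multiplied by
n+1, n, ..., 2 and the check digit makes the total divisible by 11.
A remainder of 10 is written as 'X', as ISBN-10 does.
"""
import random


def mod11_check_digit(body: str) -> str:
    """Compute the mod-11 check digit for a string of decimal digits."""
    if not body or not body.isdigit():
        raise ValueError("body must be one or more decimal digits")
    n = len(body)
    # Weights run from n+1 down to 2, left to right.
    total = sum(int(d) * w for d, w in zip(body, range(n + 1, 1, -1)))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def mod11_valid(number: str) -> bool:
    """True if the last character is the correct mod-11 check digit."""
    if len(number) < 2:
        return False
    body, check = number[:-1], number[-1]
    if not body.isdigit() or check not in "0123456789X":
        return False
    return mod11_check_digit(body) == check


def fraction_passing(sample_size: int, length: int, seed: int = 1) -> float:
    """Fraction of random all-digit strings of the given length that pass.

    This is what a phisher filtering on the checksum would keep: roughly
    1 in 11, since a random final digit matches the required check digit
    about one time in ten and the 'X' case can never be hit by a digit.
    """
    rng = random.Random(seed)  # seeded so the result is reproducible
    passed = 0
    for _ in range(sample_size):
        candidate = "".join(rng.choice("0123456789") for _ in range(length))
        if mod11_valid(candidate):
            passed += 1
    return passed / sample_size


if __name__ == "__main__":
    # ISBN-10 0-306-40615-2 is a well-known valid example of this weighting.
    print(mod11_check_digit("030640615"))       # 2
    print(mod11_valid("0306406152"))           # True
    print(mod11_valid("0306406153"))           # False
    print(round(fraction_passing(2000, 8), 3))  # about 0.09
```

The lesson for the column's scheme is that garbage which ignores the check digit is cheap for the recipient to discard: about ten returns in eleven fall at this step before any human looks at them. Any response-flooding idea, and equally any detection rule looking for such flooding, has to account for the fields that are algorithmic.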

The attraction of this strategy is threefold. First, it involves absolutely no government action. Second, it helps protect people who don’t even know they need protecting by hiding their valid responses in a welter of garbage. Third, it gives users a warm feeling inside that they are helping to make phishing a less lucrative pastime than hitherto and so deterring further similar exploits.

Of course, cyber-criminals will simply turn their attentions to other scams. But that’s OK. Once we start thinking about using the entire online community to attack them rather than simply defending ourselves as individuals with firewalls, antiviral tools and so on, any given scam has a severely curtailed lifecycle. By ourselves we can’t do much. But there are a lot more of us, by which I mean honest cyber-citizens, than them. And just as they rely on the Internet’s ability to communicate with half the people on the planet, so can we. I think I just invented the concept of the White Knight Bot.

[Interesting project or development? Let us know at eo@iap.org.uk!]
