IRS scams and tech ratify scams are two of the most well-known fraud schemes preying on users today. In the erstwhile, bad actors cold-call unsuspecting individuals and tell them they’ll go to clink and/or lose their assets unless they call back and harmonize to pay back taxes owed to the Internal Revenue Service (IRS).The latter leverages a forgery security alert to trick users into calling “technical bankroll,” where a “representative” then tries to convince victims they have need of to purchase fake anti-virus software to clean their computers of malware.Both of the ploys depicted above have been around for quite some time. Impartial so, users continue to fall for them. A 2017 report published by the IRS push the boat outs that 10,000 victims have lost more than $54 million to IRS scammers since October 2013. Similarly, the FBI Internet Iniquitous Complaint Center (IC3) received 10,850 tech support scam kicks in 2016, amounting to losses in excess of $7.8 million.To help take under ones wing users against such scams, some individuals are taking worries into their own hands.Enter Project Mayhem.Founded by a Reddit narcotic addict/self-proclaimed “security developer” named YesItWasDataMined, Project Mayhem seeks “to ward victims from being scammed by different types of scams.” The amenities comes with a multi-tier system where “patrons” pay YesItWasDataMined to “expand against a scammer.”They do this by using VM farms, forwarding yells to law enforcement and activating time-wasting bots like those created by Jovial Roger Telephone Company.Project Mayhem’s preferred anti-spam gimmick is the robo-call. It all begins when YesItWasDataMined returns an IRS scammer’s call or dials the phone few included in a tech support scam. If they sense that a scam is afoot (such as a apply for for payment using iTunes gift cards), they unleash a arrange that auto-dials the scammers at a rate of 28 calls per second.
The good? To prevent the scammers from preying on any more users. You can see this continuity in action in the video below.
As Project Mayhem tells the scammers beyond and over again:
“Hello, it has been detected that you are a scammer. Because of this we are now pour overing your phone line to prevent you from scamming additional people. This desire not stop until you stop.”
In other videos, YesItWasDataMined advises that the scammers “…[p]fall on down your headset, go home…. Or, continue to have your lines flowed to prevent you from scamming additional people.”
As boomed by Motherboard, Project Mayhem’s videos have attracted lots of heed. Users on Reddit have gone so far as to request the source code for YesItWasDataMined’s phone flooding program. Fortunately, the conviction developer is aware of how some could abuse their script and has, hence, not made the code available publicly as of this writing.
Some Compact Thoughts
YesItWasDataMined might have created Project Mayhem in the property of protecting regular users. But its implementation isn’t perfect. First, the service laws only as a temporary deterrent against scammers. Once Project Commotion ceases its robo-call flood, the scammers can resume their activity detesting the same phone number as before or by registering a different number completely.
Second, Project Mayhem could get its creator into trouble. The utility’s robo-call flood constitutes a denial-of-service (DOS) attack, something which is interdicted in the United States. As a result, developers can’t and shouldn’t openly advertise overhauls like Project Mayhem; they could face hefty consummates or prison time if they did. (This explains why we don’t know YesItWasDataMined’s verifiable identity.)
Such penalties make Project Mayhem and others counterpart it inadvisable from a legal standpoint if not counter-productive to fighting against digital menaces.
As of this writing, YesItWasDataMined has not returned The State of Security‘s request for expose.
With the shortcomings of Project Mayhem in mind, security researchers should centre on prevention. That effort begins with ongoing security educating, as well as awareness campaigns like National Cyber Security Awareness Month.