
Drowning Phishing Scams?

In his latest weekly column, Robert Cringely outlines a plan to make phishing, the practice of stealing personal information by sending fake emails, much less profitable. He suggests that people who notice phishing emails should go to the websites linked in the messages and enter false information, thereby increasing the signal-to-noise ratio of the data gathered by the criminals behind the emails, who are known as phishers (and not, alas, phishermen). If the phishers have to sift through dozens of pieces of false login information in order to find valid data, Cringely thinks, they will give up scamming people in favor of getting a real job.

The idea is neither particularly innovative (the organization Artists Against 419 uses a similar technique, the repeated loading of images, to attack 419 fraud websites) nor effective. Cringely's idea would work if it were widely implemented, but it plays to phishing's strengths instead of its weaknesses. Phishing is both highly dangerous and successful because the email messages spoof official account notification emails. While discerning users can tell the difference, many unsuspecting people enter their information on these websites. Cringely's idea might make it harder for phishers to organize their data, but the fact remains that some of the information they collected would be valid. Considering that spamming remains a problem despite considerable technological obstacles, the introduction of a few false records into a phisher's information store would not be enough to dissuade them.

Many of the recent phishing messages that I have received have directed me to websites hosted on servers that I am fairly certain have been compromised by malicious hackers. The most recent message I received, claiming to be an account suspension notice from eBay (sent to my FAS email account, which is not and has never been associated with an eBay account), redirected to a page hosted on the same server as this South Korean middle school. Since the people who would enter false information into a phishing website are technically adept enough to realize that the message was a scam, it would not be too much of a stretch for them to forward the message (with full headers, of course) to the bank or organization that the phisher claims to represent (eBay, for example, allows you to forward suspicious messages through its Security Center). This gets the phishing website removed from the Internet, cutting off the phisher's source of information and income far more permanently than entering false information would, and forcing the phisher either to find new webspace or to give up. This is by no means a perfect solution, because there is no simple answer that will stop phishing. Educating users to recognize fraudulent email messages will help, as will applications like the Netcraft Toolbar.
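The report the post recommends needs two things from a suspicious message: its full headers (the Received chain that shows where it actually came from) and the hosts that its links really point to, which is also the quickest way to tell a spoofed notification from a genuine one. The following script is an added example, not code from the original post, that extracts both from a raw message using only the Python standard library. The message it parses is a constructed sample (reserved example domains and documentation IP addresses), and the function names are my own.

```python
# Added example: pull the Received chain and the link targets out of a raw
# e-mail so they can be included in an abuse report. Sample data below is
# constructed; the domains and addresses are reserved for documentation.
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "account suspended" notice. The visible text
# names the claimed sender, but the login link points at an unrelated host.
SAMPLE_RAW = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.edu with ESMTP id abc123; Mon, 13 Jun 2005 22:01:03 -0400
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mail.example.net with SMTP; Mon, 13 Jun 2005 21:59:40 -0400
From: "Auction Site Support" <support@auction-site.example>
To: someone@example.edu
Subject: Your account has been suspended
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Please <a href="http://203.0.113.9/school/~www/login.htm">click here</a>
to restore your account at <a href="http://auction-site.example/">auction-site.example</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href"), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def parse_message(raw):
    """Parse a raw RFC 5322 message with the modern (structured header) policy."""
    return email.message_from_string(raw, policy=policy.default)


def received_chain(msg):
    """Received headers in delivery order (oldest hop first), whitespace normalized."""
    hops = msg.get_all("Received", [])
    return [" ".join(hop.split()) for hop in reversed(hops)]


def sender_domain(msg):
    """Domain of the first From: address, i.e. who the message claims to be from."""
    return msg["From"].addresses[0].addr_spec.rpartition("@")[2].lower()


def extract_links(msg):
    """All anchors in the HTML (or plain) body as (href, visible text)."""
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content())
    return collector.links


def suspicious_links(msg):
    """Links whose host is neither the claimed sender domain nor a subdomain of it."""
    domain = sender_domain(msg)
    flagged = []
    for href, text in extract_links(msg):
        host = (urlparse(href).hostname or "").lower()
        if host != domain and not host.endswith("." + domain):
            flagged.append((href, host, text))
    return flagged


def build_report(msg):
    """Plain-text summary to send alongside the original message with full headers."""
    lines = ["Claimed sender domain: " + sender_domain(msg),
             "Received chain (oldest first):"]
    lines += ["  " + hop for hop in received_chain(msg)]
    lines.append("Links pointing away from the claimed sender:")
    lines += [f"  {href}  (host {host}, shown as '{text}')"
              for href, host, text in suspicious_links(msg)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report(parse_message(SAMPLE_RAW)))
```

The oldest Received hop is the one nearest the real origin, which is why the chain is reversed before printing; the hops a recipient's own mail servers add on the way in are the trustworthy ones, and anything earlier can be forged. The link check deliberately keeps links to the claimed sender's own domain out of the flagged list, so a genuine notification produces an empty report.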


2 Comments

Comment by Chris
2005-06-13 23:16:45

So would it be unethical to write a robot that took all of my daily phishing attempts as inputs and went and filled in data on their forms with random (though not obviously random) information? If each recipient filled out the form, that's some noise, but if a robot fills it out 10,000 times per day, that really ups the noise ratio. Of course they'll start filtering by IP address or range, but there are ways around that too.

It's really bad that I'm to the point of even considering DoS attacks and the like against spammers, phishers and other con artists.

Comment by Martey
2005-06-13 23:27:16

I would not think it was unethical, but it would be difficult to automate "drowning" phishers while still retaining a high degree of effectiveness. If your robot is coming from the same IP address, it will be relatively easy for the phisher to ignore the 10,000 pieces of data that you have submitted. If you used proxies, it might work. If you do go this route, it would be cool if you released your code under the GPL or another permissive license, so that others could benefit.

I would discourage DoS attacks on spammers and phishers. Even if it was not illegal, in some cases it would be immoral. Spammers and phishers are increasingly using other people's websites and computers to commit their crimes. If I had DoSed the phishing website I described in my post, the South Korean middle school students would have suffered.

Then again, the phishing website is still live at this time, even though I contacted both the website administrator and eBay.
