InfoSec Blog - Retaliation

Kickboxer

October 28, 2019

Take this, you scammer!

It’s sooo tempting.  You get a scam or phishing message, and you want to get the scammer back in some way. So you write a snarky response, or you try to waste their time, or get some of their money. Or you’ve installed a personal firewall on your workstation, and you see attacks on your workstation from distant nations.  You muse about getting back at them.  Maybe you contemplate a denial of service (*) attack on them, or setting up a honey pot (*).  There’s a whole cottage industry dedicated to retaliation against scammers (just search for “scamming the scammers” in your favourite search engine), including some scams on how to make money scamming scammers - smh!  Some people have gotten a few moments of internet fame by getting their story published. 

This of course is retaliation.  Someone has done something (admittedly) unfair to you, and your natural response is to do something back, even if it is just to send a message that you were annoyed.  You don’t intend for your retaliation to escalate; you just want an outlet for your (understandable) frustration. In general, retaliation, or its cousin, revenge, is not an advisable or effective strategy. It doesn’t make a conscientious person feel better in the long run, and it seldom changes the offender’s behaviour.  In the information security realm, there are additional reasons to resist the temptation to strike back, to retaliate, to seek revenge. Here are just a few:

  • You are likely retaliating against someone who is a victim themselves: their machine was hacked and is being used as a proxy, so the traffic you see comes from them, not from the attacker. Or it is an unwitting person under pressure of extreme poverty who believes this to be a legitimate job.
  • Your target is likely no longer reachable by the time you retaliate. Scam infrastructure is often very short-lived, moves rapidly from host to host, or is set up one-way (spoofed sender addresses, throwaway mail accounts, or relays that send but never accept a reply), so there is nothing at the other end to hit.
  • Many forms of retaliation (flooding a host, probing or breaking into it) are against the law in your country, and may be prosecuted more readily here than in the country of origin of the attack.
  • Most scams are perpetrated by well-funded, resourceful criminal organizations. If your retaliation attempt is successful enough to draw their attention, you may be the victim of extreme escalation on their part.  Some may even have nation-state sanction, and you may not want to tangle with those.
  • As we wrote back in 2017 (https://www.uoguelph.ca/ccs/infosec/whichsideareyouon), you are an important part of the defense, and there are a number of important things you can do.

Your best course of action is to report the incident to Information Security. We can provide you with advice pertinent to your circumstance, identify patterns of security violations, and if needed work with law enforcement or Public Service Canada to follow up on egregious or extraordinary incidents.  We do feel your pain. On any given day, 98% of the mail arriving from the internet for delivery to the UofG is discarded because it is a known spam/scam/phishing attempt.  In any month we see almost 10 billion network events, of which as many as 1.7 billion are classified as undesirable events. 


Written by: Gerrit Bos, Information Security Officer

(*) A “Denial of Service” (DoS, or DDoS when the traffic comes from many machines at once) is a volume attack that floods a service with requests to make it unavailable, without breaking into it. A “Honey Pot” is a pretend service designed to attract hackers or scammers so their activity can be observed and recorded.