Bombarding Phishing Websites?

heepbigchief asked 2 years ago

I was wondering if there would be anything wrong with bombarding a phishing website with gibberish as a user name and password?

It's quite unlikely that they will complain and say, "Here is a list of the IP addresses that are fake logging into my fake bank website."

Just imagine if the addresses of the phishing websites were updated in one location regularly by gleaning them from spam emails and if millions of people filled out the user name and password with gibberish.

Maybe even automate it. It would be even better if the phishing website had no length protocols on user names and passwords.

With millions of people doing this against the site their storage could be blown out really good and the phisher would have to pick through millions of entries just to get one they could use. Maybe even take the site down for using up all its bandwidth or hitting data limits or web space limit.

With millions of people doing this it would set off the alarm bells with the phishing website's host or ISP that otherwise may not be aware that they are inadvertently hosting a phishing website.

With millions of people doing this it would be similar to a DDoS attack and the site would be less available to the general public who are at risk of being tricked.

There are all kinds of advantages to be had, but would there be anything wrong with the practice?

On the lighter side, I remember a blog entry from many years ago about a guy who knew that phishers see the user name and password side by side, like a text file or in a list, so between the user name and password he liked to leave them messages about how they have been reported to the cops and that they are on the way over there and the like.

3 Answers
wimiadmin Staff answered 2 years ago

I like your idea.

However, that makes us no better than them... BUT, since they're not going away and most of the time their sites are taken down as soon as the company they're trying to mimic contacts the Registrar to lock their domain name up. However, in between going live and being taken down, they possibly are collecting real username/password combos.

First and foremost, education of internet users is of the utmost importance and explaining to them to look at the destination URL and not the anchor text of the link. Secondly, IE, Firefox, and other browsers are starting to prevent you from going to these domains or at least warning you about them.

Finally, there would need to be one central location where these sites are reported. As soon as the central agency verifies the report, they would start the script and continue to run it from various IP addresses until the site has been taken down. If that doesn't stop the phishers, it would certainly put a damper on their simplified scheme.

Something to ponder.

Dennie Masser answered 2 years ago

I believe it would make us just as bad as them. Wrong is wrong even if it is for a good reason.

Rob Vargas Staff answered 2 years ago

A crime is a crime, even for a good cause. It's not like we're saving lives here, and that's pretty much the only situation where an action that is otherwise a crime (hurting or killing someone) is OK. It varies from state to state in the USA and from country to country around the world, but submitting false information can be considered a form of fraud.

And what if you accidentally do this on a legitimate site?
