The Vigilante in the Kitchen
An Indiana housewife takes down Nigerian con artists.
By Josh Rosenblum
IN THE SUMMER OF 2004, Cecilia Fischer received an e-mail with a tempting offer. The sender claimed to be the lawyer for a millionaire who had died without heirs, and if she would stand in as the deceased's next of kin and help obtain the money, the lawyer would split the estate with her. She needed only to provide her bank account information to close the deal. Suspecting a scam, Fischer forwarded the e-mail to her relatives, including her niece, Susan Williams. The appeal led the 28-year-old Williams to join one of the world's most effective scam-fighting operations.
Had Fischer sent the requested information, the lawyer would likely have drained her bank account or asked for hundreds or thousands of dollars at a time to cover a string of supposed costs, like taxes on the estate or bribes for officials. The inheritance, odds are, would never have materialized. So-called 419 scams like the one foisted on Fischer gross hundreds of millions of dollars a year, and, since 1994, have led to more than 15 murders committed by criminals and by victims seeking revenge. In 2003, for example, a 72-year-old retired doctor, who lost more than $500,000 to con men posing as Nigerian businessmen, shot dead a Nigerian diplomat in Prague. The diplomat had nothing to do with the scam.
Williams's response was less bloody, but it may be no more legal. She joined Artists Against 419, an organization whose aim is to shut down, or "kill," fraudulent websites that help hucksters gain a mark's trust. The group of volunteers has notched more than 5,000 kills in about a year and a half of operation. Williams's count stands at over 50, which she has executed from her home in southwestern Indiana after putting her two toddlers to bed. For tough cases, she draws on powerful types of software known as vampires and marauders to terminate offending sites. The work, which Williams describes as a "pretty fun hobby," requires no special technical knowledge on her part; she just loads a web page onto her browser or clicks an icon on her desktop.
SINCE 2000, REPORTS OF ONLINE FRAUD to the Internet Crime Complaint Center, run by the FBI and a federally funded non-profit, have jumped by at least 50 percent a year, topping more than 200,000 in 2004. (The IC3 estimates that number represents only a tenth of the fraud committed, since many victims are ashamed to admit that they were duped.) Most complaints are small (a $200 purse purchased on eBay but never delivered, for example), and close to 80 percent of the perpetrators reside in the United States. The kind of fraud that targeted Fischer stands out in the IC3's reports, however, because a typical victim of this particular scheme loses $3,000, and because it's the only kind of con that the IC3 names after the country hosting most of the perpetrators: Nigerian letter fraud.
The story lines vary (sometimes the sequestered funds come from fake lotteries, other times, from real-estate deals), but Nigerian letter fraud is estimated to comprise the West African nation's third-largest industry after oil production and agriculture. It is named after section 419, which deals with fraud, in the Nigerian criminal code. The United States Secret Service has reportedly posted agents in the Nigerian capital to fight the scams, but with scant success. In the second half of 2005, there were at least three new variants, which played off the London subway bombings and Hurricane Katrina.
Like other shady Internet businesses, 419 frauds are cheap to run and hard to stop. Scammers erect websites quickly and anonymously and send out thousands of e-mails. The scammer, website, and marks are usually located in three different countries, which makes for a perfect, and often unprosecutable, crime. As Susan Brenner, a law professor and expert on cybercrime at the University of Dayton School of Law, put it, "The law can't do anything about this."
A group of activists known as scambaiters has stepped in where the law rarely treads. A baiter replies to a solicitation and then leads the con artist on with improbable reasons regarding why he's not quite ready to send money. One baiter won plaudits by claiming to be a member of the (made-up) Holy Church of the Order of the Red Breast and saying that he couldn't send money until the scammer converted to the church by painting his breast red, and by sending along photos to prove it.
Williams prefers aa419's approach. The centerpiece of the group's efforts is a database of nearly 6,000 bank websites that it has identified as fronts for fraud. The group identifies sites at a rate of 5 to 10 per day, from its own searches and through submissions from victims and scambaiters. The 400-plus volunteers of aa419, who favor nicknames like "fake vampire" and "babe_in_muguland," use the database to identify the Internet Service Provider hosting a suspect website and then to send a complaint. Ninety percent of the time, the ISP investigates and voluntarily takes down the site. Many ISPs have even established direct links with aa419. Members also work with law enforcement to lock up scammers; according to aa419, about 50 have been arrested so far.
When an ISP doesn't cooperate, however, things get more interesting. ISPs pay to transmit information over the Internet, so to protect their profits on websites they host, they cap how many web pages, graphics, and audio files that a website can send out. Once that allotted "bandwidth" is consumed, the website, while technically online, will no longer be available to users. For the cheap websites favored by scammers, that limit may be 50 megabytes, less than a tenth of a CD-ROM's worth of data. Members of aa419 can rapidly exhaust that bandwidth, often in less than an hour.
To help its members complete their missions, aa419 offers a webpage called the Lad Vampire and a downloadable application called the Mugu Marauder. When a user loads the Vampire page onto his browser or runs the Marauder application on his PC, the tools suck bandwidth from a roster of targeted sites by repeatedly requesting images from them. The group says that in 2005 it drained more than 100 terabytes of data, the equivalent of retrieving the Library of Congress's entire print collection if it were digitized five times over. aa419 also organizes "flashmobs" several times a year. During a flashmob, as many aa419 volunteers as possible gather online, and they use those tools to target a few fake bank websites. The mobs have destroyed 130 fake banks since 2003.
Legal scholars like Brenner, while sympathetic to aa419's aims and supportive of their more peaceable efforts, find these aggressive techniques akin to attacks known as "denials of service," or DoS, which are illegal. Federal law prohibits anyone from sending a command to another computer with the intent of causing harm, and DoSes definitely aim to do damage. In an attack, the aggressor typically sends a garbled request that crashes the server or floods a website with so many requests that the server can't respond in a timely manner to legitimate users' requests. In 2000, a Canadian teenager known as Mafiaboy hacked into about 50 computers and then used them as "zombies" to launch a DoS attack that shut down the websites of eBay, Yahoo!, CNN, and Amazon.com; he was sentenced to eight months of detention.
Members of aa419 agree that DoS attacks should be prosecuted. When their own site was under attack last April, one of the group's founders, who goes by the name "Lord Vader," called in the South African police. But if DoS hackers should be prosecuted, what about Williams and her colleagues? She insisted that their methods differ because of what she termed a "technicality": They don't use "zombies" or aim to crash web servers, and they back off when downloading makes a site slow down too much. It's unclear whether this is a meaningful distinction.