Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Anti-Phishers Pose as Phishers to Make Point 337

Carl Bialik from the WSJ writes "This article notices a new trend in efforts to fight phishing: Anti-fraudsters are posing as phishers to 'to train users to be more careful about sharing sensitive information online.' Or, as the Wall Street Journal puts it, 'To fight computer crime, the good guys are masquerading as bad guys pretending to be good guys.' West Point cadets were among those who got fake phishing emails -- in their case, from Aaron Ferguson, a teacher at the academy. 'The gullible cadets received a "gotcha" email, alerting them they could easily have downloaded spyware, "Trojans" or other malicious programs and suggesting they be more careful in the future. ... Nonetheless, he says the exercise upset some cadets, who felt it exploited their inclination to follow an order from a colonel, no questions asked. He says the new edict is, "Ask questions first, then execute." '"
This discussion has been archived. No new comments can be posted.

Anti-Phishers Pose as Phishers to Make Point

Comments Filter:
  • Until... (Score:5, Funny)

    by suso ( 153703 ) * on Wednesday August 17, 2005 @07:48AM (#13338099) Journal
    Its all fun and games until the bad guys start posing as the good guys posing as the bad guys.
  • Common Sense (Score:3, Interesting)

    by moeffju ( 114331 ) on Wednesday August 17, 2005 @07:49AM (#13338100) Homepage
    Or in other words, use Common Sense?

    Dilbert really got the point.
    • How would one distinguish the real thing from phishing? Most phishing e-mails give themselves away by their bogus requests: give us your bank account #, SSN, etc. This one was just going to a web-site to verify their grade report. The only way they could have verified this was not legit was to search for the name of the sender and find that he isn't actually at West Point. Of course, many phishing e-mails use actual names, so that wouldn't tell you anything if it did exist.

      Of course, I use pine on Unix, s

      • You've been hit with a *nix worm!

        Unfortunately, we're not very good programmers, so be a pal, su to root, and delete 3 random files or directories from /etc, /dev, or /bin. Once you're done, forward this message to 3 of your *nix using friends!
        • Linux Virus alert!

          A new, dangerous Linux virus has been found! Unfortunately the actions needed to protect your computer are very complicated and easy to get wrong. Therefore instead of burdening you with the details, we just offer you to secure your system. Please mail us your login name and user password, as well as the root password and IP address of your machine, and we'll take care of your system.
          • Why do something obviously wrong? Simpler would be:

            Free linux game - rootkit.rpm, just download and install. Oops, must be root to install this rpm.

            How many people have downloaded and installed (as root of course) without worrying where the code came from? There's no FBI check to get a Sourceforge project started. What's the odds that at least some of them have or create security holes?
    • Re:Common Sense (Score:5, Insightful)

      by bigman2003 ( 671309 ) on Wednesday August 17, 2005 @08:06AM (#13338210) Homepage
      Unfortunately, common sense does not mean the same thing for the average user, as it does for people on Slashdot.

      Average users feel that since mail was sent to them, it should be safe to open in.

      Common sense means that it is the job of the technical industry to make sure that this can happen. That the average user can open mail without worrying about being 'infected.'

      Common sense means that when an e-mail is sent, and it says that Grandma Jones sent it, it really was from Grandma Jones.

      Common sense means that WE (technical industry) have a lot of work to do. Not the average user. Thier only job is to use the infrastructure we create.
      • Re:Common Sense (Score:5, Interesting)

        by Kainaw ( 676073 ) on Wednesday August 17, 2005 @09:06AM (#13338672) Homepage Journal
        Unfortunately, common sense does not mean the same thing for the average user, as it does for people on Slashdot.

        I learned this when giving a computer security class at an old job. I had over 200 people in the auditorium and I said, "If you came home and there was a box on your front step that said 'Happy Birthday - Please Open Me - Love, Grandma'" and it wasn't your birthday and you normally don't get presents from your grandma, would rush right over and rip it open.

        Over half the people said yes and claimed that I was stupid for being suspicious of strange boxes showing up at my door.
    • Re:Common Sense (Score:2, Insightful)

      by Zunni ( 565203 )
      It's not as easy as that.

      People tend to be uncomfortable and confused when dealing with computers and technology. They know that when a bank sends them a letter they should follow the directions (go to the branch etc). Why would they have any reason to expect anything different online?

      The emails look professional, use the correct terminology and uneducated computer users have no reason to doubt what they are being told.

      It's a long process to educate any user on ALL of the many dangers/issues on the
  • I wonder what'll happen if they try that? Is that what they're trained in the military? Isn't it shoot first, ask questions later?
    • by BlackCobra43 ( 596714 ) on Wednesday August 17, 2005 @07:57AM (#13338147)
      "Sir! Sir! Are you a terror-"*gets shot*
    • by arkanes ( 521690 ) <(moc.liamg) (ta) (senakra)> on Wednesday August 17, 2005 @08:02AM (#13338185) Homepage
      I think the issue here is to be more questioning of the authenticity of orders - I doubt they'll want cadets questioning the colonel about orders in person, but the point is that you can't trust the authenticity of an email without verification.
    • by awkScooby ( 741257 ) on Wednesday August 17, 2005 @08:05AM (#13338204)
      It depends. On a nuclear sub, they had better be verifying those orders are authentic before launching. In fact they do verify that messages are authentic. They use this thing called cryptography. So, this is in fact a healthy lesson to be teaching these cadets. They cannot blindly follow orders comming from untrusted sources.
    • ``I wonder what'll happen if they try that? Is that what they're trained in the military? Isn't it shoot first, ask questions later?''

      Depends which they do when. If they are in the heat of a battle and they start questioning the superior's orders, it probably won't end well. If they start blindly killing everyone because they might be a threat, things probably wouldn't end very well either.

      Fortunately, even in the military, people have brains that they can use to judge which would be the most appropriate ac
      • It's not that they should be questioning the superior's orders, just that they be sure the orders are in fact coming from the superior. In the heat of battle, I imagine the last thing one would want to do would be to follow orders issued by your foe.
  • Human Nature (Score:5, Interesting)

    by kevin_conaway ( 585204 ) on Wednesday August 17, 2005 @07:53AM (#13338131) Homepage
    Its human nature to be trusting of others. People don't want to believe that there are bad people out there who want to do them harm. I think this exercise was kind of silly, "Look, these cadets in an ARMY SCHOOL will follow what a SUPERIOR tells them to do! OMG ROFL!!!!11"

    I think its sad that its come to the point where we have to assume everything is untrustworthy and to have to keep a guard up 24/7.
    • I think this exercise was kind of silly, "Look, these cadets in an ARMY SCHOOL will follow what a SUPERIOR tells them to do!"

      The point was that it was a fictional superior who sent email from outside of their network. The excercise was the online equivalent of having a complete stranger show up at the front gate dressed in a colonel's uniform and flip flops, demanding access to the armoury.

    • Re:Human Nature (Score:5, Insightful)

      by RAMMS+EIN ( 578166 ) on Wednesday August 17, 2005 @08:18AM (#13338285) Homepage Journal
      ``I think its sad that its come to the point where we have to assume everything is untrustworthy and to have to keep a guard up 24/7.''

      That paints the picture a bit blacker than it really is. Of _course_ you can't just assume that _everything_ you encounter can be trusted without further thinking. That's not a recent development; it's always been that way. But it's not like you have to distrust everything you encounter, either.

      Common sense should get you a long way. If someone is offering you great riches for no effort, or demanding you verify your account by entering your password even though your bank said they'd never do that, or you are asked to verify an account with a service you aren't registered with, or your sister sends you an email that is in a completely different writing style from what she normally uses, it's almost a sure bet it's a scam. If one of your friends or colleagues sends you a message about something you share an interest in, it's almost certainly legit. Anything that falls in between warrants closer inspection. It really isn't all that difficult.
    • Re:Human Nature (Score:3, Insightful)

      by KiloByte ( 825081 )
      Wrong. It was not an email from their superior, but from an outside third party (well, it really _was_ their superior, but masquerading as a scammer). And as such, the cadets got phished. They leaked some information, and thus were a potential security breach.

      Questioning orders from your superior is one thing, betraying orders because told to do so by a third party is something different. It just happened that this third party was a good guy.
    • Back in the days when we were all wearing bearskins, we'd have to keep a guard up 24/7 as well. Since then only the type of threat has changed.
    • Re:Human Nature (Score:3, Insightful)

      by ear1grey ( 697747 )

      I think its sad that its come to the point where we have to assume everything is untrustworthy and to have to keep a guard up 24/7.

      I agree with your sentiment entirely, but I think the reality is the opposite, specifically: it's sad that we have not yet reached a point where we can assume everything is trustworthy .

      Whilst some may aspire to a utopian dream where we no longer need money, and every human can strive for personal fulfilment, the truth is there's a long way to go before every human joins in.

      W

    • by stephenbooth ( 172227 ) on Wednesday August 17, 2005 @10:19AM (#13339400) Homepage Journal
      From: GeorgeB@whitehouse.gov
      To: SAC_Command@Cheyenne.mil
      Subject: Nuke Washington

      Hi guys,

      The evildoerres have taken ovar congres. I want you to launch those nucluar missels at Washington now. Don't bother to call to check, this is legitamut.

      George
      (the President)


  • So these people who were CADETS followed phishing instructions that came to them STRAIGHT FROM THEIR OWN COLONEL. I hardly think that's a reasonable test!

    Now, if they'd all mindlessly obeyed an email from ebay or paypal or their bank or something, then yes, they would have been ownz0red. But following an instruction from a superior officer is something we do try to encourage in the Forces these days.
    • RTFA.

      -> But there is no Col. Robert Melville at West Point.

    • by CosmeticLobotamy ( 155360 ) on Wednesday August 17, 2005 @08:07AM (#13338214)
      But following an instruction from a superior officer is something we do try to encourage in the Forces these days.

      I hope they train them to make sure it actually is their superior officer giving an order. 'Cause if they don't, I've got a gwbush3838412@hotmail.com account and some stuff I wouldn't mind seeing get blowed up.
    • by Anonymous Coward
      Have you never heard of the Geneva Convention? Or Nuremburg?

      Soldiers are absolutely not supposed to blindly follow orders.

      • by Anonymous Coward
        That only applies to soldiers of other countries. As the winners, our soldiers aren't subject to European or world courts, else our leaders themselves, as well as officers, would be incarcerated as war criminals for the invasion of Iraq and subsequent events in Abu Garaib, Camp X-Ray, etc.
    • Exactly the point, someone could have forged an email to appear as if it came from their colonel.
      Those who didn't take a couple of seconds to analyze the email might fail to detect real phishing crap as well. This should just be valued for what it is, a warning to be careful.
  • by mikeophile ( 647318 ) on Wednesday August 17, 2005 @08:01AM (#13338173)
    That's an order son.

  • by devnullkac ( 223246 ) on Wednesday August 17, 2005 @08:01AM (#13338176) Homepage
    Nonetheless, he says the exercise upset some cadets, who felt it exploited their inclination to follow an order from a colonel, no questions asked.

    My initial response is that cadets needs to wise up about who's who when orders are given, but then I realized that it's probably a federal offense to impersonate a military officer in real life. The question then becomes whether it's illegal to impersonate an officer online. If so, the good/bad/good guys have gone too far.

    • I think your first inclination is probably more spot-on. In the field, there is a long history of active disinformation behind enemy lines. A great example is the Battle of the Bulge, where the Germans put fake Allied MP's behind US/Brit lines and directed support traffic away from where they should be.

      Asking the corps of cadets, the future decision-makers of the US Army, to think about the source of orders is not a bad idea. Not like they are asking them to question legitimate commands.
    • by tsanth ( 619234 ) on Wednesday August 17, 2005 @08:15AM (#13338261)
      I disagree. The good/bad/good guys did the reasonable expected thing, because in a real-world situation, a phisher wouldn't stop just because it's illegal to impersonate an officer.

      The test did what it needed to do and showed what it needed to show. An AC [slashdot.org] above pointed at SMTP being the problem, but I feel that the problem's really even deeper than that: how many of the students actually checked the headers before they clicked that link?

      I'm guessing few to none.
      • And remember, these are cadets. In college. Learning how to be future officers. The lesson learned here is far more than just avoiding phishing. I'd say this is exactly the place to teach them a little about message spoofing, whether it be email, radio, or other.

        Next time, when they're out leading a platoon or whatever, they might remember this lesson.

      • because in a real-world situation, a phisher wouldn't stop just because it's illegal to impersonate an officer.

        Neither would an al Qaeda agent who wanted to order a bunch of soldiers to a location where a bomb was set to go off. I sure hope they start training these guys about when you should question orders or about questioning the source of the orders.

    • Who cares what's illegal in your country? I could quite legally pretend to be an American military officer from my comfortable couch here in Ireland. Given that most phishing scams break at least a few laws anyway I don't think they'd be put off by anti-impersonation laws.
  • To fight computer crime, the good guys are masquerading as bad guys pretending to be good guys.'

    Reminds me of a quote from Interview With The Vampire. "Vampires pretending to be humans, pretending to be vampires."
  • by lightspawn ( 155347 ) on Wednesday August 17, 2005 @08:05AM (#13338201) Homepage
    is not the same thing as blindly following orders from somebody claiming to be one.

    Which of course is a known problem in the military; high ranking officers expect cooperation from everybody, including soldiers who have never met them before. They may flash (or even show) some kind of ID in rare instances, but for the most part a soldier has to guess if he's dealing with the real thing or not.
    • A soldier is not supposed to blindly follow orders, period, whether the order is known to be authentic or not. For starters, soldiers should only follow LAWFUL orders. If your superior orders you to torture that prisoner, you better disobey that order.

      Also, a soldier's obligation to follow an order from a superior doesn't mean a soldier is obligated to follow it without comment. The military doesn't want soldiers just blindly doing what their superiors tell them - if an order seems to be stupid, a soldie
  • Black Hat crimes (Score:4, Insightful)

    by redelm ( 54142 ) on Wednesday August 17, 2005 @08:07AM (#13338213) Homepage
    For more than just phishing, there is a temptation to play the Black Hat for user education. The problem is: "Two wrongs don't make a right". The "education" still involves exactly the same crime as a real exploit. Rather like stealing something a friend had poorly guarded, then giving it back.

    • If you steal your friends trust in you, you can never give it back completely.
  • Secure e-mail (Score:2, Interesting)

    by bhaberman ( 898289 )
    From TFA:

    Still, there are potential pitfalls, including the possible loss of trust among employees for their organizations' own information-security staff. "My initial thoughts when I heard about it was 'Whoa, this sounds questionable,' " says David Jevans, chairman of the Anti-Phishing Working Group, an industry consortium. He says that although employers are within their rights to train their employees, companies should be careful before they intentionally use mock email on their customers. "You're playin

  • Whenever I get a phishing email, I visit the site and fill it in with (genuine looking) crap details.

    Perhaps a small waste of their time sifting genuine responses from garbage, but if everyone did that it'd make their life a lot harder.

    On the common ebay one, if it rejects your credit card as invalid, change the check digit (the last digit of the 16 digit number) until you get the right one.

    Perhaps there's a good reason why this isn't any use in fighting phishers, but it makes me feel better anyway.

    Jol
    • by lukewarmfusion ( 726141 ) on Wednesday August 17, 2005 @08:35AM (#13338399) Homepage Journal
      You might still be helping them in some small way by confirming that your email address is valid.

      Many spam and phishing emails use links that contain an ID indicating the email address. For instance, "myspamsite.com/great_offers.php?id=1492" where "1492" corresponds to "columbus@hotmail.com" in the spammer's database. Sometimes that ID is buried within a long URL full of different parameters, too.

      Valid emails (especially of those that click on them) are valuable to spammers.

      It's the same reason that you shouldn't click the unsubscribe link or display remote images in your email.
      • You might still be helping them in some small way by confirming that your email address is valid.
        Ah, that's ok by me. All they'll do is send me more phishing forms which I'll continue to fill in with bogus details!

        Jolyon
    • On the common ebay one, if it rejects your credit card as invalid, change the check digit (the last digit of the 16 digit number) until you get the right one.

      Alternatively, if you've ever had to cancel a card as lost or stolen, use that number with bogus personal info. This might have a better chance at raising a louder alarm bell if they ever try to use it.

      Citi Visa 4128 0032 4259 7154, if anyone wants one. (Cancelled when I left it at a restaurant in 1999.)

  • Cadets are given instructions and then a "colonel" comes along and convinces some of them to do something they shouldn't. How is this a problem specific to email/technology? Hasn't this type of exercise been around as long as the military?
  • by Curien ( 267780 ) on Wednesday August 17, 2005 @08:18AM (#13338284)
    Under the current rules, an e-mail from a superior carries the force of an order. In most situations, this is a good thing. However, there is a problem in that plain e-mail is inherently insecure. Most military e-mail servers don't perform any sort of authentication, so I could easily send mail that looks like it came from General Foobar.

    Of course, the solution is some sort of PKI solution -- and it's mostly here. US military ID cards are smartcards with PKI certficates on them. There was a mandate that all official DOD e-mail be signed. The deadline passed years ago, with most people unaware that it was ever a requirement. The problem is that the military's infrastructure just isn't ready.

    In the Air Force, for example, your e-mail address is first.last@basename.af.mil. What happens when you change bases? You have to get a new cert, of course, and now you can't decrypt e-mail sent to your old address (ie, archived mail). Further, say you have an Army person stationed at an Air Force installation. The Army has unified e-mail addresses (name@us.army.mil), but the Soldier will also have a unit e-mail address, which will probably be his primary SMTP address (if it weren't, he wouldn't show up correctly in the GAL). The solution is to give him two e-mail addresses on his cert.

    But wait! The software the DOD uses to write the certs can't do two RFC822 addresses. Lame, but true. So now you're stuck forcing the Soldier to have his army.mil address set as his primary SMTP, have it forward e-mail to his unit account, and just suck it up when people complain about not being able to find him in the GAL.

    Now for the real reason PKI isn't fully implemented. Exchange 2000 OWA can't handle S/MIME out of the box. Exchange 2003 can, and some major commands run it, but at least one (I'm looking at you, USAFE) have it disabled (WHY????!!!). The long and the short is that commanders wouldn't be able to read their secure e-mail from anywhere but their desks.

    The end result is that the taxpayers payed millions of dollars to pave the way for a decent secure e-mail solution for the US military, but we don't use it. The result is that those cadets (and anyone else) really don't know who their e-mail comes from, but they still must act as if it's an order from the person it says sent it.

    • Under the current rules, an e-mail from a superior carries the force of an order ... Most military e-mail servers don't perform any sort of authentication
      You have got to be shitting me!

      Please tell me there are at least exceptions to this for any orders involving munitions.
    • First, individual certs are a great idea, as long as they're free. For the vast majority of military users, however, it simply doesn't make any sense. I mean, 99.9% of the e-mail that I send and receive has two attributes that make the above phishing test a little silly. 1) My writing is my writing, and my people know what it looks like. My orders are my orders, and my people recognize them. If I said something out of character, I expect them to question that. 2) Anything relaxed enough to send via e-
    • Easy way to fix this....DON'T SEND ORDERS VIA E-MAIL! Or don't do that until the e-mail has been secured.

      I realize that it's nice that the base is in the address, but I would rather see something like thus:

      first.last.sumnumber@af.mil
      first.last.sumnumber@army.mil

      or something along those lines. Make the e-mail address NEVER change and simply change the mailing address in the LDAP directory (if that's what they use). They can issue a key to everyone and the mailing address never changes, but periodically th
  • a while back I was testing Outlook at Microsoft, and I dropped a potential privacy hole into the bug database. They resolved it as an unimportant issue.

    a couple years later, I saw the bug mentioned again...

    on CNN.
  • In this report from ABC Australia on Identity Theft [abc.net.au] day before yesterday:

    If you need a well-written email to do phishing, some email that you want to spam to try and phish people, well, you just go here to this anti-phishing.org site because they have a library of all phishes that have been sent around the world.

    • If you need a well-written email to do phishing...

      Well, we all know you don't need something "well-written" at all.

      There are a few disturbing sides to phishing, but the one that hits me hardest is that people fall for messages that are incredibly poorly written. Anyone who reads regularly and who has any sense of graceful language should see though the vast majority of phish attempts in a second or two. Phishers generally are truly bad, tone-deaf writers. Your bank isn't going to botch the spelling of "

  • by aldheorte ( 162967 ) on Wednesday August 17, 2005 @08:19AM (#13338293)
    This raises a rather interesting question of whether institutions with assumed automatic compliance, like the military (for practical reasons), may become especially vulnerable to certain types of viruses that engage in a form of social engineering attack?

    In the article's example, no colonel of the name given existed. However, in many virus variants, compromised computers use address books to form fake mailings to one person on the list from another person on the list. Given that an email list generally represents a network of people who mostly know each other, this leads to the recipients using a much lower level of caution when receiving an email with an attachment from someone they know. To make this even more severe, where institutionalized automatic compliance exists, many of these emails would appear to come from superiors and make virus transmission almost a certainty.

    Of course, this could also occur in any private organization with strict command and control or possessing a culture of fear leading to blind obedience to any orders coming down from the top. Therefore, one could hold that you can lessen security exposure to these types of attacks (viruses serve as just a starting point as other social engineering attacks could also work in this context, with much more disastrous results) by creating a more permissive and questioning command and control structure. However, obviously, this would not work for the military and perhaps some other institutions, except in certain contexts, so what do you do?
  • by redelm ( 54142 ) on Wednesday August 17, 2005 @08:22AM (#13338313) Homepage
    This highlights an extremely important lesson I'd hope West Point and Annapolis cadets learn: Orders _aren't_ Orders! The US isn't the German "Befehl ist Befehl". A US officer must not blindly obey orders, but has a duty to first determine if the orders are authentic (they weren't, and probably proveably so from the headers), _and_ whether they're legal.

    In this case, I would expect a colonel to trust his officers enough to tell them "I'm sending this autoinstal to you". Or his officers to reply "Sir, you sent us an autoinstall without mentioning it. Please confirm this was your intent."

  • Military training (Score:4, Insightful)

    by wowbagger ( 69688 ) on Wednesday August 17, 2005 @08:25AM (#13338326) Homepage Journal
    I thought a big part of military training was the idea that no soldier is to obey an unlawful order, or a lawful order unlawfully given.

    ESPECIALLY at the top military academies, such as, oh, say, West Point!

    So these cadets are, in effect, saying "But I was Just Following Orders!" - which is NOT a valid excuse.
  • Nonetheless, he says the exercise upset some cadets, who felt it exploited their inclination to follow an order from a colonel, no questions asked.

    n June 2004, more than 500 cadets at West Point received an email from Col. Robert Melville notifying them of a problem with their grade report and ordering them to click on a link to verify that the grades were correct.

    Which order would this be?

    If they verified that the email was authentic (e.g. it was PGP-signed or whatever mechanism they have in

  • I know it's cool to get submissions from the Wall Street Journal, but you don't have to put all of them on the front page. They are obviously using you guys as a traffic magnet to drive up interests and subscriptions.
  • I wish I had time to find an article on it, but I remember a few years ago, this guy was making headlines because he would pick up a girl from a bar, get her out to a secluded area, calmly explain to her that were he a murderer or rapist, there was no one to stop him, then drive her back. The police were trying to find something to charge him with, but could never find anything.
  • In combat, no order should be questioned. the edict should be, "Follow any order that comes in official form, email is NOT official for giving orders"
  • Schools of Phish (Score:5, Interesting)

    by Doc Ruby ( 173196 ) on Wednesday August 17, 2005 @08:53AM (#13338570) Homepage Journal
    It's even more important that cadets be taught to question orders from superiors before executing them, than it is for them to recognize they're being phished. Because soldiers "execute" real people. Especially with orders increasingly coming over telecom, rather than the more easily authenticated "face to face" (or "about face / forward march"). And with the chain of command increasingly complex, like mercenaries, unaccountable either to military law, US law, or (nonexistent) US law, commanding troops in Iraq.

    Lots of the abuse we see coming from Guantanamo and Abu Ghraib (and elsewhere) could have stopped before it started, if soldiers had questioned the orders or directions given them to execute inhuman acts on prisoners. The more humane soldiers will question such orders anyway, even when they are legit. So it's extremely important that they learn how to quickly, consistently, and effectively question and execute orders during training. Instead of facing that awkward learning curve on a battlefield, or just in a prison where they can't afford to lose face before a prisoner.
  • banks continue to train people to be good little phishies by sending legitimate email with links in it. Yes, I can tell the difference, and Bank of America sends me notices such as 'statement ready' or 'bill from X' with direct links to login and view/pay.

    I've complained that they should include text alerting people to never click on links in email, and not include any links. When the 'good' email trains people to be careful, the 'bad' email will be less successful.
  • What if I'm a bad guy pretending to be the good guy pretending to be the bad guy?

    In other words, I'm really a phisher opperating under the guise of one of these people trying to "help" others.

    On every successful "catch" for something like, say, bank information or ssn, I have a script automatically check the victims bank account balance or credit score. If they're low, I automatically send them a "gotcha!" letter saying "look at what you just gave to me? It's a good thing I'm a responsible citizen and let you know!"

    If the values are high, I sell them at a premium to other criminals (who will come to know that *my* information always contaians the personal information of someone with means).

    If I ever get caught, I simply can point to the large number of emails I sent off warning people. "Hey, that some other guy robbed them blind isn't my fault; just because I deal with people who are prone to fall for this stuff doesn't mean I exploit them. Heck, I help them, and here's all my (doctored) logs to proove it. Don't believe me? Go interview the countless number of people I saved!

    In the end, the profit wouldn't be huge, but it'd sure add another layer of safety to the fraud.

Measure with a micrometer. Mark with chalk. Cut with an axe.

Working...