Enter Project Mayhem
Founded by a Reddit user and self-proclaimed "security developer" named YesItWasDataMined, Project Mayhem seeks "to prevent victims from being scammed by different types of scams." The service comes with a multi-tier system where "patrons" pay YesItWasDataMined to "work against a scammer." They do this by using VM farms, forwarding calls to law enforcement and activating time-wasting bots like those created by Jolly Roger Telephone Company.

Project Mayhem's preferred anti-spam tool is the robo-call. It all begins when YesItWasDataMined returns an IRS scammer's call or dials the phone number included in a tech support scam. If they sense that a scam is afoot (such as a request for payment using iTunes gift cards), they unleash a script that auto-dials the scammers at a rate of 28 calls per second.

"Hello, it has been detected that you are a scammer. Because of this we are now flooding your phone line to prevent you from scamming additional people. This will not stop until you stop."

In other videos, YesItWasDataMined advises that the scammers "…[p]lace down your headset, go home…. Or, continue to have your lines flooded to prevent you from scamming additional people."

https://www.youtube.com/watch?v=EzedMdx6QG4&feature=youtu.be

As reported by Motherboard, Project Mayhem's videos have attracted lots of attention. Users on Reddit have gone so far as to request the source code for YesItWasDataMined's phone flooding program. Fortunately, the security developer is aware of how some could abuse their script and has, therefore, not made the code available publicly as of this writing.

Some Closing Thoughts
YesItWasDataMined might have created Project Mayhem in the interest of protecting regular users. But its implementation isn't perfect. First, the service acts only as a temporary deterrent against scammers. Once Project Mayhem ceases its robo-call flood, the scammers can resume their activity using the same phone number as before or by registering a different number altogether.

Second, Project Mayhem could get its creator into trouble. The service's robo-call flood constitutes a denial-of-service (DoS) attack, something which is illegal in the United States. As a result, developers can't and shouldn't openly advertise services like Project Mayhem; they could face hefty fines or prison time if they did. (This explains why we don't know YesItWasDataMined's true identity.) Such penalties make Project Mayhem and others like it inadvisable from a legal standpoint, if not counter-productive to fighting digital threats.

As of this writing, YesItWasDataMined has not returned The State of Security's request for comment.

With the shortcomings of Project Mayhem in mind, security researchers should focus on prevention. That effort begins with ongoing security training, as well as awareness campaigns like National Cyber Security Awareness Month.