Project Mayhem: Combating IRS/Tech Support Scams with Dubious Means

IRS scams and tech support scams are two of the most well-known fraud schemes preying on users today. In the former, bad actors cold-call unsuspecting individuals and tell them they'll go to prison and/or lose their assets unless they call back and agree to pay back taxes owed to the Internal Revenue Service (IRS). The latter leverages a fake security alert to trick users into calling "technical support," where a "representative" then tries to convince victims they need to purchase fake anti-virus software to clean their computers of malware. Both of the ploys described above have been around for quite some time. Even so, users continue to fall for them. A 2017 report published by the IRS reveals that 10,000 victims have lost more than $54 million to IRS scammers since October 2013. Similarly, the FBI Internet Criminal Complaint Center (IC3) received 10,850 tech support scam complaints in 2016, amounting to losses in excess of $7.8 million. To help protect users against such scams, some individuals are taking matters into their own hands.

Enter Project Mayhem

Founded by a Reddit user/self-proclaimed "security developer" named YesItWasDataMined, Project Mayhem seeks "to prevent victims from being scammed by different types of scams." The service comes with a multi-tier system where "patrons" pay YesItWasDataMined to "work against a scammer." They do this by using VM farms, forwarding calls to law enforcement and activating time-wasting bots like those created by Jolly Roger Telephone Company. Project Mayhem's preferred anti-spam tool is the robo-call. It all begins when YesItWasDataMined returns an IRS scammer's call or dials the phone number included in a tech support scam. If they sense that a scam is afoot (such as a request for payment using iTunes gift cards), they unleash a script that auto-dials the scammers at a rate of 28 calls per second. The purpose? To prevent the scammers from preying on any more users. You can see this script in action in the video below. https://www.youtube.com/watch?v=EzedMdx6QG4&feature=youtu.be As Project Mayhem tells the scammers over and over again:

"Hello, it has been detected that you are a scammer. Because of this we are now flooding your phone line to prevent you from scamming additional people. This will not stop until you stop."

In other videos, YesItWasDataMined advises that the scammers "…[p]lace down your headset, go home…. Or, continue to have your lines flooded to prevent you from scamming additional people." https://www.youtube.com/watch?v=EzedMdx6QG4&feature=youtu.be As reported by Motherboard, Project Mayhem's videos have attracted lots of attention. Users on Reddit have gone so far as to request the source code for YesItWasDataMined's phone flooding program. Fortunately, the security developer is aware of how some could abuse their script and has, therefore, not made the code available publicly as of this writing.

Some Closing Thoughts

YesItWasDataMined might have created Project Mayhem in the interest of protecting regular users. But its implementation isn't perfect. First, the service acts only as a temporary deterrent against scammers. Once Project Mayhem ceases its robo-call flood, the scammers can resume their activity using the same phone number as before or by registering a different number altogether. Second, Project Mayhem could get its creator into trouble. The service's robo-call flood constitutes a denial-of-service (DOS) attack, something which is illegal in the United States. As a result, developers can't and shouldn't openly advertise services like Project Mayhem; they could face hefty fines or prison time if they did. (This explains why we don't know YesItWasDataMined's true identity.) Such penalties make Project Mayhem and others like it inadvisable from a legal standpoint if not counter-productive to fighting against digital threats. As of this writing, YesItWasDataMined has not returned The State of Security's request for comment. With the shortcomings of Project Mayhem in mind, security researchers should focus on prevention. That effort begins with ongoing security training, as well as awareness campaigns like National Cyber Security Awareness Month. For more information on how to detect, respond to, and report an IRS scam and a tech support scam, please visit these information sites here and here. Alternatively, you can read how Tripwire's Paul Norris toyed with a Microsoft scammer here.