Don’t Poke the Buffalo

Ranchers know that there’s little that can stop a determined buffalo – barbed wire is at best a suggestion. That’s why taunting or poking one is just a bad idea (the guy in Yellowstone recently was extremely lucky). Malicious actors can be a bit like that too – that’s why I’ve written before that ‘hacking back’ is a bad idea for all but nation states, but what about as individuals?

Folks in the security and technology industry often get called by obvious (to us) scammers like Windows Tech Support or ‘Rachel from Card Services’, which are two that have plagued my phone with junk calls.  Clearly we’re not going to bite, but should you try to keep them on the phone as long as possible, with the intent that it prevents them from scamming other people?  Tempting…very tempting.

There’s two classes of bad folks out there – the creative, innovative, highly skilled adversary, and what used to be derisively called the ‘script kiddie’.  The latter may or may not have a highly skilled actor behind him pulling the strings, or might just be a run of the mill boiler room operation – mass market cybercrime.  The problem is that you don’t really know which one just called you.  And that’s why as tempting as it is to engage them and burn their time, I recommend against it.

For the vast majority of these scams you’re just another number in the machine.  So when you don’t bite, it’s not unexpected and they just move on.  But do you really want to move from anonymous in the herd to being singled out for attention? Is it worth the risk of angering someone who already has questionable morals, and now decides to target you for specific attacks? You turn a run of the mill attack into a battle of wills against a potentially highly skilled adversary.  That’s why I have tremendous respect for folks like Brian Krebs who do active investigations of malefactors.  He’s a full time professional, and spends a decent amount of his time going above and beyond to protect himself.  For example, he’s recently started decoupling his phone from his accounts, due to SMS spoofing attacks, and has had his home swatted. Do you really want to have to go to that level?  I’d rather not.

I have a lot of respect for our adversaries.  Sometimes that’s due to deep technical capability, and others it’s just because they can make life miserable.  Either way, engaging isn’t something you’re really going to win or make a difference doing. So next time a scammer calls, just hang up.  Don’t poke the buffalo.

, , , , ,

No comments yet.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.