How can it be illegal sending a few fake data to a website?
And anyway I doubt they will ever sue you, at most you could be targeted for some revenge attack if they are really pissed off and you don't hide your traces.
This is what I expect the relevant text in the CFAA is...
knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
Is it damage if you're just sending data to an endpoint to see what happens? Sounds like he didn't try to send a SQL injection, he just sent more characters than what was expected.
When in doubt - yes. It's the same reasoning forbidding you from shooting criminals in the street, you'd just open up mob justice.
Of course, this is a pretty clear cut case and you might argue that this is an emergency (as people are clearly in danger of being scammed unless you act right now), but overall this is a very blurry line.
Depends: around here you can break into a shop at night to put out a fire or - more realistically - break a car window to pull out a kid (or animal) left alone in the sun.
I'd be careful with computer crimes on the Internet though.
> I'd be careful with computer crimes on the Internet though.
Exactly. Let us say you break into a shop owned by some mafia to put out a fire, then you might be fine w.r.t. authority, but you might be in trouble w.r.t. criminals. Similarly, say you break a car window to pull out a pit-bull left alone in the sun, you might have some issues with the owner if he turns out to be part of some drug trafficking gang.
There is no reason to believe that phishing websites are run by script kiddies; there are obviously criminal rings running all sorts of businesses on the Internet too. I would rather leave the work to the authorities than risk going through trouble with unknown criminals, just so that I could have my funny revenge over them.
This can be classified as a denial of service attack because of the rate you are sending the requests. Depends on the law (and on the interpretation as well). I doubt that the phishing guys behind this will file a complaint though.
Many phishing pages reside on compromised domains. Bob's Plumbing Supplies might wonder why their Wordpress site loaded with plug-ins has stopped working, ask someone to take a look, and see your IP address all over the logs.
Or the webhost where Bob's Plumbing Supplies is hosted detects an attack and files a complaint. Or the SAAS/server rental sees this, puts you on some automatic blacklist and puts it on the "to be investigated" blacklist. Too many parties involved whom you are "hurting" that might get back to you.
Not saying this to keep anyone from repeating this, though; just that when doing so, keep in mind that you're probably not just hurting a scammer alone.
To poison some phishing data you don't need to overload any server. Although the act itself of poisoning data could be seen as a DoS, since the service in question is an illegal one (IANAL) I don't think it would stand in court.
It is very important to understand this from the legal standpoint. If you overload a legitimate or illegitimate service you might commit a crime (depending on the country). I can give you a simple example of this in a different context. In our country you cannot go after the criminal who committed the crime and cannot cause them harm. A few years back a lady got robbed by two guys on a motorbike and she went after them and hit the motorbike with her car. She was prosecuted for assault. This is a very similar situation here. Again, depending on your country, state etc. this _might_ be a bad idea.
I see your point, but anyway I think that phishers will hardly sue you for poisoning their data, because you probably just uncovered one phishing campaign but they run tens of them. Putting Justice in the loop would be much riskier for them, I believe.