Artists Against 419

Artists Against 419 (commonly abbreviated to AA419) is an Internet consumer protection group dedicated to identifying and shutting down 419 scam websites. Its volunteers seek to stop, disrupt or hinder fraudsters' activities by cataloging and reporting fraudulent domains.

History
The Artists Against 419 site was set up in October 2003 and began tackling fraudulent websites in an artistic way: by hotlinking their images to drain their small bandwidth allowance over their monthly limit. Over time the fraudulent sites have evolved and so have the Artists. On November 30, 2003, the Artists Against 419 hosted its first international flash-mobsee below. There were many subsequent mobbings designed to make internet hosting service providers aware that the Artists Against 419 would not tolerate hosters knowingly hosting websites that AA419 had evidence to show were criminal.

At the same time, they started to list the allegedly fraudulent sites that members had found in a database. With these database entries, if a potential scam victim were to search a website they had been sent by a possible fraudster, the victim might see the database entry on an anti-fraud site and be inclined to cease contact with the scammer. This list now contains nearly 100,000 websites (as of August 31, 2014), and is one of the world's largest databases of fraudulent websites.

Sophisticated tools and techniques are used to search for fake sites and domains. When there is sufficient evidence to prove that a particular domain is fraudulent, it is entered into the database by a select experienced member after careful review. AA419's members then compose abuse reports to the domain registrar and/or hosting service provider with the evidence and ask for them to review/suspend the fraudulent site. Frequently, fake sites are closed within days or even hours of being set up. The UK Metropolitan Police force has previously worked with AA419. AA419 also escalates any websites found linked to South Africa to the South African Police Service (SAPS) and such websites will only be reported after giving those authorities the chance to investigate.

AA419 maintains constant relations with numerous internet registrars and hosting companies, who themselves have no wish to host criminal activity and cooperate willingly by suspending the fraudulent sites once the evidence is presented. However, certain companies fail to respond to AA419's abuse reports. In such circumstances (in the past) they arranged virtual sit-ins.

Flash-mobbing
AA419 described its past actions as flash-mobbing, but in actuality, this activity is called a virtual sit-in. Virtual sit-ins entail large numbers of individuals intently visiting a target site and downloading pages or requesting large numbers of information, with the intent that their requests will cause a rapid drain of bandwidth, and if there is a bandwidth quota it goes offline. For example, if 100 people continuously download a 10 kilobyte image simultaneously for 12 hours, this uses 40 gigabytes of allocated bandwidth. Assuming that the fraudulent site has 40 GB of allocated bandwidth per month, it will automatically shut down after 12 hours, when the bandwidth threshold is exceeded. The fraudulent website will then remain off-line until the following month, when the bandwidth quota is reset. Virtual sit-ins were achieved using freeware tools such as Muguito or the Lad Vampire. A computer flash-mob is a similar case where the sites' sudden popularity brings an unexpected large numbers of visitors which the server is unable to handle. The difference is that, in a virtual sit-in, there is no actual audience and the action is designed to be disruptive.

In some cases, particularly when a small web-hosting company is involved, the volume of traffic can be so large that access is slowed to all sites on the server. This would hold the hoster at ransom until the scam site was suspended; the hosting service would resume operating normally afterwards. It is important to note that no site was ever "mobbed" until at least two letters had been sent to the hosting company notifying them of the abuse, informing them that they were hosting a fraudulent site, detailing evidence of such fraudulent activities and requesting that the site be shut down for violating the hosting provider's terms of service.

The Artists always preferred that hosting companies take responsibility for the actions of their clients as well as the content of their web sites. A virtual sit-in is a tool of last resort, and was used only after other attempts to shut down the fraudsters' website had failed. Fortunately, the vast majority of web-hosting companies find the activities of internet fraudsters highly objectionable and swiftly intervene to stop them.

Controversy
What AA419 describes as flash-mobbing, is considered by others to be an illegal electronic offensive called a Distributed Denial-of-service attack (DDoS). By their own admission they affect "all sites on the server", and they have attacked systems without checking if bandwidth limits are in place.

Legal scholars like Susan Brenner, a law professor and expert on cybercrime at the University of Dayton School of Law, while sympathetic to aa419's aims and supportive of their more peaceable efforts, find these aggressive techniques akin to DoS attacks, which are illegal. Many jurisdictions prohibit anyone from sending a command to another computer with the intent of causing harm, and DoSes definitely aim to do damage.

Change in direction
The following is from the AA419 web site, discussing the discontinuation of Lad Vampire and other software from their site:


 * As of September 14th 2007 the Artists Against 419 discontinued the use of Bandwidth Hogging tools


 * As regular viewers will have noticed, the Artists discontinued the use of the Deadly Duo, Mugito and Lad Vampire on September 14, 2007.


 * As a community we have grown more sophisticated and effective in the art of shutting down fake web sites with words alone. Our database is the largest of its kind, and our expertise at identifying, cataloging, and terminating fraud sites is unmatched. We have shut down over 95% of the fakes in our database by letter-writing and establishing good relationships with hosts and domain registrars, and so we believe that it's time to move on.


 * We have listened to feedback from all sections of the internet, and realize that there is less need for these tools. With so many reputable hosting companies supporting the work of AA419, we no longer need the pressure tactics that worked in our infancy.


 * This is not to say that AA419 has lost its teeth. We remain committed to locating, and closing fakes web sites of all descriptions. We will continue to make known the names of web hosts and registrars that support fakes within their ranges, and we will bring our reputation, and our artists with us to every fight.

Subsequent activities
Since the announced change of direction, Artists Against 419 developed new legal techniques and have acquired numerous new members who find fraudulent websites. Artists Against 419 also has a long-standing partnership with the prominent scambaiting community 419eater and allowed members of this organisation to upload, under moderation, websites to their database of fraudulent websites. In 2020 this support was withdrawn.

AA419 is constantly developing and building relationships with domain registrars, hosting companies and various security vendors and groups while being a long term Anti Phishing Working Group member. Because of this, even though more and more fraudulent sites are being found now, a limited number of private sector companies have been supported by AA419's efforts. By using responsive tactics Artists Against 419 has become more effective under its new method of operating.

Additional relationships has also since been established with other credible anti-fraud source groups such as ScamSurvivors, Forum Scambaiter-Deutschland and RomanceScambaiter who use Artists Against 419's database to warn against verified malicious domains and websites.

The Artists have had considerable success in closing fraudulent websites. Of the more than 156,000 sites listed in their database, roughly 4500 are currently active, and many of these are very recent additions. The active status in the aa419 database has a very specific definition, it is a domain that is considered still under malicious control.

Since January 2016, the Artists Against 419 database also reflects separate scam category, autonomous system number (ASN) and domain name registrar fields, enabling ISPs and registrars to easily determine which sites under their responsibility have been listed. An additional comments field was also added showing additional details such as the contact details the scam website used, a refinement of the scam category, links to other partner websites, trusted informational/alert links or related database entries.

A project field was added allowing related entries to be easily identified. This is used to alert on active threats in specific sectors. An example of this can be seen on the PetsPlace website where consumers in South Africa are alerted against known active pet scam websites.

On 24 December 2019, Artists Against 419 also announced the Krampus program whereby information on cyber threats captured at Artists Against 419 is being shared with other security groups.

Since December 2020, Artists Against 419 also started displaying the top three most Domain name registrars, autonomous system numbers (ASN) and Internet Protocol addresses (IP addresses) on their database page with more detailed Top 10 Areas of Badness available on a separate page in a chart.