Ann Chapman thought it was strange that MSN, Microsoft's online service, was asking her to go to a Web site and re-enter her credit-card number. So she mentioned it to her son-in-law. He took the e-mail to his employer: Microsoft. Thus began an epic hunt to find a phisher.
Phishing is a recent cybercrime twist. A phisher sends out huge amounts of spam in the form of e-mail purporting to be from a company like Citicorp, PayPal or MSN. The mail says there's something wrong with your account and links to an authentic-looking Web site so you can fix it. But the site is a fake, and when you enter personal information, the phisher can use it to buy goods or swipe your identity. An estimated 75 million to 150 million phishing e-mails go out every day, with losses as high as more than $1 billion a year, says Dave Jevans of the tech industry's Anti-Phishing Working Group.
"Because of the volume and complexity of these investigations, law enforcement can be hesitant to take the step," says Stirling McBride, a former U.S. marshal who is Microsoft's lead cyberferret. So beginning in October 2003, Microsoft pursued the Chapman phish itself, filing suit against unknown John Does so it could use subpoena power in its attempt to untangle the gnarly trail of the e-mail and the phony Web site it linked to. The mail path dead-ended at an Internet service provider (ISP) in India. So the quest focused on finding the owner of the bogus Web site.
Every Web site has an Internet address traceable to the service that hosts it. But these can lead to other addresses, assigned by other ISPs, or "co-location services." With each "round," a subpoena had to be served on the hosting ISP to find out who was paying for the service. Round one: a company in San Francisco. Round two was another hosting service in that city. Round three led to a free "re-direction service" in Austria, where Microsoft had no legal authority to demand the identity of the address holder. But the operator, Andreas Griesser, hates phishers, and gave the information voluntarily. This led to yet another Internet address, controlled by Qwest in the United States. A subpoena to Qwest led back to Microsoft itself: the address was assigned to an MSN user. The customer was a 69-year-old man in Davenport, Iowa.
Some sleuthing by McBride and his team found that a 21-year-old grandson living in the house, Jayson Harris, had "a certain reputation on the Internet."
At that point, Microsoft went to the FBI, which searched the house in July 2004 and took Harris's three computers. After the search, Microsoft sued Harris, who did not respond to the suit. In December, the com-pany won a $3 million default judgment.
When I called the grandfather's house, Harris's brother Sam told me that Jayson holds a high-school equivalency diploma, works at Blockbuster and has been interested in computers for years. As for the phishing, "nobody really knew what he was doing," says Sam.
Will Harris be indicted? The FBI says only that it is in the latter stages of the investigation. Law-enforcement officials I spoke to assured me that whatever the outcome of this case, they take phishing seriously. "We're making it hard as we can to profit from these crimes," says the DOJ's computer-crime head Martha Stansell-Gamm, who notes that a Texas phisher got a 46-month prison sentence last year.
Harris himself, when I got him on the phone and asked if he was a phisher, was unhelpful. "I have no comment," he said, and hung up, saying he was late for work. I can understand the haste. It would take a lot of hours at Blockbuster to pay Microsoft that $3 million.