How to Hook the Elusive Phisher

Article excerpt

Byline: Steven Levy

Ann Chapman thought it was strange that MSN, Microsoft's online service, was asking her to go to a Web site and re-enter her credit-card number. So she mentioned it to her son-in-law. He took the e-mail to his employer: Microsoft. Thus began an epic hunt to find a phisher.

Phishing is a recent cybercrime twist. A phisher sends out huge amounts of spam in the form of e-mail purporting to be from a company like Citicorp, PayPal or MSN. The mail says there's something wrong with your account and links to an authentic-looking Web site so you can fix it. But the site is a fake, and when you enter personal information, the phisher can use it to buy goods or swipe your identity. An estimated 75 million to 150 million phishing e-mails go out every day, with losses as high as more than $1 billion a year, says Dave Jevans of the tech industry's Anti-Phishing Working Group.

"Because of the volume and complexity of these investigations, law enforcement can be hesitant to take the step," says Stirling McBride, a former U.S. marshal who is Microsoft's lead cyberferret. So beginning in October 2003, Microsoft pursued the Chapman phish itself, filing suit against unknown John Does so it could use subpoena power in its attempt to untangle the gnarly trail of the e-mail and the phony Web site it linked to. The mail path dead-ended at an Internet service provider (ISP) in India. So the quest focused on finding the owner of the bogus Web site.

Every Web site has an Internet address traceable to the service that hosts it. But these can lead to other addresses, assigned by other ISPs, or "co-location services." With each "round," a subpoena had to be served on the hosting ISP to find out who was paying for the service. Round one: a company in San Francisco. Round two was another hosting service in that city. …