To catch a phisher

In a seven-page affidavit filed on behalf of the U.S. government against Helen Carr, Special Agent Joseph Yuhasz details how he tracked down the 55-year-old woman after receiving the spam at his home computer.

An Ohio woman was sentenced earlier this year to 46 months in prison as the apparent ringleader of a phishing scheme. Her elaborate plan spanned multiple states and involved many online identities. In an investigation that lasted more than a year, a special agent with the FBI laid out the tangled web he had to cut through to find the phisher.

The special agent began his search on Feb. 11, 2001. In a seven-page affidavit filed on behalf of the U.S. government against Helen Carr, Special Agent Joseph Yuhasz details how he tracked down the 55-year-old woman after receiving the spam at his home computer. Carr and her cohorts were convicted of stealing credit card numbers by duping AOL users into submitting personal information to them.

"The writer stated that he was Steve Baldger from AOL security. The writer stated that AOL's last attempt to charge the recipient's credit card failed and suggested that the recipient should click on an enclosed link, which is text that sends someone to an Internet location, to enter new and alternate credit card information," Yuhasz says in his affidavit.

That link sent Yuhasz to a Geocities Web site belonging to Yahoo. With more than four years of experience investigating computer intrusion and fraud, Yuhasz quickly realized the window that popped up asking for new credit card information was a scam. In an attempt to find the perpetrators, he provided bogus credit card information and continued to click through windows.

He downloaded the HTML and forwarded it to the FBI's National Infrastructure Protection Center Special Technologies and Applications Unit. The unit determined that information gathered through a program called FormMail.pl was being sent to kwist_snow@yahoo.com.

By contacting Yahoo, Yuhasz was able to find out the IP address of the sender for the Geocities Web site and trace it to Stargate, an ISP in Pittsburgh. The IP address was connected to an account for Judy McDonald of Jeannette, Pa. The special agent then went back to Yahoo and traced the IP address associated with the Yahoo e-mail account to Sparta, Mich.

"Yahoo officials provided me with information about eight password change requests made on the e-mail account. I traced two of these requests to IP addresses assigned to the ISP, Stargate," Yuhasz said in the affidavit. It turned out only one of the addresses was traceable, which brought him back to McDonald.

After receiving a search warrant on March 21, 2002, FBI agents searched the Jeannette, Pa. residence, and seized a laptop computer owned by George Patterson.

"During the interview, Patterson stated that he earns money by sending unwanted e-mail messages or 'spam' to Internet users and gets paid based upon the number of recipients who respond to the spam e-mail," Yuhasz said.

Patterson told investigators he received the information for the phishing scheme from a "Kristi" or "Kwisti" from Akron, Ohio. He gathered e-mail addresses for the spam through chat rooms. Patterson indicated to investigators that the spam blasts would return about 20 to 50 credit card numbers each time he sent out the 1,000 or so messages.

With one part of the group in custody, Yuhasz then moved on to the Michigan address with the help of Sprint. On March 21, 2002, investigators searched the house and found another participant in the phishing plan, Kenneth Hyde Jr. He admitted to being part of the AOL billing scheme and implicated others in the group, including "Kristi," who he said lived in Akron with her mother. He told investigators that he used stolen EarthLink accounts supplied by "Kristi" to access the Internet.

FBI agents located the address of Carr through information gained from ISP Road Runner along with a phone number provided by Patterson. On July 3, 2002, the FBI searched the Akron home of Helen Carr and her 80-year-old mother.

"Carr identified herself as being self-employed and stated that she supported herself by 'spamming' adult pornography over the Internet," Yuhasz states.

She initially denied involvement in the phishing scam, according to the FBI. However, during a review of computers found at her house, FBI agents found several files on the hard drive that related to the AOL billing page scam.

It was not until late January of this year that Carr was convicted. Patterson received three years.
