To catch a phisher

By Ryan Francis, NetworkWorld.com
May 31, 2004 12:07 AM ET

An Ohio woman was sentenced earlier this year to 46 months in prison as the apparent ringleader of a phishing scheme. Her elaborate plan spanned multiple states and involved many online identities. In an investigation that lasted more than a year, a special agent with the FBI laid out the tangled web he had to cut through to find the phisher.

The special agent began his search on Feb. 11, 2001. In a seven-page affidavit filed on behalf of the U.S. government against Helen Carr, Special Agent Joseph Yuhasz details how he tracked down the 55-year-old woman after receiving the spam at his home computer. Carr and her cohorts were convicted of stealing credit card numbers by duping AOL users into submitting personal information to them.

"The writer stated that he was Steve Baldger from AOL security. The writer stated that AOL's last attempt to charge the recipient's credit card failed and suggested that the recipient should click on an enclosed link, which is text that sends someone to an Internet location, to enter new and alternate credit card information," Yuhasz says in his affidavit.

That link sent Yuhasz to a Geocities Web site belonging to Yahoo. With more than four years of experience investigating computer intrusion and fraud, Yuhasz quickly realized the window that popped up asking for new credit card information was a scam. In an attempt to find the perpetrators, he provided bogus credit card information and continued to click through windows.

He downloaded the HTML and forwarded it to the FBI's National Infrastructure Protection Center Special Technologies and Applications Unit. The unit determined that information gathered through a program called FormMail.pl was being sent to kwist_snow@yahoo.com.

By contacting Yahoo, Yuhasz was able to find out the IP address of the sender for the Geocities Web site and trace it to Stargate, an ISP in Pittsburgh. The IP address was connected to an account for Judy McDonald of Jeannette, Pa. The special agent then went back to Yahoo and tracked the IP address for the Yahoo e-mail account to Sparta, Mich.

"Yahoo officials provided me with information about eight password change requests made on the e-mail account. I traced two of these requests to IP addresses assigned to the ISP, Stargate," Yuhasz said in the affidavit. It turned out only one of the addresses was traceable, which brought him back to McDonald.

After receiving a search warrant on March 21, 2002, FBI agents searched the Jeannette, Pa., residence and seized a laptop computer owned by George Patterson.

"During the interview, Patterson stated that he earns money by sending unwanted e-mail messages or 'spam' to Internet users and gets paid based upon the number of recipients who respond to the spam e-mail," Yuhasz said.

Patterson told investigators he received the information for the phishing scheme from a "Kristi" or "Kwisti" from Akron, Ohio. He gathered e-mail addresses for the spam through chat rooms. Patterson indicated to investigators that the spam blasts would return about 20 to 50 credit card numbers each time he sent out the 1,000 or so messages.
