A week after the Dec. 26 tsunami decimated the coast of Indonesia, phishers were using the crisis to try to steal money and account information from people wanting to donate to the cause.
"We started to see fake tsunami sites go up shortly after the disaster happened," says Dan Larkin, director of the FBI's Internet Crime Complaint Center (ICCC).
Often, federal agencies don't get involved until a high-dollar threshold - $50,000 - is reached. But in this case, FBI agents sprang into action before the phishers could inflict that level of damage.
First, the ICCC moved to contain the damage by issuing a national scam warning, which was picked up by major media outlets and posted on the sites of legitimate aid organizations.
Meanwhile, Mercy Corps, a Portland, Ore., aid organization that was being spoofed, had sent the FBI what information it could on a phisher who'd spammed 800,000 people with a mirror-image aid scam hyperlinking Mercy's logos, art and tsunami footage directly from Mercy's legitimate site. The phish also linked to a PayPal account where the fraudster collected donations.
Tracking the IP address of the phish site usually leads to false positives, open proxies or bounces off compromised networks (also called botnets). So agents decided to follow the money.
"The criminal was reasonably savvy in setting up phish sites," Larkin says. "So the first thing we did was embed a message in the images he'd hyperlinked from Mercy saying 'This is a fraud site,' so people wouldn't fall for it. Then we called PayPal and provided them with the paperwork they needed to see this guy was operating a fraud."
Using PayPal's logs and registration information, agents tracked the fraudster to an anonymous Hotmail account. Microsoft and PayPal logs placed the fraudster in Pittsburgh with Comcast as his ISP.
To issue a warrant, the ICCC needed irrefutable proof that the suspect was actually operating the criminal site. So they appealed to Comcast, which also opened its logs to show that, yes, this user from this IP address logged in and out of the sites on these particular days. That was enough to issue a search warrant for Matthew Schmeider, 25, an unemployed painter from Pittsburgh.
Just three days after launching the investigation, the FBI seized Schmeider's computer and got him off the Internet before Schmeider could do any major damage. Schmeider's total take? A mere $150. He has been charged with fraud.
This case is an example of the level of partnership forming between the FBI and private companies, says Howard Schmidt, former chief security strategist for eBay and former White House cyber security adviser.
Those private/public efforts have led to the creation of the Digital Phishnet, a joint effort announced in February at the RSA Conference to report and thwart online criminals and bring them to justice.
"The value of the resources the private sector has is phenomenal. They can help us identify anomalies, new attack methods and ways criminals and spammers are getting around defenses and filters," says Larkin, who helped rewrite the FBI's cybercrime mission just after Sept. 11 to redefine public/private sector relationships.