
Microsoft Seeks to Identify Phishing Scam Authors

By Brian Krebs
washingtonpost.com Staff Writer
Thursday, March 31, 2005; 3:51 PM

Microsoft Corp. on Thursday escalated its efforts to crack down on Internet fraud, announcing that it filed more than a hundred lawsuits aimed at identifying people the company says targeted its e-mail and Internet service customers through "phishing" scams.

Microsoft filed 117 civil lawsuits against unnamed individuals in federal district court in Seattle, hoping to learn the identities of those behind a rash of fraudulent e-mail messages identified over the past six months that specifically targeted customers of Microsoft's MSN Internet and Hotmail e-mail services, the company said.


The move comes amid a prolonged surge in phishing attacks, a form of online fraud that uses authentic-looking e-mail messages and Web sites to trick computer users into giving up their personal and financial data. Security experts tracked 2,625 fraudulent Web sites and more than 13,000 new and unique e-mail lures in February, according to the Anti-Phishing Working Group, an industry coalition of banks and technology companies. The group said the number of attacks has increased steadily by 25 percent each month since July 2004.

Microsoft's lawsuits were brought under the Lanham Act, a federal trademark protection law that provides for fines of up to $1 million per violation. The so-called "John Doe" suits are generally used when the plaintiff does not know the names of the defendants.

Every Web site and e-mail message carries an Internet address that can be traced back to the service that hosts it or relayed it. Once a federal judge gives consent for the lawsuits to go forward, the company can subpoena the Internet service providers from which the phishing scams originated in an attempt to force the ISPs to reveal the identities of the account holders.

In many online fraud cases, the perpetrators thread their traffic through multiple computers and across several ISPs, and investigators can only follow the trail by learning who paid for the Internet services at each link in the chain.
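The chain described above, as seen from the receiving mail provider's side, is recorded in the Received: headers that each relay prepends to a message. The following is an added example, not code from the article or from Microsoft's investigation: it parses a constructed phishing message, lists the hops oldest-first, and shows why only the hop recorded by a relay you operate yourself can be relied on. Everything below that hop arrived inside the message and could have been written by the sender, which is exactly why investigators must go to each ISP in turn for its own connection records rather than trusting the headers. All host names, addresses, the `example-mail.test` provider and the message text are invented for illustration.

```python
"""Walk the relay chain recorded in a phishing e-mail's Received: headers.

Added example; not part of the original article or of Microsoft's process.
Every host name, address and message here is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample: a phishing message as it might arrive at the invented
# provider example-mail.test after crossing three ISPs (A, B and C).  Each
# relay prepends its own Received: line, so the top line is the newest.
SAMPLE_MESSAGE = """\
Received: from mx.example-mail.test ([10.1.2.3])
\tby store.example-mail.test with LMTP; Thu, 31 Mar 2005 12:00:04 -0800
Received: from relay3.example-isp-c.net (relay3.example-isp-c.net [203.0.113.77])
\tby mx.example-mail.test with ESMTP id 4f2a; Thu, 31 Mar 2005 12:00:03 -0800
Received: from gw.example-isp-b.org ([198.51.100.9])
\tby relay3.example-isp-c.net with SMTP; Thu, 31 Mar 2005 12:00:01 -0800
Received: from user-pc (dsl-pool.example-isp-a.com [192.0.2.45])
\tby gw.example-isp-b.org with SMTP; Thu, 31 Mar 2005 11:59:58 -0800
From: "MSN Billing" <billing@msn-example.test>
To: victim@example-mail.test
Subject: Update your billing information

Your account will be suspended unless you verify your details at
http://203.0.113.200/msn/login/
"""

# Same message with one line the phisher typed in himself before sending: a
# bogus bottom hop claiming our own MX saw the message come from an innocent
# address.  Nothing stops a sender from including such lines.
FORGED_MESSAGE = SAMPLE_MESSAGE.replace(
    "From:",
    "Received: from innocent.example.org ([203.0.113.9])\n"
    "\tby mx.example-mail.test with ESMTP; Thu, 31 Mar 2005 11:00:00 -0800\n"
    "From:",
    1,
)

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"       # name the sender announced in HELO (unverified)
    r"(?P<meta>.*?)"              # optional "(reverse-name [ip])" added by the receiver
    r"\s+by\s+(?P<by>[\w.-]+)",   # the relay that wrote this header
    re.S,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16"))


@dataclass
class Hop:
    helo: str        # what the sending host called itself
    ip: str | None   # address the receiving relay actually connected with
    by: str          # relay that recorded the hop
    internal: bool   # RFC 1918 address: no ISP account stands behind it


def parse_hops(raw: str) -> list[Hop]:
    """Return the hops oldest-first, i.e. the claimed origin at index 0."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue                      # unparseable header, keep going
        ipm = IP_RE.search(m.group("meta"))
        ip = ipm.group(1) if ipm else None
        internal = ip is not None and any(ip_address(ip) in n for n in RFC1918)
        hops.append(Hop(m.group("helo"), ip, m.group("by"), internal))
    hops.reverse()                        # headers are prepended; undo that
    return hops


def claimed_origin(hops: list[Hop]) -> str | None:
    """What the message itself says the origin was: the bottom Received: line.
    This is exactly the value a phisher controls, so it is evidence of nothing."""
    return hops[0].ip if hops else None


def first_attributable_ip(hops: list[Hop], own_domain: str) -> str | None:
    """Walk from our own mailbox back toward the sender and stop at the first
    relay we do not operate.  The address that our last relay recorded is the
    only one we can vouch for; it names the ISP whose own records (obtained by
    subpoena in the article's scenario) supply the next link in the chain."""
    for hop in reversed(hops):
        if not (hop.by == own_domain or hop.by.endswith("." + own_domain)):
            break                         # chain of custody ends here
        if hop.internal or hop.ip is None:
            continue                      # our own internal handoff; nothing to trace
        return hop.ip
    return None


if __name__ == "__main__":
    for label, raw in (("genuine", SAMPLE_MESSAGE), ("forged", FORGED_MESSAGE)):
        hops = parse_hops(raw)
        print(label, "| claimed origin:", claimed_origin(hops),
              "| first attributable hop:",
              first_attributable_ip(hops, "example-mail.test"))
```

On the constructed message the bottom header names 192.0.2.45 (ISP A) as the origin, and on the forged variant it names an innocent 203.0.113.9; in both cases the only address the provider can actually stand behind is 203.0.113.77, the host its own MX accepted the connection from. That ISP's records, not the message, are what identify the next hop, and the same reasoning applies at every link until the account that paid for the originating connection is reached.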

John Doe lawsuits have been a favorite tool of the motion picture and recording industries in their ongoing war against illegal Internet file-sharing. In many cases, ISPs have resisted turning over the identities of their subscribers, arguing that they have a duty to protect personal information. But some analysts say the Microsoft cases are different because ISPs -- specifically, their customers -- are some of the biggest targets of phishing scams.

Nicholas Graham, spokesperson for Dulles, Va.-based America Online Inc., said the company's privacy policy and terms of service prohibit it from releasing any subscriber information without a subpoena, court order or search warrant. Still, Graham said, AOL is inclined to help with efforts to track down authors of online scams.

"Whether it's fighting spam or phishing, we're all very much in this together," he said.

In a successful use of the John Doe tactic, Microsoft filed a lawsuit in October 2003 in Seattle after a phishing scam targeted MSN customers. Six months and two subpoenas later, the company tracked the scam back to 21-year-old Jayson Harris of Davenport, Iowa, according to Microsoft and documents from the company's civil case against Harris. Harris had used his grandfather's MSN account to disseminate phishing e-mails and had tunneled his Web site and e-mail traffic through four different ISPs on three continents.

Microsoft later won a $3 million judgment against Harris for trademark violations. The FBI seized three of Harris's computers and is in the latter stages of its own criminal investigation into the matter, according to Aaron Kornblum, a Microsoft attorney. FBI officials could not be reached for comment.

"The bottom line is, criminal enforcement is absolutely critical," Kornblum said. "A different message of deterrence is sent by putting a phisher in an orange jumpsuit, and that's one of our ultimate goals."

Microsoft filed the suits in conjunction with an anti-phishing public education campaign it is pursuing with the National Consumers League and the Federal Trade Commission. Noting that Friday is "April Fool's Day," the three organizations advised consumers not to e-mail personal or financial information, and to avoid clicking on links in e-mails that request such data unless the e-mail comes from a trusted source.

The FTC also said consumers have viewed its online "How Not to Get Hooked by Phishing Scams" tutorial more than a half-million times since it went online last June.

© 2005 TechNews.com