Investigators have even seen phishers advertise "work at home" scams that ask home computer users to conceal the phishers' locations by forwarding money, stolen goods or Internet traffic to other countries, said Kevin E. Leininger, president of ICG Inc., a Princeton, N.J., company that helps companies track down cyber-criminals.
Leininger said phishing poses a formidable challenge to law enforcement because it makes lucrative, coordinated, large-scale fraud appear to local investigators as small-time, disconnected cases of online thievery.
Transcript: Brian Krebs hosted Dave Jevans, chairman of the Anti-Phishing Working Group.
Banking on Phishing
For their part, banks are pooling their resources. In September, members of the Financial Services Technology Consortium -- a group of banks, financial services firms, universities and government agencies -- began compiling a database of phishing sites that they plan to make accessible to banks and federal authorities.
The goal is to allow investigators to share intelligence and quickly determine whom to contact at various ISPs and law enforcement agencies, said Catherine A. Allen, chief executive of the Banking Information Technology Secretariat. BITS is a sister group of the Financial Services Roundtable, which represents 100 institutions that handle 70 percent of the economy's financial transactions. The group focuses on e-commerce, payments and emerging financial services technologies.
The database could help state and federal law enforcement initiate more investigations by linking geographically dispersed victims who lose money in the same scams. Federal authorities usually will prosecute a crime only if the victim loses more than $50,000, said Mark Rasch, a former prosecutor for the Justice Department's computer crimes and intellectual property section. In most cases, individual phishing victims lose far less than that.
A private-sector anti-phishing database would complement the hundreds of fraud cases reported each day, said Dan Larkin, head of the FBI's Internet Crime Complaint Center in Morgantown, W.Va.
"That's really the role of our facility here -- packaging those complaints up as quick as we can and marketing the cases to law enforcement across the country," Larkin said. "Unfortunately, the sophistication of these schemes is morphing constantly because the crooks are also sharing information on what works and what doesn't."
Only a handful of people have been convicted for taking part in phishing scams, but Larkin said that "a number of aggressive phishing investigations are underway."
In September, the Justice Department, FBI, state and local police departments, and private companies kicked off an operation called "Digital Phishnet" to identify and catch phishers. Taking part in that broad investigation locally is the Virginia Cyber-Crime Strike Force, which includes four full-time FBI agents, a Virginia State Police trooper, and two investigators from the office of state Attorney General Jerry W. Kilgore (D).
Several investigations have already yielded results. Among them: