Enforcement takes the fight to the phishers


Hi, I’m Aaron Kornblum, Internet Safety Enforcement Attorney at Microsoft, and a member of Microsoft’s global team committed to helping fight cybercrime and protect our customers while they are online.  As a parent, former Air Force prosecutor and civil litigator, and now in-house corporate counsel focused on Internet Safety, I am increasingly concerned by the proliferation of cybercrime and, in particular, online fraud such as phishing.  My IE colleagues have invited me to share with you the news of a milestone just reached in Microsoft’s Global Phishing Enforcement Initiative (GPEI): the sentencing of a convicted phisher to 21 months’ imprisonment and $57,000.00 restitution to victims in a federal prosecution directly supported by Microsoft.

First and foremost, I want to note that enforcement actions by government agencies and private companies are not a stand-alone solution to cybercrime.  A comprehensive approach is essential.  As you know, new technologies designed to halt online fraud – such as the Phishing Filter for IE and email authentication like Sender ID – are critically important to halting the spread of online threats.  Similarly, educating consumers about the dangers of phishing, spyware, etc., is also a key strategy.

However, Microsoft also believes it is crucial to help identify and pursue the persons responsible for actually hitting the “send” button to launch spam, phishing attacks, and other cybercrimes.  Microsoft’s Internet Safety Enforcement Team – a worldwide group of 65 attorneys, investigators, and other professionals – spearheads such investigations and legal enforcement actions, partners with law enforcement, and helps to deter would-be online criminals by growing public awareness of enforcement initiatives.  To date Microsoft has supported hundreds of enforcement actions worldwide against botnet operators, phishers, spammers, and spyware distributors, and partnered with government enforcement agencies with tools, training, and technical support.

In this regard, I’m reporting a significant sentence handed down by a U.S. federal judge to the first global phisher investigated by Microsoft and referred to federal authorities for prosecution.  The defendant in this case, Mr. Jayson Harris, 23, of Davenport, Iowa, was sentenced to 21 months imprisonment to be followed by a term of three years supervised release on each of two counts stemming from his earlier guilty plea to wire fraud and fraud and related activity in connection with access devices.  The judge further ordered Harris to pay restitution in the amount of $57,294.07 and to pay a $200 assessment to the crime victims fund.

From January 2003 to June 2004, Mr. Harris operated a phishing scheme by creating a bogus MSN billing website and then sending e-mails to MSN customers requesting that they visit the website and update their accounts by providing credit card account numbers and other personal information.  Mr. Harris provided a false incentive to these MSN customers that by using his (fake MSN) website, the customer would receive a 50% credit towards their next monthly bill from MSN.  The spoofed website transmitted victim data to an email account controlled by Mr. Harris.

Microsoft’s Internet Safety Enforcement Team tracked Harris across the Internet, pursuing a variety of leads in North America and Europe, and uncovered this scheme, ultimately referring the matter to the Federal Bureau of Investigation (FBI) for investigation.  FBI agents executed a search warrant at Mr. Harris’s residence and found evidence of the phishing scam on the computers there.  The investigation was conducted by the FBI and the Davenport Police Department with the assistance of Microsoft.

This case is just part of Microsoft’s Global Phishing Enforcement Initiative (GPEI), a global campaign targeting phishers across three primary areas:  Protecting Microsoft brands and domains online, Partnerships with government and industry, and Prosecuting worldwide investigations.

Importantly, I think that the Harris case clearly illustrates the value of public-private partnerships in pursuing cybercriminals such as phishers.  In fact, I’m writing this blog post from Bangkok, Thailand, where I am joining representatives of the U.S. Secret Service and other leading technology companies to speak with prosecutors from across Asia about the importance of such partnerships to achieve greater impact in the fight against cybercrime.  Microsoft will continue to collaborate with law enforcement authorities worldwide to help protect people from cybercrime.  We hope this sentencing will help to keep our customers safe online and have a deterrent effect on phishers and would-be phishers who consider profiting in this way.

AK

Comments (38)

  1. Anonymous says:

    Sounds good to me.  I think that for a long time the prevalence of these crimes has been due to the seemingly low risk of being caught.  But I’m glad someone is being proactive in putting a stop to this.

    Steve

  2. Anonymous says:

    Well at least no one can say "screw the fines, they should’ve put the spammer in jail!!1".

    I just hope he doesn’t get a PC in his cell…

  3. Anonymous says:

    The world of technology is definitely changing! I just read a new post from an attorney working for Microsoft about Microsoft’s Global Phishing Enforcement Initiative.

  4. Anonymous says:

    At the Microsoft IEBlog – Enforcement takes the fight to the phishers:
    Hi, I’m Aaron Kornblum, Internet Safety Enforcement Attorney at Microsoft, and a member of Microsoft’s global team committed to help fight cybercrime and protect

  5. Anonymous says:

    You can waste your time by protecting all your creations. I’m an attorney too; my position is: knowledge is not a fact of money, but well a matter of sharing

    Rats !

    PS: Well written article but its role is only to let us know that things will become AGAIN more complicated. Strange isn’t it ? Normally people at Microsoft aren’t supposed to do the contrary ? … was just wondering …

  6. Anonymous says:

    The bulk of online fraud comes from countries like Nigeria where the governments are not cooperative with outside law enforcement, given that online crime is a major component of their country’s economy. Litigation can only scare away some people from cybercrime, but you’re only scratching the surface. A technological solution is the only solution – and that means gutting our current e-mail system, and an implementation of site authentication (what https/SSL tries to accomplish) that actually helps users identify the web sites they want to go to. Phishing sites should be blocked at the local ISP level, rather than having a central system for which my browser needs to submit every address I go to, to determine if it’s fraud. Lawsuits are not going to solve this problem long-term.

  7. jvierra says:

    Great initiative.  Phishing is the biggest threat to a successful public Internet that has come along.  It has the ability to destabilize all elements of our economy as well as doing damage to unwary users who should not have to be challenged in this way.

  8. Anonymous says:

    Now we have a LAWYER here (oh frabjous day) how about blogging about antitrust issues and Internet Explorer?

    You know, Netscape engineers are weenies? Bill’s pathetic lies and rocking in the chair? The character assassination of Judge Jackson?

    How about addressing the fact that Microsoft is a deeply criminal monopoly abusing enterprise?

    Everyone who works on IE is tainted. You can bury your heads in the sand if you like, but it is unethical to be "just doing your job" and ignore the illegal actions of your employer.

  9. Anonymous says:

    I know this is off-topic and a little pedantic, but there’s no recent standards-compliance post for me to post this on. So, here goes:

    In 1998, a Microsoft W3C representative wrote:

    "Microsoft has a deep commitment to working with the W3C on HTML and CSS. We have the first commercial implementation of HTML4, we were the first vendor anywhere to implement even portions of CSS, and we have put a tremendous amount of energy into seeing CSS mature to Level 2. We are still committed to complete implementations of the Recommendations of the W3C in this area (CSS and HTML and the DOM)."

    It’s now eight years later, and I think we’ve sufficiently shown that Microsoft has very little commitment to standards beyond what is required to make their browser barely functional. Beyond that, Microsoft has no vested interest in supporting web standards and improving their users’ experience.

    Håkon Wium Lie, in a recent Ask Slashdot feature, had this to say about Microsoft and IE:

    "It’s quite clear that Microsoft has the resources and talent to support CSS2 fully in IE and that plenty of people have reminded them why this is important. So, why don’t they do it? The fundamental reason, I believe, is that standards don’t benefit monopolists. Accepted, well-functioning, standards lower the barrier of entry to a market, and is therefore a threat to a monopolist.

    From that perspective, it makes sense to leave CSS2 half-implemented. You can claim support (and many journalists will believe you), and you also ensure that no-one can use the unimplemented (or worse: buggily implemented) features of the standard. The only way to change the equation is to remind Microsoft how embarrassing it is to offer a sub-standard browser. And to use better browsers.

    Another reason for not making IE too good is that it will compete with Windows. A modern browser is an application platform; the combination of HTML, JavaScript, CSS and DOM allows developers to target the web instead of Windows, Linux, or Mac."

    (Disclaimer: Håkon works for Opera, whose Opera 9.0 browser beats the pants off of IE seven ways to Sunday.)

    Food for thought, anyways.

    We now return to our regularly scheduled anti-phishing talk; phishing that, which I might add, is elementary to do on a modern Windows XP machine with Internet Explorer. The same goes for spam zombie machines.

    Am I bitter because I’ve been fighting IE6 bugs for the past 10 hours? Slightly.

  10. Daljon says:

    Reply to Tyson: don’t use it then, there are other alternatives.

  11. Daljon says:

    Great article Kornblum. Keep up the good work and thanks for the efforts. Sincerely

  12. Anonymous says:

    @Daljon: Tell that to 70% of the internet. That’s my gripe. That, thanks to Microsoft making IE6 the default browser on its operating systems, has made progressing web sites beyond where they’ve been stuck for years a virtual impossibility.

    Like Meatball mentioned: Remember any "antitrust" lawsuits? *cough*

  13. Anonymous says:

    A lot of people can protect themselves just by forwarding any emails like this to MSN’s spoof department, and if it’s real then they’ll inform you.. so far with all the dealings I had with emails like this, they’ve all been fake, so just delete it..I do..

  14. Anonymous says:

    "How about addressing the fact that Microsoft is a deeply criminal monopoly abusing enterprise?"

    Meatball, I don’t remember the Government breaking up Microsoft. Might have something to do with the fact they’re not technically a monopoly. The anti-trust charges stuck, but the monopoly one was overturned, if I recall.

    I don’t consider improving IE6 to be "abusing a monopoly". Go cry somewhere else.

  15. Anonymous says:

    "How about addressing the fact that Microsoft is a deeply criminal monopoly abusing enterprise?"

    If you feel that way, seek counsel and begin a class action lawsuit against MS. That is perfectly within your rights to do so. The fact that you haven’t done so suggests that your claims are baseless and amount to nothing more than speculation and libel. If you don’t like Microsoft, don’t use their products (that’s an option you have because Microsoft is NOT a monopoly). I have a Mac machine that does not run a single Microsoft product. I have 3 Linux machines that do not run a single Microsoft product. I have 2 Solaris machines that do not run a single Microsoft product… I ask you, how am I able to do this if Microsoft is a "deeply criminal monopoly"? Seems there are other companies that are alive and well in the software industry. Perhaps Microsoft products are so widely used because they are better. As a software developer for 6 years, I can say there is no better IDE than Visual Studio, it blows the competition away. I’ve used other products, and I’ve decided VS.NET is superior. I’ve tried other OSes, I prefer Windows, hence that’s why I use it as my normal desktop OS. I’ve run Firefox, Opera, Netscape, and a host of other less-known browsers, and I still decided to use IE. It’s not because MS forced these products on me, the existence of several other products, some from very large companies (If you want to claim Microsoft is a monopoly, you could easily make the same claim against Sun Microsystems)…

    As I said, if you honestly believe Microsoft is breaking the law, it is your right, and indeed your duty to do something about it other than come here and complain. Again I say, the fact that you have not done so is just evidence that your claims are fraudulent.

  16. Anonymous says:

    I,

    I totally agree with you, and we will have to fight together against the cyber crime by setting a new internet crypted = IPV7

  17. Anonymous says:

    I WAS TELLING YOU THAT THE CYBER CRIME HAS TO BE STOPPED;

    and the only way to stop it is to set up a new IPV7 WEB

    THANKS A LOT

  18. Anonymous says:

    To codemaster: do u have the $$$$$$

    To Tyson: MOZILLA FIREFOX!!

    To all others: Microsoft is an abusing, thieving, idea snatching, monopolising, money hungry criminal! They smash and beat other companies because they have been allowed to get away with it.

    As Bill Gates once said, "We were here first."

  19. Anonymous says:

    What about phishing messages in Outlook?  They need to be curbed too.  How about letting users enter the names of financial institutions with which they have accounts (perhaps in Microsoft Passport), so that any message from a financial institution that is not on the list would automatically be marked as Junk Email.  That wouldn’t get them all, but it would certainly cut down the amount.

  20. jajoehl says:

    I think this is a very fair punishment. Not too long ago I took it upon myself to unsubscribe from a technology-related email listserv I was on, for a very similar reason. Someone had taken it upon themselves to write a string of characters that when sent via email, somehow caused a certain speech synthesizer to crash. I was unfortunately one of these victims. I have the speech synthesizer in question set as my default speech synthesizer, and whenever my email would encounter this certain string of characters my speech would stop immediately and I had to restart my computer. Up until very recently there were two fixes for this problem. Those of us using the suspect speech synthesizer could either switch to a different speech synthesizer, or we could add the character string to the JAWS Dictionary Manager. Choosing the latter route resulted in a sound being played such as a buzzer when our email programs encountered that string. Freedom Scientific, makers of the JAWS screen reader, have since fixed this problem in updates to the screenreader, so JAWS users such as myself no longer have to worry about it.

  21. Anonymous says:

    All of this constant griping about Microsoft… If you all hate it so much start using Linux, Firefox, etc.

  22. Anonymous says:

    Really, we need some way to verify all websites that people go to on a regular basis and have personally identifiable information on them (banking and commerce sites most notably).

    Also, Microsoft is doing the right thing by helping the government go after the phishers themselves.

    The way to stop spam e-mail, as the one poster says, is to have some sort of Sender ID on the e-mails. Now, people are going to say that it is going to be hard to make a Sender ID, but it really wouldn’t be. Just type in a random set of letters, it turns that into a Sender ID and BOOM! You’re done.

    That’s how Sender ID should work.

  23. Anonymous says:

    I really hope IE7 will conform to some set of standards (W3C?) and not be pulled out of Microsoft’s butt.

  24. Anonymous says:

    I am glad that this is finally happening, I have been forwarded sites when friends who were looking to buy things that were priced too good to be true, then found the domains whois to be in Hong Kong with a payment processor in Europe with the contact information going somewhere else – just to find out that they were phishing for card numbers that way… it’s made me trust all web sites less, and negatively affected what would otherwise be an enjoyable on line experience.

  25. Anonymous says:

    @you really think i put my name in comment boxes

    We all know of Microsoft’s standards issues, so if you’re going to comment, be specific. In this case it’s a post concerning phishing, so please be specific in which w3c phishing standards IE needs to conform to.

  26. Anonymous says:

    Microsoft is one of the few, if not the only, company on the planet trying to tackle the problem of internet crime not only from a technological stand point but also from a legal standpoint.  Yet all some of you can say is "MS is an illegal monopolist and is evil!" or "MS destroyed Judge Jackson’s credibility!".

    What has opensource done about internet crime lately?

    What has Apple done?

    James

  27. Anonymous says:

    Since yesterday, when I go to my "secure sign-in" for my msn hotmail, I instead get a url up top saying ‘cmsn.’ and a warning box that it is an unknown site.  I say "no" to opening (otherwise, it looks just like the msn.sign-in, and I get the usual Looong msn address.  What’s happening? What is cmsn, and why is it spoofing msn?  I searched my files for ‘spoof’ and have many, also cmsn files, but am too dumb to know which ones to delete and too poor to pay (yet again) to have this new computer cleaned.

  28. Anonymous says:

    I believe that enforcement of activities that result in fraud should be punished accordingly. In this case, MSN was the target of a scheme and Microsoft’s customers lost thousands if not millions of dollars. Although I doubt Microsoft lost any income in this scheme, it is important to note two things. One, that Microsoft charges individuals with fraud when their customers are affected by phishing affecting their customers and two, Microsoft takes steps to ensure phishing is made tougher to accomplish on its operating systems and browser products. Phishing doesn’t usually affect the bottom line of Microsoft, but rather the users of Microsoft’s products. Hence, I feel that although Microsoft is not directly responsible for phishing, Microsoft should provide additional safety for its customers. Perhaps instead of a blog, protection in the form of a certificate with a unique algorithm to communicate with the browser informing consumers that the billing request is legitimate so phishing billing incidents are prevented rather than users experiencing fraud requiring enforcement?

  29. Anonymous says:

    J. Jones:  This is not a general support site for Internet Explorer. You’ll do better by posting in the Internet Explorer newsgroup (Microsoft.Public.InternetExplorer.General or .Security).

  30. Anonymous says:

    This is a good start but the only reason this person was brought to justice was because the phishing target was MSN subscribers and Microsoft with its almost infinite resources was able to track down the culprit and deliver him to the FBI with a big bow tied around his neck.

    Clearly this shows that our government in and of itself is neither willing nor able to devote the kind of resources that would be necessary to bring these criminals to justice.

    I guess it’s just a matter of priorities.

    Also, before I make this last point let me assure you that I have never sent spam or unsolicited email in my life and I, like everyone, have my inbox filled with spam every day but I have to take issue with calling spammers criminals.  Is it a crime to send junk mail through the US post office?  Surely this has more of a tangible effect on people.  Whether it’s the Post Office employees who have to handle it, or the people who have to sift through it in their mail in order to find the items that they really want. Or do you think it’s more disruptive and time consuming to have to hit the delete button?  I don’t think so.

    Do you know what the difference is?

    Do you?

    It’s that for every piece of junk mail that is sent, the government gets paid in postage.

    Again, I guess it’s just a matter of priorities.

  31. Anonymous says:

    Sounds good to me. But I’m glad someone is being proactive in putting a stop to this…

  32. moonwalker says:

    Hi,

    I am developing a program in VB6 that uses the IE6/7 web browser control. I use the status bar as a way to communicate between dynamically created content displayed in the embedded browser and the rest of my app. I think it is wrong for IE7 to outright disable scripting of the status bar messages by the default security settings.

    VB6 programs should be able to receive StatusTextChange events from custom javascript window.status messages on content hosted in the IE7 browser control. That is how it was in IE6.

    Why not just make the visual status bar in IE7 hide "DISPLAY" of scripted status bar messages in order to discourage phishing for the default.

    I only need the scripted status message to hit the browser control’s StatusTextChange event…I do not care how long the message is displayed or if it is shown at all!