Vigilante Hero Downloads Phisher's Data Files and Informs Victims Via US Mail

John Porter is like an internet Batman. After receiving a phishing email supposedly from Bank of America, John decided to investigate. The phisher’s trail eventually led John to a hijacked zombie PC in Canada. There he found the phisher’s data files—addresses, logins, social security numbers and other sensitive information belonging to dozens of victims. What should John do? From an email John sent the Privacy Rights Clearing House:

“So that left me in a moral dilemma. In effect, I was witnessing some bad stuff happening in real time. …. What to do? I downloaded the latest version of the harvested data and pondered.

I had already alerted BofA and the owners of the domains. The harvested data file contained no email addresses, so I couldn’t alert the people downloading data by email. I couldn’t delete or alter the source files or the data file.

I finally decided to simply write letters to all the people who had been duped into entering their street address, informing them of the scam and advising them to do all the sensible things necessary after your identity has been stolen.”

The phishers had successfully harvested information from 40 people in three days, so John has his work cut out for him. As recently as 2/7/07 John followed the trail of an Ebay phishing email and found over 100 logins and passwords. John has written a report of his findings, which is available on his website. If you suspect that you may have fallen for a phishing email, take ID theft measures immediately. The FTC has information about what to do. As for John, we hope he keeps up the good work, but it’s too large a task for one vigilante hero. Help him out by not biting the end of the phisher’s line.—MEGHANN MARCO

A Cautionary Phish Tale [via CL&P]

Comments

Edit Your Comment

  1. bluegus32 says:

    Truly a heartwarming story. Course, the sad thing is that the phisher is not caught. How sad that people still get caught up in this scam.

  2. Scazza says:

    Incredibly honorable. In an age of internet retardism and constant threats to security, it is fantastic to hear of someone to not only try to be helpful, but go the extra mile and write to the victims physically. Awesome.

  3. pestie says:

    In the spirit of “no good deed goes unpunished,” I give this a week before some prosecutor decides to go after this guy for some technical violation of the law, like being in possession of stolen identity information or “hacking” an already-compromised PC to get the information. Seriously, if I were in his position, I’d almost certainly have kept my mouth shut, or at most notified these people anonymously.

  4. Thats why Bruce Wayne had to keep his Batman persona anon. So the police wouldnt rough him up for breaking the law.

  5. kimli says:

    My hero! Someone should give him a medal (and immunity from prosecution). I can only hope that the geniuses who fell for the spoof emails appreciate what he’s doing for them.

  6. Grrrrrrr, now with two buns made of bacon. says:

    John, I’m writing you in for the next president.

  7. BotchedJoke says:

    John, you are one good soul!

  8. chameleonz says:

    Good man.
    Please educate more people about this.
    I received a few of these BoA emails and contacted the bank via email and phone so far no response.

  9. Cal says:

    It sounds like he’s writing the addresses in by hand. What ever happened to mail merge?

  10. Kryndis says:

    This reminds me of the Identity Angel program I read about a while back. Basically it was supposed to be a server that would automatically sift through the WWW looking for personal information. When it gathered enough on a single person to make ID theft possible it would contact them with a warning that they were in danger. Haven’t heard anything about it for a while now though, I hope it’s still being developed. (Not sure if linking is allowed here so I’ll just say to do a Google search for “Identity Angel” and the first link is a short abstract on the idea.)

    Also, I hate to say it but John has almost certainly broken the law. The law prevents you from using someone else’s computer resources without their knowledge and permission, even if those resources are openly available. I realize that may sound silly at first given the guy’s computer had already been compromised, but keep in mind these are the same laws that protect you from your moronic neighbor who uses your unprotected wireless connection to commit illegal acts.

    Lastly, while I know it’s popular to side with the vigilante on these sorts of things, vigilantism rarely works outside of westerns and comic books. In the real world of our modern legal system it makes prosecution much more difficult. In this case it looks like his snooping around clued the hacker into the fact that he had been compromised and he covered his tracks and left. That’s why we’re seeing some hacker’s signature instead of a 404 error page that would indicate the computer’s been isolated and is being investigated.

    The proper course of action here would have been to go as far as the phisher login page. Don’t go snooping as it will show up in the web server’s logs. Notify both the FBI and the police department with jurisdiction over the zombie PC of all the information you know. The FBI could have had the PC in Philadelphia at the beginning of the script chain taken down (effectively blocking further access by potential victims), while the Canadian police could have done the same to the PC running the data collection site (at the same time isolating it to preserve any evidence). And both of these organizations work weekends. I know John had good intentions and was trying to do what he thought was right, but you know what they say about a certain road and its paving materials.

  11. shoegazer says:

    Well, he did notify BofA both on their website and their email hotlines. I applaud this man for taking the time to personally contact the victims, even though he didn’t need to.

    I’m sure contacting the FBI / police would have been fine in HollywoodHackerLand where police and law enforcement’s TOP PRIORITY is catching these devious cybercrookz. But in real life? I’m sure the phisher would have already compromised several more accounts and nuked a few credit histories by the time the FBI get off their ass. Note his timestamps showed 43 accounts compromised in just 48 hours. Also who’s to say they won’t go arrest John anyway if they found a dry trail?

    Yes he’s broken the law, and maybe there’s a little ego involved in him putting up the site, but he’s still done something good, and perhaps even saved a few people’s (fiscal) lives.

  12. kimsama says:

    Contacting the police or other authorities would have probably done nothing in this case, anyway. I agree with Shoegazer — by the time they did anything, it would have been an exercise in futility.

    And I’m not sure that what John did should be illegal — after all, he functioned as a sort of eyewitness to the crime; yes, he did some tracking and saw who’s identity was compromised, but isn’t that analogous to, say, being an eyewitness to, say, shoplifting? If you see it happening, and confirm the perpetrator’s trail before you tell the victim (shop), is that a crime? How is just being able to look this stuff up online a crime? Bad analogy, I know, but maybe our antiquated laws can’t apply to this new type of crime (I know our antiquated authorities can’t).

  13. The Bigger Unit says:

    I’m sorry, but when will people stop clicking on phishing emails? People HAVE to learn to go to *directly* to the website if something has been “compromised” (i.e. PayPal or banking account).

    (1) These companies won’t ask you to login via email
    (2) Login via the actual website, not some link in an email
    (3) Secure websites will have ‘https://’ in the address

    Just knowing those two small things could save a lot of people! I realize I sound unsympathetic, but people need to learn these basic things if they’re going to use the internet for any type of commerce.

  14. Pelagius says:

    Another nominee for Consumerist Hero of the Year!

  15. mrwilson says:

    Just a quick note about the people who are (still) fooled by phishing emails like this. First, The Nature Boy’s comment – that if you’re going to use the internet, you really need to learn how not to fall prey to a basic phishing scam – is undeniable. But it is easy for people of a particular demographic – the one that I’d bet money most of us reading the Consumerist share – to say that. For those of us in that demographic – under 35, say, and who use the internet all the time, for our jobs, for shopping, for communicating, etc., and who have been doing so for a long time, we’ve picked up lots of internet knowledge over the years that now seems to us to be completely obvious – so obvious that we sometimes assert that anyone without such knowledge is an idiot.

    But these people aren’t idiots, at least not most of them, which is part of John Porter’s point – that the people who were fooled here seemed to him to be completely normal, not at all some sort of stereotypical toothless halfwit yokel types that some of us might expect the victims of such a scam to be. They are simply (most likely) inexperienced in using the internet. But because the internet is becoming more and more indispensible to more and more aspects of life – including banking, as here – inexperienced persons continue to be added to the number of those who use it.

    So reasonably intelligent, normal, but inexperienced people continue to be taken in by scams like this. Certainly it is the job of every consumer to make himself or herself aware of these issues, but I would think that online commerce sites like banks might want to take an even more active role in trying to assist their customers in avoiding things like this.

  16. popeye_doyle says:

    If he can do this, why don’t BofA, paypal, etc., do it for their customers who are constantly being fished?

  17. ManiacDan says:

    I have been in the same position as John before, and I have to say: I would never contact any compromised people again. I found a phishing email in my inbox one day. Being bored, and being still in college, I managed to track down the file with all the compromised data in it. Credit card numbers, home addresses and phone numbers, and email addresses.

    My first step was to track down the culprits. Through a variety of reverse-lookups and a couple lucky breaks, I managed to identify the name and home address of a man in Russia whom I was 95% certain was behind the attacks. I contacted the US FBI, my state attorney general, and the digital crimes division of Homeland Security (or whatever it was called at the time). No one seemed to care except for the Swedish ISP he was using to steal the numbers. Despite the language barrier and the fact that it was 3:30 in the morning in Sweden, the admin of that server responded in less than 45 minutes and had shut down the phishing server. The various government bodies I contacted never got back to me.

    I composed a very well thought-out email warning the people that their data has been compromised. I told them the steps to take to protect their identity, and even how to recognize phishing attempts in the future. Roughly 60% of the people I contacted responded by accusing me of stealing their identity. I was also visited by a number of federal agents investigating my theft of their data. Once I informed them that I did not, in fact, steal the data and I was not in possession of any data, they left. I tried to get them to stay, since I had the street address of the true criminal. Since he was in another country, they didn’t seem to care.

    Anyway, my recommendation to everyone is, don’t tell anyone when you discover this kind of information. Search it real quick for yourself, your family, and your friends, then leave it alone. The mere DISCOVERY of information like this is technically illegal, so don’t tell anyone you’ve done it. It’s a sad thing to do, but other people spending 100+ hours fixing their credit is better than me spending 10+ years in jail for trying to help.