John Porter is like an internet Batman. After receiving a phishing email supposedly from Bank of America, John decided to investigate. The phisher’s trail eventually led John to a hijacked zombie PC in Canada. There he found the phisher’s data files—addresses, logins, social security numbers and other sensitive information belonging to dozens of victims. What should John do? From an email John sent the Privacy Rights Clearing House:

“So that left me in a moral dilemma. In effect, I was witnessing some bad stuff happening in real time. …. What to do? I downloaded the latest version of the harvested data and pondered.

I had already alerted BofA and the owners of the domains. The harvested data file contained no email addresses, so I couldn’t alert the people downloading data by email. I couldn’t delete or alter the source files or the data file.

I finally decided to simply write letters to all the people who had been duped into entering their street address, informing them of the scam and advising them to do all the sensible things necessary after your identity has been stolen.”

The phishers had successfully harvested information from 40 people in three days, so John has his work cut out for him. As recently as 2/7/07 John followed the trail of an Ebay phishing email and found over 100 logins and passwords. John has written a report of his findings, which is available on his website. If you suspect that you may have fallen for a phishing email, take ID theft measures immediately. The FTC has information about what to do. As for John, we hope he keeps up the good work, but it’s too large a task for one vigilante hero. Help him out by not biting the end of the phisher’s line.—MEGHANN MARCO

A Cautionary Phish Tale [via CL&P]

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.