Big Bait Sinks Alleged Phisher

By Joseph Menn

Aug. 25, 2005 12 AM PT

Times Staff Writer

Jayson Lucas Harris allegedly picked the wrong fight.

The 22-year-old Iowa man pleaded not guilty Wednesday to charges of scamming computer users with fake e-mail notices from Microsoft Corp. Authorities said his scheme backfired when the software powerhouse contributed the legal legwork that led to his arrest.

Harris was charged with 75 counts of wire fraud in a rare prosecution for such so-called phishing scams, which use fake e-mails to trick recipients into entering credit card numbers or other personal information.

Fewer than a dozen people are arrested annually in the U.S. for the increasingly sophisticated attacks, which target millions of Internet users weekly, said U.S. Atty. Matthew Whitaker, who is prosecuting the case.

For 1 1/2 years, Harris warned users of Microsoft’s MSN Internet access service that their billing data had been lost, according to an indictment unsealed Monday in Des Moines and related legal documents. The messages were addressed “Dear MSN Customer” and appeared to be from “billing@msn.com.”

A link in the e-mails took an unknown number of recipients to a fake Microsoft page, at which they were asked to reenter credit card and other information. One such e-mail went to the mother-in-law of a Microsoft employee, who passed it on to the Redmond, Wash.-based company’s lawyers.

“Upon seeing it, we wanted to jump on it,” said Tim Cranton, Microsoft’s director of Internet safety enforcement.

The company filed suit in October 2003 against a “John Doe,” a step that allowed it to subpoena identifying information from Internet service providers and companies hosting the website. The case was the first of more than 100 brought by Microsoft against suspected phishers.

Cranton said Microsoft’s efforts against Harris easily could have come up empty. Like criminal prosecutions, most phishing suits founder because perpetrators cloak their identities too well or because they live in countries where their conduct isn’t considered illegal or is a low priority for law enforcement.

Harris nearly escaped as well, Cranton said, because his electronic trail led to a service provider in Austria, which was under no obligation to help Microsoft. But it turned out that company was run by someone who hated phishers. He gave Microsoft customer data that included a U.S. connection.

When Microsoft caught up with Harris, he was living with his grandfather and working at a local Blockbuster video store.

“The amount of the losses is in the tens of thousands,” prosecutor Whitaker said.

A trial was set for October.

Harris’ public defender didn’t return a call seeking comment.