The United States Attorney’s Office in Iowa yesterday said that Jayson Harris, 23, of Davenport, Iowa, pled guilty on Dec. 30 to computer fraud charges arising from a phishing scheme conducted from January 2003 through June 2004 on Microsoft's MSN Internet service.
"This was a phishing attack that targeted MSN customers with a fake MSN billing E-mail and advised them that they needed to update their information, their credit card number, in order to continue to enjoy their MSN experience and keep their account active," says Aaron Kornblum, Microsoft’s Internet Safety Enforcement Attorney.
The phishing E-mail falsely claimed that MSN customers would receive a 50% credit toward their next bill.
Kornblum says the scheme was fairly sophisticated and involved Web hosts in California and Austria, and an Internet-service provider in India. The investigation began in September 2003 when a woman forwarded one of Harris' phishing messages to her son-in-law, a Microsoft employee. A month later, Microsoft filed a civil suit against Harris.
"After we did some initial investigation here, we were able to file a civil lawsuit and through the issuance of subpoenas learn quite a bit about who was responsible, and then transmitted all of this information to the FBI for pursuit and follow-through," Kornblum explains. "I think that the guilty plea is evidence of the strength of the government's case against Mr. Harris and demonstrates the government's commitment to aggressively pursue these cases."
According to Kornblum, this was the first phishing case Microsoft pursued. Since then, the company's Internet Safety Enforcement team, made up of 65 people worldwide, has filed 121 phishing-related lawsuits.
The scheme, which duped between 50 and 250 victims, netted Harris about $57,000. But between the fraud and wire fraud charges, it could cost him substantially more than that.
For wire fraud, Harris faces not more than 20 years' imprisonment, a fine of not more than $250,000, or both. If the crime affected a financial institution, he could face up to 30 years' imprisonment, a fine of not more than $1,000,000, or both. Finally, the fraud charge could result in up to 10 years' imprisonment, a fine of not more than $250,000, or both.
A court sentencing conference is currently scheduled for March 30.