The white knight of phish-busting

Gary Warner corrals private citizens, law enforcement to take down phishing sites

Until just a few months ago, Gary Warner did not have the kind of day job you'd expect from an antiphishing crusader. He didn't work for a security vendor or a bank, or any kind of company you'd expect to care about phishing.

Warner's career as a cyber-sleuth began on Halloween 2000. That's when his company's Web site was defaced by a hacker named Pimpshiz as part of a pro-Napster Internet graffiti campaign.

"My boss came to me and said, 'Find out who did this and put them in jail,'" said Warner, who was at the time an IT staffer with Energen, a Birmingham, Alabama oil and gas company.

It was an eye-opening experience. "I called the police and they were like, 'What do you want us to do?'" he said.

Months later, when Pimpshiz struck servers at NASA, Warner reached out, calling staff there and saying "Hey, we know who this guy is. Here's his name and address."

Since then, Warner has quietly become one of the most-respected authorities on phishing in the U.S. -- the kind of guy that federal agents and banking IT staff call when they want to know how to catch the bad guys and shut down their credit-card-stealing Web sites.

With Warner's help, authorities eventually arrested Pimpshiz, whose real name is Robert Lyttle, in connection with the hacks.

Fishing for Phishers

Warner said that the Pimpshiz case was formative, underlining how hard it is for law enforcement to catch the bad guys on the Internet.

"The experience showed me that it's not that they don't care," Warner said. "Their hands are tied by the legal process."

Soon, Warner found himself spending dozens of hours each week compiling data on spammers and phishing attacks. "I would sit for a couple of hours every morning and find all the new phishing sites that I could," he said.

He'd take screenshots of the sites, e-mail the Webmasters who were hosting them and ask them for Web logs, and eventually he started making connections -- he'd connect one phishing group with several different attacks -- and learn who he needed to call to get Web sites removed, no matter where in the world they were hosted.

He'd get calls from IT staff at small credit unions asking for help taking down fraudulent sites, every day, all day long. It was cutting in on his work. Late last year, he decided to make a change. "I went to my boss and told him that I'm going to look for a way to do this full time."

Helping the Feds Crack Down on Online Fraud

In July, with recommendations from FBI and Secret Service agents, Warner took a job as Director of Research in Computer Forensics with the University of Alabama at Birmingham (UAB).

He also began working with law enforcement, not only educating FBI and Secret Service agents on how crimes were committed, but also helping to track down the criminals and helping with take-downs.

"He's an outstanding resource for the FBI," said Dale Miskell, supervisory special agent with the FBI's Birmingham Cyber Crime unit, who has worked with Warner since 2005.

Miskell said Warner has helped the FBI with investigations and taught staff about his antiphishing techniques.

"He could be a multimillionare by his skillsets... he's a very gifted speaker, he can talk to the techies, and then he can turn around and talk to the non-techies and everyone will understand."

Warner is now focusing on fighting cyber-crime full-time and on training a new generation of network forensics investigators. "You wouldn't believe the looks on their eyes the first time they got an e-mail back from a Webmaster saying, 'Thanks for letting me know. I just shut that down.'"

When he spoke with IDG News, it was five days after final exams at the University of Alabama at Birmingham and though it would have no effect on their marks, four students were still coming into the labs to help shut down phishers.

"That idea that as a private citizen, you can help, that's the kind of thing we're trying to inspire," he said.

The Future of Phish-busting

At the University, Warner is building up a 256-node supercomputer which could eventually become the largest collection of spam email on the planet, processing as many as 100 million email messages per day and providing researchers and law enforcement with valuable analysis data.

For Warner, the work isn't so much a job, as it is his moral responsibility as a computer scientist. "One of the things that really bothered me from the very beginning was people who were using my field to attack other people," he said. "The way I see it, this is our Internet. I'm going to stand at the end of my driveway and protect what's mine."

He says that his anti-phishing work hardly feels like work at all. "This is what I like to do," he said. "It's cheaper than golf, and you can do it when the weather's bad."

What You Can Do to Protect Yourself

"The best people that help law enforcement have no motive other than to catch the bad guy," said one law enforcement official who declined to be identified because he hadn't been authorized to speak with the press.

But even if you're not a cyber sleuth, if you get hit by a computer criminal there are some things you can do to help police catch the criminal. What you should do depends a little bit on the crime. If you're the victim of identity theft, it's worth filing a report with state and local police so that you have a record of the crime.

That comes in handy later, in case you need to prove that it was the thief, and not you, that incurred any subsequent charges. Another good place to stop is the Federal Trade Commission (FTC) site, which has a variety of tools to help identity theft victims get organized and set their credit back on track. And if things get really bad, the Social Security Administration can help you, too. This site has instructions on how to report social security fraud and get a new social security number.

You can file a report with the FTC, but if you want your data to be used to catch the bad guys, the Internet Crime Complaint Center (IC3) is a better bet. Run in part by the FBI, the IC3 data is used regularly by law enforcement to link together large schemes. The more factual data you can report about your crime, the more useful it will be to police. Sometimes a single fax number or eBay ID can help crack open an entire case.

The FBI is most interested in crimes that involve malicious software, phishing, and child pornography. Spam and auction fraud get a lower priority and, worse, if you're the victim of an auction fraud, the odds of you ever getting your money back are very low.

Still, if you're rigorous about documenting the crime, and you fill out that IC3 complaint, you just may be helping to bring down your criminal -- some day.