Mystery still surrounds the identity of the perpetrator of a recent Yahoo credit-card scam, but a group of Net sleuths has tracked down a 13-year-old New Jersey boy who might be at the heart of the case.
In the Yahoo scam, users were informed by email that they had won a free US Robotics 56Kbps modem. All they had to do to claim it was reply with their credit-card number. Officials at Yahoo say "fewer than a hundred" people took the bait.
Then members of the inet-access mailing list received an identical message. They formed a posse that quickly detected the inet spammer's tracks.
"It wasn't just me, but I probably came up with the piece of it that made all the difference," said Chuck Mead, director of Internet operations at ci2.net and one of the trackers who exposed the scammer's identity.
Mead found the suspected perp through his repeated use of the same user ID, 'vrchvr' - homage to "Verse Chorus Verse," a Nirvana song.
"We could see that he likes that user ID 'vrchvr,'" Mead said. "And we knew also where it came from, because you could look at that email and see that he was coming in through monmouth.com."
The original spam sent last week claimed to be from Yahoo, and gave a return address of "contest_winner@yahoo.com." The newer spam listed the domain of the return address as "dark-empire.com." The email header showed that the message was actually sent from the account "db@tr-max-ppp36.monmouth.com."
Mead checked out the dark-empire.com Web site and found a manifesto, which said in part, "Welcome to Dark Empire, a group made to do mischief and anything else we feel like doing. God put us here for one sole reason, to have fun and do what we feel like. On the internet there are no rules, no laws.... Let me just say Warez, Carding, Shells, and Hacking are welcomed."
At the bottom of the page was a link to the author's email address, "vrchvr@usa.net." But viewing the HTML source of the page revealed even more - the author's apparent real name.
The page had been created with Netscape Gold, which automatically inserts certain information into seemingly invisible meta tags when you use it to create an HTML document. That information includes the author's name, which in this case had the same initials as the address from which the spam had been physically sent - DB.
Mead then checked monmouth.com for a user with those initials, and found one; in the HTML source of that Web page was the same real name. It turned out, Mead said, that this name corresponded all over the Net with the 'vrchvr' email address. The user's physical address was in Howell, New Jersey.
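Authoring-tool metadata of the kind described above is easy to audit in your own pages before they go live. The following is an added example, not part of the original article: it reports meta tags and mailto links that do not stand out in the rendered page but identify the author. The tag names it checks and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumption: the article does not list the exact tags the editor wrote;
# these are meta names that commonly carry author or tool information.
IDENTITY_META = {"author", "generator", "owner", "copyright", "reply-to"}


class IdentityLeakAuditor(HTMLParser):
    """Collects markup that names the author but is easy to overlook."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (kind, source line, value)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, not values.
        attrs = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "meta":
            name = attrs.get("name", "").strip().lower()
            content = attrs.get("content", "").strip()
            if name in IDENTITY_META and content:
                self.findings.append((f"meta:{name}", line, content))
        elif tag == "a":
            href = attrs.get("href", "").strip()
            if href.lower().startswith("mailto:"):
                # Drop any ?subject=... suffix, keep the address only.
                self.findings.append(("mailto", line, href[7:].split("?", 1)[0]))


def audit(html_text):
    """Return every identity-bearing item found in one HTML document."""
    auditor = IdentityLeakAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings


# Constructed sample page; the name, tool and address are placeholders.
SAMPLE = """<HTML>
<HEAD>
<META NAME="Author" CONTENT="Jane Q. Example">
<META NAME="GENERATOR" CONTENT="ExampleEditor/1.0">
</HEAD>
<BODY>
<A HREF="mailto:handle@example.net?subject=hi">Mail me</A>
</BODY>
</HTML>"""

if __name__ == "__main__":
    for kind, line, value in audit(SAMPLE):
        print(f"line {line}: {kind} = {value}")
```

Any finding that ties a page to a real name or a reused handle should be removed or replaced before the file is published.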
When notified of this user's illegal spam activity, both Monmouth Internet and Seagull Networks - host of the dark-empire.com Web site - immediately shut down the user's accounts.
"I pulled the plug on the site last night, after I started receiving email from people complaining that this guy was up to no good," said Paul Celestin, president of Celestin Company Inc., which operates Seagull Networks. "When I went to visit the site, I couldn't believe his 'manifesto' on doing basically anything he wanted to do on the Internet. That'll teach me to be more careful about checking customer sites every once in a while."
For their part, the parents of the boy said they were shocked to hear that their son was being implicated as the perpetrator of online credit-card fraud.
"My son is 13 years old," his mother said in an interview Thursday. "It looks like somebody is trying to get him involved in something."
Yahoo, meanwhile, is continuing its investigation, though it's unclear whether the mail sent to the inet list was simply a case of the New Jersey teen copying the Yahoo spam or if he was also behind the original.
"We've involved the appropriate authorities and are working with them regarding prosecuting this person. We're not disclosing where we are in that investigation, or what methods we're using," said Yahoo Mail's Katie Burke.