Washington ? The illicit haul arrived each day by e-mail, the personal details of computer users tricked by an Internet thief: a victim’s name, credit card number, date of birth, Social Security number, mother’s maiden name.

One more Internet “phishing” scam was operating. But this time, private sleuths soon were hot on the electronic trail of a thief whose online alias indicated an affinity for the dark side. The case moved ahead in part because of an underground tipster and the thief’s penchant for repeatedly using the same two passwords – “syerwerz” and “r00tm3.”

It offers an extraordinary glimpse behind an Internet fraud that targets the most trusting computer users.

“This is really lousy,” said Johan Fabris of Holmes, Pa. The 82-year-old grandmother had her online bank account hijacked. Her teenage grandson set up the account for her to sell hand-sewn doll clothes in Internet auctions.

“This was my first foray into the modern computer world,” Fabris said.

More than 14,000 schemes

In such phishing scams, victims are fooled by realistic-looking e-mails that appear to come from banks or other financial institutions. The urgent-looking messages direct recipients to verify their accounts by typing personal details – credit card information, for example – into a Web site disguised to appear legitimate.

Dan Clements, CEO of Cardcops.com, displays his company's Web site from his office in Los Angeles. CardCops monitors Internet chat rooms and other hacker communications for stolen credit card numbers, then notifies merchants and consumers to block bad purchases.

Despite warnings from the government, banks and security experts, consumers fall victim with disturbing frequency.

One industry organization, the Anti-Phishing Working Group, estimated that thieves collectively launch more than 14,000 such schemes monthly and that about 5 percent of computer users respond to the fraudulent messages.

“They make it look completely real,” said Jennifer Phillips, 25, of Martinsville, Ill. She was tricked into disclosing her card number, mother’s maiden name, bank routing number and more.

‘Den of treasure’

Internet sleuths from CardCops Inc. of Malibu, Calif., uncovered the latest plot.

A tipster pointed them to the thief’s e-mail account and gave up the thief’s favorite passwords, which the thief previously had shared with the informant, chief executive Dan Clements said.

CardCops monitors Internet chat rooms and other hacker communications for stolen credit card numbers, then notifies merchants and consumers to block bad purchases.

Clements said he logged into the thief’s account – despite concerns this could be illegal – and found what he described as a “den of treasure” for identity crooks.

Clements said he discovered copies of victims’ financial information plus tantalizing clues to the thief’s real identity. They included an invoice for two Gamecube video games purchased with a stolen credit card and delivered to a family’s home in Quebec, plus evidence the thief had tested his schemes using a high-speed Internet connection traced to a home computer in Canada.

“I’m so furious,” said Cindy Brenneke of Sunnyvale, Calif., whose Bank of America credit card was used to buy the games.

She had been similarly tricked into disclosing her card number. “It was total stupidity,” she said. Brenneke said roughly $4,000 in charges were run up within days of her mistake.

‘Self-help vigilantes’

The person listed on the invoice as receiving the games in Quebec denied any involvement in Internet fraud, telling The Associated Press in an interview he did nothing wrong.

But after the interview, the e-mail inbox used for the purchases was mysteriously emptied and the password changed, said Clements, who said he kept copies of everything he found.

The fraud illustrates the conflict between quickly warning potential victims and preserving evidence for police to investigate. Clements said he immediately notified each consumer whose information he found in the inbox and later reported the findings to police before the AP called the home in Quebec.

Clements said he was unconcerned about the legal risks of reading the thief’s e-mails, even though a former Justice Department lawyer said it could land Clements in trouble.

“Law enforcement can’t allow self-help vigilantes to go around and do this,” said Marc Zwillinger, a former cybercrimes prosecutor.

In the Canadian-based scheme, messages were routed through a computer in Macedonia. Official-looking e-mails were sent randomly on Aug. 23 directing computer users to visit a Web page and confirm details about their bank accounts. The counterfeit e-mails reassured would-be victims “this security measure will protect our customers from account thefts and any other fraudulent activities.”

But the Web page did not belong to any bank.

In Illinois, Jennifer Phillips canceled her compromised credit account and is now more suspicious. But she is under no illusion that what happened to her was an isolated case.

In the days after discovering she had been tricked, Phillips said she received two more e-mails pressing her to verify her bank account online.

This time, she deleted them.