RealTime IT News

Twilight for the Phishermen

The Federal Trade Commission settled charges against two operators of copycat Web sites involved in "phishing" expeditions for consumers' confidential financial information.

The FTC charged Zachary Keith Hill and an unnamed minor with violating the FTC rule against unfair and deceptive practices and the Gramm-Leach-Bliley Act, which bars using false or fictitious statements to obtain consumers' financial information. The Department of Justice Criminal Division's Computer Crimes and Intellectual Property Section, the FBI's Washington Field Office, and the U.S. Attorney for the Eastern District of Virginia's Computer Hacking and Intellectual Property Squad teamed up with the FTC to bring the two to justice.

The defendants agreed to settle two separate FTC charges, with Hill also facing a possible 46-month jail term for related criminal charges filed by the U.S. Attorney General.

According to the FTC, the two con artists sent consumers e-mail messages purporting to be from AOL and PayPal, saying that there had been a problem with the billing of their accounts. The e-mail warned consumers that if they did not update their billing information, they risked losing their accounts.

In one scheme, recipients were asked to click on a link to connect to the "AOL Billing Center." When consumers clicked on the link, they landed on the phishing site: a Web page with AOL's logo, AOL's type style, AOL's colors, and links to real AOL Web pages. But the page funneled any information the user entered into the perps' database instead of AOL's. A similar scam used the hijacked identity of PayPal, the person-to-person payment platform owned by eBay.

Phishers often "flip" the personal information they obtain and resell it to other criminals, according to Bart Lazar, a partner in the law firm of Seyfarth Shaw, which specializes in the misuse of technology. Or they may use the credit card numbers to establish new lines of credit, which they quickly max out. "Credit card companies are eager to let you pay off other companies' credit cards or transfer balances," he said.

Phishers are remarkably hard to trace, Lazar continued. "They utilize their own fake names, anonymous service providers, and some go outside the United States," he said. Phishers rapidly switch computers, IP addresses and locations, and they take advantage of unprotected access points on the Internet. Investigators must work with ISPs to laboriously search through records to narrow down suspects from lists of all users who were online at the time of the attack, he added.

Evidently, for these fraudsters, the crime of phishing did not pay. The $125,000 judgments levied individually were stayed after the feds saw from the defendants' financial records that they didn't have the money.