Jeffrey Brett Goodin has become the first person convicted by a jury for launching a phishing attack aimed at America Online (AOL) users. He faces more than 100 years in prison following the decision under the CAN SPAM Act late last week in Los Angeles.
In addition to the CAN-SPAM Act charges, Goodin was found guilty of 10 other counts, including wire fraud, aiding and abetting the unauthorized use of a credit card, possession of more than 15 unauthorized credit cards, misuse of the AOL trademark, attempted witness harassment and failure to appear in court.
The jury found that Goodin operated an Internet-based scheme to trick people into believing they were providing information to a legitimate business.
The 45-year-old from Azusa, Calif., used several compromised Earthlink accounts to direct his attack at AOL users, sending them what appeared to be e-mails from AOL’s billing department. The e-mails told users they needed to update their accounts with personal and financial information in order to keep their accounts active.
Users were directed to Web sites controlled by Goodin, where they were asked to update their credit card information. Goodin used the card data they entered to make unauthorized charges against AOL users’ debit and credit cards.
The conviction is something of a victory for the CAN SPAM Act, which has been criticized as ineffective to stop the deluge of spam. Passed by Congress in 2003, the act established the first national standards for the sending of commercial e-mail. The law permits e-mail marketers to send unsolicited commercial e-mail as long as the message contains an opt-out mechanism, a functioning return e-mail address, a valid subject line indicating it is an advertisement and the legitimate physical address of the mailer.
Sentencing is scheduled for June 11.