The Federal Trade Commission settled charges against two operators of
copycat Web sites involved in “phishing” expeditions for consumers’
confidential financial information.
The FTC charged Zachary Keith Hill and an unnamed minor with violating the FTC rule against unfair
and deceptive practices and the Gramm-Leach-Bliley Act, which bars using
false or fictitious statements to obtain consumers’ financial information.
The Department of Justice Criminal Division’s Computer Crimes and
Intellectual Property Section, the FBI’s Washington
Field Office, and the U.S. Attorney for the Eastern District of
Virginia’s Computer Hacking and Intellectual Property Squad teamed up with
the FTC to bring the two to justice.
The defendants agreed to settle two separate FTC
charges, with Hill also facing a possible 46-month jail term for related
criminal charges filed by the U.S. Attorney General.
According to the FTC, the two con artists sent consumers e-mail messages
purporting to be from AOL and PayPal, saying that there had been a problem
with the billing of their accounts. The e-mail warned consumers that if they
did not update their billing information, they risked losing their accounts.
In one scheme, recipients were asked to click on a link to connect to the
“AOL Billing Center.” When consumers clicked on the link, they landed on the phishing site: a
Web page with AOL’s logo, AOLs type style, AOL’s colors, and links to real
AOL Web pages. But the page funneled any information the user entered into
the perps’ database instead of AOL’s. A similar scam used the hijacked
identity of PayPal, the person-to-person payment platform owned by eBay.
Phishers often “flip” the personal information they obtain and resell it to
other criminals, according to Bart Lazar, a partner in the law firm of
Seyfarth Shaw, which specializes in the misuse of technology. Or they may use
the credit card numbers to establish new lines of credit, which they quickly
max out. “Credit card companies are eager to let you pay off other
companies’ credit cards or transfer balances,” he said.
Phishers are remarkably hard to trace, Lazar continued. “They utilize their
own fake names, anonymous service providers, and some go outside the United
States,” he said. Phishers rapidly switch computers, IP addresses and
locations, and they take advantage of unprotected access points on the
Internet. Investigators must work with ISPs to laboriously search through
records to narrow down suspects from lists of all users who were online at
the time of the attack, he added.
Evidently, for these fraudsters, the crime of phishing did not pay. The
$125,000 judgments levied individually were stayed after the feds saw from
the defendants’ financial records that they didn’t have the money.