July 21, 2003
A teen-aged identity thief who allegedly used hijacked corporate logos and deceptive spam to con consumers out of credit card numbers and other financial data has agreed to settle Federal Trade Commission charges that his scam violated federal laws.
If the settlement is approved by the court, the defendant, who is not being identified because he is a minor, will be barred for life from sending spam and will give up his ill-gotten gains.
The FTC alleged that the scam, called phishing, worked like this: posing as America Online, the con artist sent consumers e-mail messages claiming that there had been a problem with the billing of their AOL account. The e-mail warned consumers that if they didnt update their billing information, they risked losing their AOL accounts and Internet access.
The message directed consumers to click on a hyperlink in the body of the e-mail to connect to the AOL Billing Center. When consumers clicked on the link they landed on a site that contained AOLs logo, AOLs type style, AOLs colors, and links to real AOL Web pages. It appeared to be AOLs Billing Center. But it wasnt. The defendant had hijacked AOLs identity and was going to use it to steal consumers identities, as well, the FTC alleged.
The defendants AOL look-alike Web page directed consumers to enter the numbers from the credit card they had used to charge their AOL account. It then asked consumers to enter numbers from a new card to correct the problem. It also asked for consumers names, mothers maiden names, billing addresses, social security numbers, bank routing numbers, credit limits, personal identification numbers, and AOL screen names and passwords - the kind of data that would help the defendant plunder consumers credit and debit card accounts and assume their identity online.
According to the FTC, the defendant used the information to charge online purchases and open accounts with PayPal. In addition, he used consumers names and passwords to log on to AOL in their names and send more spam. Finally, he recruited others to participate in the scheme by convincing them to receive fraudulently obtained merchandise he had ordered for himself.
Phishing is a two time scam, said Timothy J. Muris, Chairman of the FTC. Phishers first steal a companys identity and then use it to victimize consumers by stealing their credit identities. This is the FTCs first law enforcement action targeting phishing. It wont be the last.
