March 22, 2004
The Federal Trade Commission and the Department of Justice have shut down a spam operation that hijacked logos from AOL and Paypal to con hundreds of consumers into providing credit card and bank account numbers.
At the request of the FTC, a U.S. District Court ordered the defendant to halt his identity theft scam, known as phishing. The Justice Department obtained a criminal conviction and the defendant is awaiting sentencing.
The scam worked like this: Consumers received e-mail that appeared to come from America Online or Paypal. The "from" line identified the sender as "billing center" or "account department," and the subject line carried warnings such as "AOL Billing Error Please Read Enclosed Email" and "Please Update Account Information Urgent!"
The text of the message contained a warning that if the consumers did not respond to the e-mail, their account would be cancelled. Some of the spam said, ". . . we have to ask all our members for updated/correct billing information. Please be advised that this is mandatory. If we do not get your updated billing information, your account will be revoked and put under review and may be cancelled."
A hyperlink in the e-mail took consumers to what appeared to be the AOL Billing Center, with AOL's logo and live links to real AOL Web pages. But the copy-cat Web page belonged to the defendant. The defendant asked consumers to provide information such as their names and mothers' maiden names, billing addresses, Social Security numbers, dates of birth, bank account numbers, and bank routing numbers. The defendant also asked consumers to provide their AOL screen names and passwords.
The FTC alleges that the defendant used the information that consumers submitted to establish new credit card accounts and to make unauthorized changes such as changing the address on existing credit accounts. According to the FTC, he placed orders and made purchases using the unwitting consumers' credit information.
The Paypal scheme worked in a similar way, with the defendant using the Paypal passwords that consumers provided to access consumers' Paypal accounts and to purchase goods or services on their accounts.
Defendant Zachary Keith Hill of Houston, Texas, was named in the FTC complaint and the DOJ criminal information filed in United States District Court for the Eastern District of Virginia, Alexandria Division.
The FTC charged that the acts and practices were deceptive and unfair, in violation of the FTC Act. In addition, the FTC alleged that the defendant's practices violated provisions of the Gramm-Leach-Bliley Act designed to protect the privacy of consumers' sensitive financial information.
The Department of Justice has issued a special report on phishing that can be found at http://www.usdoj.gov/criminal/fraud.html.