IWS - The Information Warfare Site
News Watch Make a donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

22 July 2003

Federal Trade Commission Settles Identity Theft Case

Internet scammer posed as America Online

The Federal Trade Commission (FTC) announced July 21 that it will settle charges against an individual who the agency says devised an online scheme to deceive customers into providing private financial information.

The FTC calls this sort of online fraud "phishing," and it violates U.S. law. In this case, the agency alleges that the individual -- an underage, unidentified minor -- sent e-mail to customers of the widely used Internet service provider America Online (AOL). The e-mail advised the customers that AOL needed to update payment information, and directed them to use a hyperlink to reach a Web page. When the customers followed the hyperlink, they were directed not to an AOL page, but one mocked up, using AOL logo and graphics. Customers thought they were conducting an online transaction with their Internet service provider, the FTC alleges, but they were actually giving private credit card numbers to the scammer.

"Phishing is a two time scam," said Timothy J. Muris, chairman of the FTC. "Phishers first steal a company's identity and then use it to victimize consumers by stealing their credit identities. This is the FTC's first law enforcement action targeting phishing. It won't be the last."

An FTC press release says the individual has agreed to a settlement in which he is forever barred from sending spam e-mail, and will sacrifice the $3,500 falsely obtained in the scheme. Spam refers to flooding the Internet with many copies of the same message in an attempt to force the message on people who would not otherwise choose to receive it. Most spam is commercial advertising, often for dubious products.

The FTC offers a publication entitled "How Not to Get Hooked by a Phishing Scam" available at http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm

The following is the text of the FTC press release:

(begin text)

FEDERAL TRADE COMMISSION
July 21, 2003

Identity Thief Goes "Phishing" for Consumers' Credit Information

An identity thief who allegedly used hijacked corporate logos and deceptive spam to con consumers out of credit card numbers and other financial data has agreed to settle Federal Trade Commission charges that his scam violated federal laws. If approved by the court, the defendant, a minor, will be barred for life from sending spam and will give up his ill-gotten gains.

The FTC alleged that the scam, called "phishing," worked like this: posing as America Online, the con artist sent consumers e-mail messages claiming that there had been a problem with the billing of their AOL account. The e-mail warned consumers that if they didn't update their billing information, they risked losing their AOL accounts and Internet access. The message directed consumers to click on a hyperlink in the body of the e-mail to connect to the "AOL Billing Center." When consumers clicked on the link they landed on a site that contained AOL's logo, AOL's type style, AOL's colors, and links to real AOL Web pages. It appeared to be AOL's Billing Center. But it wasn't. The defendant had hijacked AOL's identity and was going to use it to steal consumers' identities, as well, the FTC alleged.

The defendant's AOL look-alike Web page directed consumers to enter the numbers from the credit card they had used to charge their AOL account. It then asked consumers to enter numbers from a new card to correct the problem. It also asked for consumers' names, mothers' maiden names, billing addresses, social security numbers, bank routing numbers, credit limits, personal identification numbers, and AOL screen names and passwords - the kind of data that would help the defendant plunder consumers' credit and debit card accounts and assume their identity online.

According to the FTC, the defendant used the information to charge online purchases and open accounts with PayPal. In addition, he used consumers' names and passwords to log on to AOL in their names and send more spam. Finally, he recruited others to participate in the scheme by convincing them to receive fraudulently obtained merchandise he had ordered for himself.

The agency charged the defendant's practices were deceptive and unfair, in violation of the FTC Act. In addition, the FTC alleged that the defendant's practices violated provisions of the Gramm-Leach-Bliley Act designed to protect the privacy of consumers' sensitive financial information.

"Phishing is a two time scam," said Timothy J. Muris, Chairman of the FTC. "Phishers first steal a company's identity and then use it to victimize consumers by stealing their credit identities. This is the FTC's first law enforcement action targeting phishing. It won't be the last."

The settlement would bar the defendant from future violations of the FTC Act and the Gramm-Leach- Bliley Act. It also would bar the defendant from sending spam in the future. In addition, the order would require the defendant to give up $3,500 in ill-gotten gains.

An FTC Consumer Alert, "How Not to Get Hooked by a 'Phishing' Scam" warns consumers who receive e-mail that claims an account will be shut down unless they reconfirm their billing information not to reply or click on the link in the e-mail. Consumers should contact the company that supposedly sent the message using a telephone number or Web site address they know to be genuine.

More tips to avoid phishing scams can be found at http://www.ftc.gov/bcp/conline/edcams/spam/coninfo.htm

The Commission vote to authorize staff to file the complaint and stipulated final judgment and order was 5-0. It will be filed in the U.S. District Court for the Central District of California in Los Angeles and is subject to court approval.

This case was brought with the invaluable assistance of the Department of Justice Criminal Division's Computer Crimes and Intellectual Property Section, Federal Bureau of Investigation's Washington Field Office, and United States Attorney for the Eastern District of Virginia's Computer Hacking and Intellectual Property Squad, the United States Postal Inspectors and the Los Angeles District Attorney's High Technology Crimes Unit.

NOTE: Stipulated final judgments and orders are for settlement purposes only and do not constitute an admission by the defendant of a law violation. Consent judgments have the force of law when signed by the judge.

Copies of the complaint and stipulated final judgment and order for permanent injunction are available from the FTC's Web site at http://www.ftc.gov and also from the FTC's Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint, or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1 877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

(end text)

(Distributed by the Bureau of International Information Programs, U.S. Department of State. Web site: http://usinfo.state.gov)