The first person convicted under the Can-Spam Act of 2003 faces up to 101 years of jail time after a California jury found him guilty of multiple crimes. Jeffrey Brett Goodin was convicted in the U.S. District Court for the Central District of California in Los Angeles, according to the U.S. Attorney's Office.
Arrested last year, Goodin had been running a sophisticated phishing operation in which he posed as a member of AOL's billing department and tricked users into divulging their credit card information.
To run the scheme, Goodin used several compromised Earthlink accounts and set up fake Web sites that mimicked legitimate AOL pages. Like other phishers, Goodin used good old fashioned fear-mongering and official-looking threats to scare people into giving out the data.
Users that fell prey to the scam would submit personal details including credit card numbers, addresses, and passwords, believing that failing to do so would result in suspension of their Internet accounts.
Once Goodin had users' credit card data, he used the numbers to make purchases online, although the U.S. Attorney's Office did not detail what he bought or release info on how much money he made as a result of the scam.
The jury found Goodin guilty not only of the Can-Spam infringement, but also of 10 other counts, including misuse of the AOL trademark, witness harassment, failure to appear in court, wire fraud, and aiding and abetting the unauthorized use of credit cards.
Sentencing for the convictions will be handed down on June 11, with the maximum jail time topping out at 101 years in federal prison.
The case was investigated by the Ontario Police Department and the Electronic Crimes Task Force, which consists of agents from the FBI and the U.S. Secret Service.
In the past, the Can-Spam Act has drawn criticism for allowing certain concessions to online marketers. Proponents of tougher laws had hoped the 2003 legislation would have more restrictions, particularly in the area of phishing.
But the Act can be seen as a starting point, said John Mozena, spokesperson for the Coalition Against Unsolicited Commercial Email (CAUCE).
"The killer app for stopping phishing won't be technology; it'll be legislation," he said. "Arrests could have some deterrent effect, if they're common enough. Anything is better than nothing."
But it is likely that even with widespread arrests and jail time, the problem will only be minimized, not eliminated, Mozena noted. Phishing is particularly tricky because it usually involves several countries and multiple tactics, and tracking down perpetrators can take years.
"Fundamentally, with phishing and spam, it comes down to human beings that are trying to make money," he said. "If someone thinks they can steal through phishing and not get caught, they'll be very tempted to do it." Source