A spam e-mail operation that sent out e-mails falsely claiming to be from PayPal or America Online Inc., tricking hundreds of consumers into entering their credit card, banking and user account information on fake PayPal and AOL Web sites, has been stopped by the U.S. Department of Justice and the Federal Trade Commission.
In a joint announcement yesterday, the two agencies said that Zachary Keith Hill of Houston has been ordered to halt the identity theft operation, which was the type of scam also known as phishing, while he awaits sentencing on federal criminal charges.
Each agency led its own probe into Hill's activities.
In a criminal case brought by the DOJ in U.S. District Court in the Southern District of Texas, Houston Division, Hill pleaded guilty last month to charges of using illegally obtained account access information to buy goods worth more than $1,000 and to a charge of illegally possessing account information for more than 15 people on his PC.
In a separate civil lawsuit filed by the FTC in December (download PDF), Hill was charged with false affiliation for claiming that the e-mail messages he sent were from PayPal, AOL and other Internet service providers. He was also charged with making false claims to consumers so they would provide account information and with one count of unfair use of that private information and a count of inducing consumers to submit account information by using deceptive means. The 24-page complaint asked the court to issue an injunction barring Hill from continuing his operations.
Casey Stavropoulos, a DOJ spokeswoman, said Hill is expected to be sentenced on the criminal charges on May 18. He faces a maximum prison term of 10 to 15 years, she said, but he could get a lesser sentence as a result of his cooperation with authorities after his arrest. He also faces fines of at least $200,000 plus restitution.
Hill sent the fake e-mails between March 2001 and February 2003, according to the DOJ.
Investigators were able to link Hill to the fake messages through e-mail addresses that were embedded in the HTML code in the fake Web pages, said Patricia Poss, one of the FTC attorneys working on the case. The HTML code in the Web pages directed the information entered by consumers to Hill's e-mail addresses, Poss said.
The FTC case against Hill remains in litigation, she said. He has agreed to the preliminary injunction that halted his operations while both sides work to resolve the case. Hill is connected to at least $78,000 in purchases or attempted purchases on new credit card accounts he opened using the stolen information, the FTC said.
He illegally obtained 471 credit card numbers, 152 bank account and bank routing numbers and 541 usernames and passwords for personal Internet access accounts using his fake Web sites, according to his plea agreement with the Justice Department.
Under Hill's scam, consumers received e-mails that appeared to come from AOL or PayPal. The "From" line identified the sender as "billing center" or "account department" and the "Subject" line carried warnings such as "AOL Billing Error Please Read Enclosed Email," or "Please Update Account Information Urgent!" The messages warned consumers that their accounts would be canceled if they didn't respond.
A hyperlink in the e-mail pointed to what appeared to be the AOL Billing Center, with AOL's logo and live links to real AOL Web pages. But the site was actually Hill's Web site, where he harvested consumers' names and their mothers' maiden names as well as their billing addresses, Social Security numbers, dates of birth, bank account numbers, bank routing numbers, AOL screen names and passwords.
Hill's PayPal scheme used the PayPal passwords that consumers provided, allowing him to use their PayPal accounts to purchase goods and services.
"As the Hill case demonstrates, the government can make a difference when agencies work together to crack down on Internet identity theft scams," Assistant Attorney General Christopher A. Wray of the DOJ's Criminal Division said in a statement.
Several attempts to reach Hill by telephone were unsuccessful.
Nicholas Graham, a spokesman for Dulles, Va.-based AOL, said the company applauds the government's prosecution of the case. "This is a very important issue to us," Graham said.
Amanda Pires, a spokeswoman for San Jose-based PayPal, said the company believes the case will help deter others from using similar scams. "It also helps to educate people not to respond to these fraudulent e-mails," she said.
Assisting in the cases were the FBI's Washington Field Office and the U.S. attorney for the Eastern District of Virginia's Computer Hacking and Intellectual Property Squad.