FTC settles with 17-year-old ID thief

The US Federal Trade Commission (FTC) has settled a civil action against a 17-year-old California boy who was allegedly tricking...

The US Federal Trade Commission (FTC) has settled a civil action against a 17-year-old California boy who was allegedly tricking internet users into giving him their credit card numbers and other personal information on a bogus website meant to look like America Online's billing centre.

The settlement will bar the defendant from sending spam and force him to give up about $3,500 (£2,188) in profits from his venture, which ran from July to December 2002, before the US Federal Bureau of Investigation (FBI) confiscated his computer.

The case has also been forwarded to the Los Angeles District Attorney's Office for possible criminal charges, said Eric Wenger, an attorney with the FTC's Bureau of Consumer Protection.

Posing as AOL, the boy sent customers e-mails saying there had been a problem with the billing of their AOL account. The e-mail warned AOL customers that if they did not update their billing information, they would risk losing their AOL accounts, and it directed customers to click on a hyperlink to connect to the AOL Billing Centre.

When customers clicked on the link, they went to the defendant's site, which included AOL's logo, type style, and links to real AOL web pages.

The defendant's AOL look-alike page directed consumers to enter the numbers from the credit card they had used to charge their AOL account, then asked consumers to enter numbers from a new card to correct the problem.

The defendant's page also asked for consumers' names, mothers' maiden names, billing addresses, social security numbers, bank routing numbers, credit limits, personal identification numbers, and AOL screen names and passwords.

The defendant used the information to charge online purchases and open accounts with PayPal, and he used consumers' names and passwords to log on to AOL in their names and send more spam. He also recruited others to participate in the scheme by convincing them to receive fraudulently obtained merchandise he had ordered for himself.

Known as "phishing", the fake website scam victimised both AOL and its customers, noted Timothy Muris, chairman of the FTC. The case represented the FTC's first law enforcement action targeting phishing, but it will not be the last, Muris warned.

"We're trying to draw attention to it, so customers recognise this type of scheme," Wenger added.

Although AOL was the target internet service provider in this case, the scheme can be run on just about any internet service provider or e-commerce provider, Wenger noted.

AOL spokesman Nicholas Graham said such scams are agnostic to the type of connection internet users have or the brand of internet service provider they use.

AOL has told customers for years that they should not trust e-mails that ask for personal information such as passwords or credit card numbers, he said.

"We applaud the FTC for highlighting an issue that AOL has concentrated on for some time," Graham added.

Graham recommended that customers who recognise such schemes tell their internet providers so the scam artists can be stopped before someone becomes a victim.

Grant Gross writes for IDG News Service

Read more on IT legislation and regulation