Green Eggs and Spam? E-Mailed Scam Gets Into the Wrong Hands
Green Eggs and Spam?
E-Mailed Scam Gets Into the Wrong Hands
12/17/03
Talk about bad luck! A previously convicted felon from Ohio and an Internet addict from Pennsylvania met in an online chat room and soon joined forces to operate a profitable spamming venture. The pair sent hundreds of e-mails world-wide that tricked people into giving out personal information—also known as "phishing." But they made one mistake—one of their "marks" turned out to be a Norfolk, Virginia FBI agent who received the e-mail on his home computer. And this was not just any FBI agent—he was a specialist in computer crimes!
The duo, who had never met in person, exchanged information on "spamming" (sending mass unsolicited e-mails) and "carding" (using stolen credit cards). Through various schemes, the pair got their hands on a large online service provider's customer user names and passwords, allowing them access to that provider's chat rooms where they unleashed several spamming programs, including a particular one known as "Green Eggs and Spam." The company's subscribers were flooded with spam messages claiming to be from "Security" asking for updated credit card information and linked to a phony "Billing Center" webpage. But in fact, the info went to web-based e-mail accounts accessed by the pair. Unfortunately, many customers—believing the e-mail to be legitimate—obliged by sending their personal information.
One customer who didn't fall for the scam was the Norfolk FBI agent. What made the agent suspect the e-mail? He had just created the e-mail address literally a minute before the e-mail reached his inbox, and he knew there no way to have contact on an e-mail that had existed for only a matter of seconds. When he clicked on the link in the e-mail, he noticed that his browser was going to a non-company webpage—another red flag. He could also tell that the e-mail sender's address was fake, and the message was sent to almost 20 other users at the same time. The agent sent a copy of the phony webpage to staffers in what was then the Bureau's Special Technologies and Applications Unit to confirm his suspicions—and they did.
The investigation eventually uncovered the electronic trail of stolen accounts and free webpages... and ultimately to the identity of the two main culprits. One has already been sentenced and the other is currently awaiting sentencing. One of the computers used in the scam was found to have over 400 stolen credit cards numbers on it.
These types of "phishing" e-mail schemes have been steadily on the rise, but on December 16, 2003, the President signed the "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (or the CAN-SPAM Act) to federally regulate spam. Under the new law, the Federal Trade Commission is authorized to set up a "do-not-spam" registry. Violators face multi-million dollar fines and jail time, and they could be sued for damages.