The IT Law Wiki

Citation

Federal Trade Comm’n v. Hill, Civ. Action No. H03-5537 (S.D. Tex. Dec. 3, 2003).

Factual Background

In a joint law enforcement initiative, the Federal Trade Commission (FTC) and the Department of Justice brought two separate actions against Zachary Keith Hill to shut down a spam operation that hijacked logos from AOL and Paypal to con hundreds of consumers into providing credit card and bank account numbers. At the request of the FTC, the U.S. District Court for the Southern District of Texas ordered the defendant to halt his phishing scam. The Justice Department also obtained a criminal conviction.

Under the scam, consumers received an e-mail that appeared to come from America Online or Paypal. The “from” line identified the sender as “billing center,” or “account department” and the subject line carried warnings such as “AOL Billing Error Please Read Enclosed Email,” and “Please Update Account Information Urgent!” The text of the message contained a warning that if the consumers did not respond to the e-mail, their account would be cancelled. Some of the spam said, “we have to ask all our members for updated/correct billing information. Please be advised that this is mandatory. If we do not get your updated billing information, your account will be revoked and put under review and may be cancelled.” A hyperlink in the e-mail took consumers to what appeared to be the AOL Billing Center, with AOL’s logo and live links to real AOL web pages. But the copycat web page belonged to the defendant. The defendant asked consumers to provide information such as their names and mothers’ maiden names, billing addresses, Social Security numbers, dates of birth, bank account numbers, and bank routing numbers. The defendant also asked consumers to provide their AOL screen names and passwords.

The Paypal scheme worked in a similar way, with the defendant using the Paypal passwords that consumers provided to access consumers’ Paypal accounts and to purchase goods or services on their accounts.

The Complaint

The FTC charged that the acts and practices were deceptive and unfair, in violation of Section 5 of the FTC Act. In addition, the FTC alleged that the defendant’s practices violated provisions of the Gramm-Leach-Bliley Act designed to protect the privacy of consumers’ sensitive financial information.

The FTC alleged that the defendant used the information that consumers submitted to establish new credit card accounts and to make unauthorized changes — such as changing the address — on existing credit accounts. According to the FTC, he placed orders and made purchases using the unwitting consumers’ credit information.

Stipulated Final Judgment

The settlement (dated May 24, 2004) barred the defendant from sending spam for life. It barred the defendant from:

  • Misrepresenting his affiliation with a consumer’s ISP or online payment service provider;
  • Misrepresenting that consumers’ information needs to be updated;
  • Using false “from” or “subject” lines; and
  • Registering web pages that misrepresent the host or sponsor of the page.

The settlement barred the defendant from making false, fictitious, or fraudulent statements to obtain financial information from consumers. It barred the defendant from using or sharing the sensitive information collected from consumers and required that all such information be turned over to the FTC.

Financial judgments were stayed based on financial disclosure documents provided by the defendant showing he was unable to pay consumer redress. The settlement contained standard recordkeeping provisions to allow the FTC to monitor compliance with the order.

Criminal Complaint

The U.S. Department of Justice also filed a criminal complaint against Hill alleging violations of the federal Computer Fraud and Abuse Act (CFAA).[1] The parties entered into a plea agreement under which Hill agreed to plead guilty to two counts. He was sentenced to 46 months in prison.

References

  1. United States v. Hill (U.S. Dist. Ct., Eastern Dist. of Va.).