The Southern California man who was the first person convicted by under the CAN-SPAM Act of 2003 for operating a sophisticated phishing scheme has been sentenced to nearly six years in federal prison.
Jeffrey Brett Goodin, 47, of Azusa, Calif., was sentenced to 70 months in prison by U.S. District Judge Christina A. Snyder in Los Angeles. He was originally found guilty on Jan. 12 of CAN-SPAM violations for sending thousands of phishing e-mails appearing to be from AOL’s billing department in an attempt to steal users' personal information.
In addition, Judge Snyder ordered Goodin to pay $1,002,885.58 to the victims of his phishing scheme. That total includes nearly $1 million to Earthlink, his internet service provider, to cover the costs for detecting and combating his online fraud scam, the U.S. Attorney's Office in Los Angeles said.
Goodin's emails asked AOL customers to update their personal and credit card information on phony AOL websites under Goodin's control. He then used the victims' personal and credit card information to make unauthorized purchases.
"It's great news [Goodin] was caught and is going away for while," said Sam Masiello, director of MX Logic's threat management team. "But in the end, it's not going to have impact overall" in the battle to control online fraud.
The problem won't go away until "users have become more educated -- they're the weakest link in chain," he added. "They have a feeling that their operating system and anti-virus products will protect them, but that's not true.
"It's important that users know what are legitimate websites, that they don't open attachments and links they get from people they don't know," Masiello explained. "This is email security 101, but it needs to be repeated over and over because people are still clicking links and getting infected with keyloggers and screen scrapers," which capture and forward personal information on login forms.
He added that simply deploying a firewall should help significantly mitigate the problem.
In addition to the CAN-SPAM conviction, Goodin was sentenced on 10 other counts. These included aiding and abetting the unauthorized use of a credit card, possessing more that 15 unauthorized access devices (credit cards), failing to appear in court, misusing the AOL trademark, wire fraud, aggravated identity theft and attempted witness harassment.
The attempted witness harassment charge came after Goodin was indicted on federal charges in the phishing scheme. The U.S. Attorney's Office said Goodin harassed an individual who had cooperated with authorities by posting intimidating messages to a website commemorating the death of the cooperator's sister.