AOL Phishing fraudster convicted, could spend 101 years in jail

by Alex Zaharov-Reutt
Friday, 19 January 2007
Want to be looked after for the rest of your life in the company of big Otis, who likes to take showers? Then do what Jeffrey Brett Goodin did and become a criminal phisherman - now taken down by the US Department of Justice.
The US Department of Justice has reported that in verdicts reached late Friday, Jeffrey Brett Goodin, 45, was found guilty of operating a sophisticated phishing scheme targeted at AOL users. He was convicted under the CAN-SPAM Act of 2003 of sending thousands of emails to AOL users that appeared to be from AOL's billing department and prompted the customers to send personal and credit card information, which he used to make unauthorized purchases.

According to the US DOJ’s press release, the jury found that Goodin operated an Internet-based scheme designed to obtain personal and credit card information by tricking people into believing that they were providing information to a legitimate business. Goodin, who was clearly not good at all, used several compromised Earthlink accounts to send e-mails to AOL users that appeared to be from AOL's billing department. Goodin then urged the users to "update" their AOL billing information or lose service, a lure commonly seen in bank phishing attacks today.

As with most phishing schemes, the e-mails referred the AOL customers to one of several webpages where the victims could input their personal and credit information. Goodin controlled those webpages, where he collected the information that allowed him and others to make unauthorized charges on the AOL users' credit or debit cards.

What’s more worrying is that phishers have found more sophisticated ways of stealing users' information, with Goodin’s attack being one of the older and more basic forms of phishing. The bad guys never sleep and have been very, very busy finding ways to make their activities as invisible as possible. Luckily for us, security researchers and programmers are on a counter-attack of their own.
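As an added example (not code from the article, the DOJ or TrustDefender), the following Python scores one raw e-mail for the three indicators of the scheme just described: a From header claiming the brand while the envelope sender is a different relay domain, an update-or-lose-service lure in the body, and a link to a host outside the brand's own domains. The sample message and its domains are constructed, not taken from the case.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Lure wording of the kind described: "update" your billing/account or lose service.
URGENCY = re.compile(r"update .{0,40}?(billing|account)|lose (your )?service", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+")


def domain_of(header_value):
    """Bare, lower-cased domain of an address header ('' if none)."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw, brand_domains):
    """Return a list of phishing indicators found in one raw RFC 822 message.

    brand_domains: the domains the message claims to come from, e.g. {'aol.com'}.
    """
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    env_dom = domain_of(msg.get("Return-Path", ""))
    # The From header claims the brand, but the envelope sender (the account that
    # actually relayed the mail) belongs to someone else, as with the compromised
    # Earthlink accounts in the Goodin case.
    if from_dom in brand_domains and env_dom and env_dom != from_dom:
        findings.append(f"From claims {from_dom} but envelope sender is {env_dom}")
    body = msg.get_payload()
    if URGENCY.search(body):
        findings.append("update-or-lose-service lure in body")
    # Every link must land on one of the claimed brand's own domains.
    for url in URL.findall(body):
        host = urlparse(url).hostname or ""
        if not any(host == d or host.endswith("." + d) for d in brand_domains):
            findings.append(f"link to {host} is outside {sorted(brand_domains)}")
    return findings


# Constructed sample modelled on the scheme above (not a real message; .example TLDs).
SAMPLE = """Return-Path: <relay-account@earthlink.example>
From: AOL Billing <billing@aol.com>
Subject: Update your billing information
Content-Type: text/plain

Your billing record is out of date. Update your AOL billing
information within 24 hours or lose service:
http://aol-billing-update.example/verify
"""

if __name__ == "__main__":
    for finding in score_message(SAMPLE, {"aol.com"}):
        print("-", finding)
```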
One of the most frightening new developments is the ‘Man in the Middle’ attack, where phishers now use software to capture your information while you are at the site you intended to visit: your username and password are siphoned off by malware, which steals your credentials and then passes them on to the site you wanted to visit, without you being any the wiser! An excellent article from the Washington Post’s Brian Krebs called ‘Great Strides in Phishing’ details this worrying and growing phenomenon.

While Brian does not specifically mention it in his article, this new sophisticated ‘Man in the Middle’ phishing attack also makes a lot of the ‘two-factor’ and ‘tokens’ being used by some companies a total joke, as they have been proven to be useless against criminals who know how to easily get around these so-called ‘more secure’ systems. While most security vendors claim to have a solution to protect you from phishing attacks, ‘Man in the Middle’ attacks take phishing to a new level of cyber terror.

Ted Egan, co-founder of TrustDefender, a free security software package available from http://www.trustdefender.com that is equipped to reliably deal with all forms of phishing attacks, including ‘Man in the Middle’ attacks, and which would have protected the AOL users that Goodin targeted, explains that until the end user is brought into a company’s security chain, these attacks will continue to be successful. Egan said that “The only way these financial organizations are going to stop the fraudsters and protect their customers’ identities and confidential information is when they integrate the end user's computer (PC and mobile computing device) into the overall security chain".

Criminal elements have taken to heart the knowledge that e-commerce would be big one day, and are acting much faster than banks and other websites that need a username and password for access.
The US Department of Justice has caught one man, but there are millions more criminal phishing attacks every day and organized crime gangs taking full advantage of the latest phishing software kits to cause fraudulent havoc on us all.
When will banks, financial institutions, auction houses, online stores and sites that require user authentication start taking security far more responsibly than they are taking it now, especially in light of Brian Krebs’ revealing article?