A 23-year-old Romanian man has become the first foreigner to be convicted by a US court for phishing.
Ovidiu-Ionut Nicola-Roman, of Craiova, Romania, was sentenced to four years and two months in prison Monday for his role in an international phishing operation. Prosecutors had charged him with setting up fake banking sites and then sending out tens of thousands of fraudulent spam messages in hopes of tricking victims into giving up their account information.
The sentence was handed down by Judge Janet Hall of the United States District Court in Connecticut.
Nicola-Roman was arrested in Bulgaria and extradited to the US in November 2007. He pleaded guilty last July to a fraud charge and had been facing a possible five years in prison. Additional charges that he faced in California were dropped because they were not listed in his extradition request.
He was charged as part of a larger phishing bust that also named six other Romanians, none of whom have been arrested.
Security experts say countries such as Russia, Romania and the Ukraine have become hotbeds of cybercrime, in part because local governments are slow to prosecute fraudsters who take money from victims in other countries such as the US.
The FBI said Monday that Internet fraud complaints had spiked 33 percent year-over-year in 2008.
In Nicola-Roman's case, prosecutors said they found 2,600 credit and debit card numbers in email accounts linked to him, and that he had probably harvested more information. He set up a fake phishing site to snare customers of People's Bank in October 2005, but also had tools that would have allowed him to phish customers of Wells Fargo, Suntrust, Amazon.com, PayPal and eBay, according to court documents.
He doesn't appear to have written software himself, but assembled a large collection of online fraud tools, including a program called Web Data Extractor, which harvested e-mail addresses. He sent spam to victims using a program called Email Sender Express, which could send 30,000 spam messages per hour, and created counterfeit cards using a program called T2Gen, prosecutors said. Another program, called WebZIP Unlimited, could be used to counterfeit legitimate websites.
According to data supplied to prosecutors by People's Bank, 78 of the 88 People's Bank card numbers that investigators found in Nicola-Roman's possession had been used for fraud. Nicola-Roman was able to take an average of $960 (approx £722) per card number collected, prosecutors said.
Nicola-Roman, a clothing salesman by trade, committed the fraud in part to help pay for medication and support for his sick mother, according to his defence attorney.
Prosecutors managed to contact many of the victims of the scheme, who reported a sense of fear and outrage at having been phished. One woman said her credit score dropped from "800+ to 400" after the fraud. "My credit is damaged and it will never be the same," the woman, identified as Michele S., wrote in a victim's impact statement.
"Above all else is the helplessness, knowing that all my personal information is forever now in the public domain," wrote Thomas B. "[T]his is a huge invasion of privacy, and as such it has caused me a great deal of anxiety."