Michael Dolan, a phisher who targeted AOL over the course of fiveyears recently pleaded guilty to two criminal counts that the U.S.attorney's office brought against him. The first count was a conspiracyto commit fraud and the second count was aggravated identity theft.
Dolan's "career" spanned from 2002 to 2006 and mostly involvedgetting victims to install a Trojan program that would prevent themfrom logging into their AOL account without providing additionalsensitive information like credit card and Social Security numbers.When caught, he had private and financial information for 96individuals.
On the one hand, I think this is a great victory for the Departmentof Justice. I believe that legal actions are one of the importantchannels we need to consider when addressing the problem of phishing.After all, phishing is ultimately a financial crime, and to the extentthat we can make it more risky and less profitable, we cansubstantially reduce instances of phishing.
At the same time, this effort represents a small step, albeit atleast in the right direction. At the tender age of 23, Dolan does notrepresent what I believe is the phishing mainstream. Rather, Dolan lstrikes me as a phisher who operated at a smaller scale than many ofthe attacks we've seen. He likely got caught because he operated mostof the phishing attacks himself, rather than outsourcing relevantoperations to external parties. With the onus of running all parts ofthe operation himself, he might have handled one sloppily, leading tohim getting caught.
As opposed to Dolan, The mainstream phishers seem very muchorganized. They appear to take great pains to hide their anonymity andalso launder their proceeds through the underground supply chain. Thiscould involve methods for selling stolen credentials and laundering themoney through so-called mule networks. (A mule is a person who is hiredby a phisher and effectively launders money for them in the mule'sname. Often, mules don't even realize that they are partaking in acriminal act -- instead, they think they are responding to a legitimate"work from home advertisement.")
Given this level of organization, and given how much phishingoriginates from this organized group, I think the real victory will bewhen we catch a major phishing group. It's important to realize thatmany of the people who are getting caught are still the small-timeoperators, and we have a long way to go.