Jeffrey Brett Goodin
In the case of Jeffrey Brett Goodin vs. the United States of America, Goodin was petitioning for habeas corpus relief. Habeas corpus is a “judicial mandate to a prison official ordering that an inmate be brought to the court so it can be determined whether or not that person is imprisoned lawfully and whether or not he should be released from custody” (Habeas Corpus Defined and Explained).
Goodin was sentenced to 70 months in prison after multiple violations of various sections of Title 18 of the United States Constitution. These violations include “§ 1324 (wire fraud), § 1037(a)(3), (b)(1)(A)(4) (knowing and material falsification of email headers), § 1029(a)(2) (aiding and abetting use of unauthorized access devices), § 1029(a)(3) (possession of unauthorized access devices), § 1028A(a)(1) (identity theft), § 2320 (use of counterfeit mark), § 1512(d)(1) (witness harassment), and § 3146(a), (b)(1)(A)(iii) (failure to appear)” (Goodin v. United States).
Goodin had violated federal laws by impersonating the billing department of the Internet Service Provider (ISP) America Online (AOL) and contacting AOL members via email in sophisticated phishing attacks. Goodin created email accounts through the ISP EarthLink, with which he fraudulently gathered personally identifiable information (PII) from AOL users. Goodin prompted users to update their credit/debit, personal, and other financial information. Inside these emails were links to phony AOL webpages that contained cross-site scripting, which sent the information entered to Goodin’s email addresses.
Goodin was found guilty and petitioned the Ninth Circuit Court of Appeals. The Court of Appeals affirmed the sentencing on December 17, 2008. On August 11, 2009, Goodin filed “the instant motion pursuant to 28 U.S.C. § 2255 claiming ineffective assistance of counsel. Id. at 5. Respondent United States ("government") filed its answer on February 25, 2010” (Goodin v. United States). While the claim of ineffective assistance of counsel is not related to phishing attacks, many related points were made in the discussion of the case.
Goodin argued that “the jury instructions expanded the scope of 18 U.S.C. § 1037 ("CAN-SPAM Act") by allowing conviction even when an e-mail is merely "related" to the product or service. Id” (Goodin vs. United States). The CAN-SPAM Act of 2003 was the first act to define standards and requirements for the use of commercial email. Goodin claimed that the Ninth Circuit Court of Appeals allowed conviction by expanding the CAN-SPAM Act to emails that are related to a commercial product or service. The United States Government, however, argued that the evidence presented to the jury allowed them to reasonably define the emails as commercial emails according to the CAN-SPAM Act. “The "related to" language in the jury instruction improperly expanded the scope of the statute; there is no reasonable probability that an objection by petitioner's counsel would have undermined confidence in the outcome” (Goodin v. United States).
Goodin also argued that the loss calculations completed by the Probation Office were “based on submissions by EarthLink and a theory of loss that the Ninth Circuit considered "seriously flawed" because of the lack of causal connection between the cost of the servers and petitioner's conduct” (Goodin v. United States). In calculations prepared for the presentencing report, the Probation Office offered many calculations of the damages that Goodin’s phishing attacks had caused. “Five individual victims suffered a loss of $6,205.58 and EarthLink suffered a loss of $1,155,248.59. The Probation Office also assigned a loss of $58,00 for 116 credit card numbers possessed by petitioner, for a total loss of $1,161,454.17” (Goodin v. United States). Goodin argued that the calculations of damages were unrelated to his phishing attacks and that the damage estimates were completely inaccurate. The government opposed this argument and “produced a detailed accounting of the loss suffered by EarthLink attributable to Goodin’s phishing scheme. This included a table of EarthLink’s calculable damages, EarthLink’s total personnel-time cost and computer-time cost attributable to Goodin’s e-mails, and an explanation of how EarthLink’s cost and loss figures were calculated” (Goodin v. United States). The court found that Goodin did not show that his counsel performed below an objective standard of reasonableness.
This case helps to show three important points about phishing attacks. First, multiple laws are broken when phishing attacks are carried out. Second, the court discussion and evidence give the public a sense of the kind of damage costs that phishing attacks generate. Finally, this case uses the CAN-SPAM Act of 2003 to help define commercial and commercially related spam messages and phishing emails, and to use them as a form of evidence to help convict the attacker.
“Goodin v. United States” March 17, 2010
"Habeas Corpus Defined and Explained." The 'Lectric Law Library's Entrance & Welcome. N.p., n.d. Web. 9 Apr. 2011. <http://www.lectlaw.com/def/h001.htm>.