http://www.nytimes.com/2006/07/04/us/04identity.html By TOM ZELLER Jr. July 4, 2006 By the time of Shiva Brent Sharma's third arrest for identity theft, at the age of 20, he had taken in well over $150,000 in cash and merchandise in his brief career. After a certain point, investigators stopped counting. The biggest money was coming in at the end, postal inspectors said, after Mr. Sharma had figured out how to buy access to stolen credit card accounts online, change the cardholder information and reliably wire money to himself - sometimes using false identities for which he had created pristine driver's licenses. But Mr. Sharma, now 22, says he never really kept track of his earnings. "I don't know how much I made altogether, but the most I ever made in a quick period was like $20,000 in a day and a half or something," he said, sitting in the empty meeting hall at the Mohawk Correctional Facility in Rome, N.Y., where he is serving a two- to four-year term. "Working like three hours today, three hours tomorrow - $20,000." And once he knew what he was doing, it was all too easy. "It's an addiction, no doubt about that," said Mr. Sharma, who inflected his words with the sort of street cadence adopted by smart kids trying to be cool. "I get scared that when I get out, I might have a problem and relapse because it would be so easy to take $300 and turn it into several thousand." That ease accounts for the sizable ranks of identity-fraud victims, whose acquaintance with the crime often begins with unexplained credit card charges, a drained bank account or worse. The victims' tales have become alarmingly familiar, but usually lack a protagonist - the perpetrator. Mr. Sharma's account of his own exploits provides the missing piece: an insight into both the tools and the motivation of a persistent thief. Identity theft can, of course, have its origins in a pilfered wallet or an emptied mailbox. But for computer-savvy thieves like Mr. Sharma, the Internet has forged new conduits for the crime, both as a means of stealing identity and account information and as the place to use it. The Secret Service and the Federal Bureau of Investigation have invested millions of dollars in monitoring Internet sites where thousands of users from around the world congregate to swap tips about identity theft and to buy and sell personal data. Mr. Sharma frequented such sites from their earliest days, and the techniques he learned there have become textbook-variety scams. "Shiva Sharma was probably one of the first, and he was certainly one of the first to get caught," said Diane M. Peress, a former Queens County prosecutor who handled all three of Mr. Sharma's cases and who is now the chief of economic crimes with the Nassau County district attorney's office. "But the kinds of methods that he used are being used all the time." As far back as 2002, Mr. Sharma began picking the locks on consumer credit lines using a computer, the Internet and a deep understanding of online commerce, Internet security and simple human nature, obtained through years of trading insights with like-minded thieves in online forums. And he deployed the now-common rods and reels of data theft - e-mail solicitations and phony Web sites - that fleece the unwitting. Much of this unfolded from the basement of a middle-class family home in Richmond Hill, Queens, at the hands of a high school student with a knack for problem solving and an inability, even after multiple arrests, to resist the challenge of making a scheme pay off. That is what worries Mr. Sharma's wife, Damaris, 21, who has no time for the Internet as she raises the couple's 1-year-old daughter, Bellamarie. "I hate computers," she said. "I think they're the devil." A Thief's Tool Kit Mr. Sharma is soft-spoken, but he does not shrink from the spotlight. He gained fleeting attention after his first arrest, as the first person charged under a New York State identity-theft statute - and later, at his high school graduation at the Rikers Island jail, where he was the class valedictorian. For a prison interview, he has applied gel to his mane of black hair. He is Hollywood handsome, with deceptively sleepy eyes and smiles that come as tics in reaction to nearly every stimulus - a question, a noise. Prosecutors interpreted those smiles as evidence of smug indifference. A tattoo of Shiva, the Hindu god of destruction and his namesake, is just visible on Mr. Sharma's right arm, under the short sleeve of his green prison jumpsuit. Recalling his youth, Mr. Sharma said he was not unlike many other young people growing up with the mating calls of modems and unprecedented access to people, sounds, software and other thrills streaming into the family's home over the Internet. As the youngest of three children in a family of immigrants from Trinidad - his parents brought the family to Queens when he was 6 - Mr. Sharma said sibling battles for access to the computer were common. He studied programming at Brooklyn Tech, one of New York's most selective public high schools, where he met Damaris. He enjoyed chatting on AOL and was drawn, along with millions of his peers in the early days of file sharing, to downloading MP3's. As he got older, he began hanging out on Internet-based chat channels that dealt with bigger game, like bootleg software. And amid the chatter were whispers of other something-for-nothing sites - ones where thieves had set up bazaars involving credit cards, banks and account numbers. "So I ended up registering and then I started just looking, really," Mr. Sharma said. "Not really taking anything in, just looking and seeing what's going on there." Mr. Sharma said he chiefly visited two such sites, Carderplanet.com and Shadowcrew.com, where he was known by the screen name sniper5984 (the number denoted his birthdate). The sites were shut down in 2004, but many others have sprung up to replace them. "For the aspiring little computer hacker in the United States, they're an excellent opportunity to learn," said Greg Crabb, the assistant director for economic crimes at the United States Postal Inspection Service's international group in Washington. On Carderplanet, for example, "a person could learn how to set up a drop, receive packages, develop other relationships and generally get started in the business." Mr. Sharma got started with phishing - sending e-mail meant to dupe recipients into revealing their personal or financial data, which can then be exploited. He told investigators that he paid $60 to someone he had met on Carderplanet to buy a program designed to harvest AOL e-mail addresses. "I pretty much stuck with AOL because I knew AOL is most likely people new to the Internet," Mr. Sharma explained, "people who don't use the Internet for much but chat rooms." He managed to gather about 100,000 addresses, and crafted an e-mail message that told recipients, "We regret to inform you, but due to a recent system flush, the billing information for your account was deleted." Recipients were instructed to follow a link to a Web page to remedy the situation. The Web page, which mimicked AOL's look and feel, including a bogus AOL Web address, had form fields requesting everything from name and address to mother's maiden name, Social Security number, date of birth, credit card number, expiration date and bank. The "submit" button sent the data to Mr. Sharma's e-mail account. He then went shopping. From the 100,000 phishing e-mails Mr. Sharma sent, investigators say, about 100 recipients were duped into clicking through to the phony AOL Web page he created and filling out the form. Mr. Sharma said he did even better, with about 250 to 300 responses. And Mr. Sharma went on to more elaborate and lucrative schemes. By the end, he said, he had become well known at Carderplanet and Shadowcrew for being able to "cash out" victims' credit accounts by making large wire transfers from their accounts to himself. "I cash them out all the time," sniper5984 wrote at Carderplanet on July 5, 2004. "Here's two examples of Citi Cards I have used last month just to show." Sniper5984 then provided links to two images of the account statement of the victim, a California resident, showing, amid various legitimate charges, nearly $10,000 in Western Union wire transfers made over three days in June 2004. There were also two charges for Domino's pizza in Ozone Park, Queens. "There was always a challenge," Mr. Sharma said. "You know, like it's always something like, wow, can I take it to the next step, you know?" Ms. Sharma recalled that on trips to a Six Flags amusement park, her husband rarely took to the rides, preferring instead the games of chance. "The ones where you win a giant stuffed animal if you can throw some ball into a bucket or something like that, but there's obviously some trick to it," she said. "Well, he would always know the trick." She also recalled one evening in the summer of 2004, when Mr. Sharma came to her apartment with $27,000 in cash and asked her to hold onto it overnight. The next morning he picked up the money and returned later with a new Acura RSX. "He liked to race cars," Ms. Sharma said. Back at the correctional facility, Mr. Sharma struggled to find a clear explanation for his crimes. At times he suggested he was taking aim at a usurious banking industry. At other moments he offered that it was simply a game, that he was young, that he was not thinking clearly. "Well, you know - I mean there's no, there's no justification behind it at all," he said. "You know it was wrong, and I did it - it was wrong." He also suggested it all became too easy too fast. "The challenge was really stopping, you know?" he said. "That was the hardest challenge of them all." 'It's Sharma Again' The tools that allowed Mr. Sharma to profit from his thievery were also his undoing, more than once. On Sept. 19, 2002, William Robertson, a 73-year-old retired physical education teacher in Ormond Beach, Fla., received one of the 100,000 e-mail lures that Mr. Sharma's had sent out from Queens, and he fell for the scam. "I don't know what made me fill out that whole form," Mr. Robertson said. "At that time I was a fairly new user of the computer. And after I did it, I just didn't feel right. But it wasn't until after the credit card company called me that I knew I'd done anything wrong." A $3,000 Eltron photo ID printer had been bought on his Chase credit card from an online store in Buffalo. He canceled the card and made a report to the Flagler County police. The police determined that the printer had been shipped to a Brent Sharma in Queens. Just over a month later, on Nov. 8, Peter Ruh, a United States postal inspector, arrived at Mr. Sharma's parents' home wearing a postal delivery uniform and carrying a box of high-end racing car parts that Mr. Sharma had ordered using another credit card account he had hijacked. When Mr. Sharma identified himself and signed for the package, Mr. Ruh, wearing a wire, gave a pre-arranged signal and his fellow inspectors, along with New York City police officers, moved in. Among the items seized from his parents' basement were a computer, two digital cameras, a scanner, nearly 500 blank plastic identity cards with magnetic strips, two Marine Corps ID's - with Mr. Sharma's name and photo - and a newer model Eltron photo ID printer. A search of his computer revealed personal identifying information on hundreds of people from across the country. "We were surprised at how forthcoming he was," Mr. Ruh said. "He was very proud of his accomplishments." It was the first of many encounters that Queens postal investigators would have with Mr. Sharma over the next two years. "I'd get a call from someone over at Postal and they'd say, 'You're not going to believe this,' " Ms. Peress said. "And then they'd say, 'It's Sharma again.' " Even with charges of identity theft pending in the AOL case, Mr. Sharma was arrested and charged again, in May 2003, for schemes involving the hijacking of Amazon.com accounts, moving fraudulently bought merchandise through auctions at eBay and Yahoo, and enlisting the father of a friend to receive shipments at his home in exchange for a digital camera. Four months later, as part of a combined plea agreement, Mr. Sharma was permitted to plead guilty in the first case as a youthful offender, avoiding a felony designation. He pleaded guilty in the second case to two felony counts of identity theft and unlawful possession of personal identification information. In November 2003 he was sentenced to five years' probation and 350 hours of community service and was ordered to pay $5,000 in restitution. But within a month, on Jan. 21, 2004, sniper5984 was active again at Carderplanet. "I am looking for partners," he wrote. Logging Off By the summer of 2004, investigators had begun piecing together a string of complaints from out-of-state consumers whose credit card accounts had been hijacked for tens of thousands of dollars in bogus charges, and they quickly recognized the modus operandi. Mr. Sharma was arrested again in October while accepting a package under the watch of postal inspectors. A search of his apartment in Ozone Park on Oct. 16, 2004, the day after his final arrest, turned up consumers' credit bureau reports, assorted hand-written notations of credit card accounts and Social Security numbers and printed chats showing him negotiating online for the purchase of FirstUSA and MBNA credit cards. Mr. Sharma remembers making heavy use, just before his last arrest, of the credit card of a commercial airline pilot from Florida. Receipts show that a Jean Pascal Francis, presenting a Michigan state identification card, signed in Queens for nearly $5,500 in Western Union cash transfers charged to the pilot's account on a single Friday afternoon in July 2004. A Michigan state identification card with that name and Mr. Sharma's photograph was among the documents later found in Mr. Sharma's apartment. "I thought it was horrible," recalled the airline pilot, who did not want to be named because he feared it would invite other thieves to take a crack at him. "You just feel violated in terms of your privacy." Meanwhile, Mr. Sharma, whose family had moved to Florida, was largely on his own in New York and was burning through cash like rocket fuel. "I tried every five-star hotel in Manhattan," he said. "That's why they say, 'Oh, he stayed at the Parker Meridien, the Regency, the Waldorf-Astoria.' You know, I went to all those and just stayed. The Mandarin Oriental is by my wife's house, and that's supposed to be the nicest one and the newest one, so I went there and it's like $3,500 a night." "The more you make," he added, "it's like, it becomes a different kind of lifestyle." The question now is whether Mr. Sharma, who has a parole hearing in August, can adapt to a less lucrative lifestyle when he gets out. He says he is determined to stay clean long enough for his knowledge of fraud techniques to become obsolete. "I've just got to stay with my daughter and just try and stick it through another year or two," Mr. Sharma said, "because by then things have changed so much that it will be kind of hard for me to just go back in there and do everything." His wife understands the temptations that will lurk in the meantime. "I do worry a whole lot because - I don't want to say I agree, but I understand his mentality," Ms. Sharma said. "People work really hard for eight hours a day and make minimum wage. And he knows he can get out and make the same thing with the computer in half an hour." Kassie Bracken contributed reporting for this article. Copyright 2006 The New York Times Company _________________________________ Attend the Black Hat Briefings and Training, Las Vegas July 29 - August 3 2,500+ international security experts from 40 nations, 10 tracks, no vendor pitches. www.blackhat.com
This archive was generated by hypermail 2.1.3 : Wed Jul 05 2006 - 22:58:25 PDT