[ISN] Identity Thief Finds Easy Money Hard to Resist

From: InfoSec News (isn@private)
Date: Wed Jul 05 2006 - 22:22:55 PDT


http://www.nytimes.com/2006/07/04/us/04identity.html

By TOM ZELLER Jr.
July 4, 2006

By the time of Shiva Brent Sharma's third arrest for identity theft,
at the age of 20, he had taken in well over $150,000 in cash and
merchandise in his brief career. After a certain point, investigators
stopped counting.

The biggest money was coming in at the end, postal inspectors said,
after Mr. Sharma had figured out how to buy access to stolen credit
card accounts online, change the cardholder information and reliably
wire money to himself - sometimes using false identities for which he
had created pristine driver's licenses.

But Mr. Sharma, now 22, says he never really kept track of his
earnings.

"I don't know how much I made altogether, but the most I ever made in
a quick period was like $20,000 in a day and a half or something," he
said, sitting in the empty meeting hall at the Mohawk Correctional
Facility in Rome, N.Y., where he is serving a two- to four-year term.  
"Working like three hours today, three hours tomorrow - $20,000."

And once he knew what he was doing, it was all too easy.

"It's an addiction, no doubt about that," said Mr. Sharma, who
inflected his words with the sort of street cadence adopted by smart
kids trying to be cool. "I get scared that when I get out, I might
have a problem and relapse because it would be so easy to take $300
and turn it into several thousand."

That ease accounts for the sizable ranks of identity-fraud victims,
whose acquaintance with the crime often begins with unexplained credit
card charges, a drained bank account or worse. The victims' tales have
become alarmingly familiar, but usually lack a protagonist - the
perpetrator. Mr. Sharma's account of his own exploits provides the
missing piece: an insight into both the tools and the motivation of a
persistent thief.

Identity theft can, of course, have its origins in a pilfered wallet
or an emptied mailbox. But for computer-savvy thieves like Mr. Sharma,
the Internet has forged new conduits for the crime, both as a means of
stealing identity and account information and as the place to use it.

The Secret Service and the Federal Bureau of Investigation have
invested millions of dollars in monitoring Internet sites where
thousands of users from around the world congregate to swap tips about
identity theft and to buy and sell personal data. Mr. Sharma
frequented such sites from their earliest days, and the techniques he
learned there have become textbook-variety scams.

"Shiva Sharma was probably one of the first, and he was certainly one
of the first to get caught," said Diane M. Peress, a former Queens
County prosecutor who handled all three of Mr. Sharma's cases and who
is now the chief of economic crimes with the Nassau County district
attorney's office. "But the kinds of methods that he used are being
used all the time."

As far back as 2002, Mr. Sharma began picking the locks on consumer
credit lines using a computer, the Internet and a deep understanding
of online commerce, Internet security and simple human nature,
obtained through years of trading insights with like-minded thieves in
online forums. And he deployed the now-common rods and reels of data
theft - e-mail solicitations and phony Web sites - that fleece the
unwitting.

Much of this unfolded from the basement of a middle-class family home
in Richmond Hill, Queens, at the hands of a high school student with a
knack for problem solving and an inability, even after multiple
arrests, to resist the challenge of making a scheme pay off.

That is what worries Mr. Sharma's wife, Damaris, 21, who has no time
for the Internet as she raises the couple's 1-year-old daughter,
Bellamarie.

"I hate computers," she said. "I think they're the devil."


A Thief's Tool Kit

Mr. Sharma is soft-spoken, but he does not shrink from the spotlight.  
He gained fleeting attention after his first arrest, as the first
person charged under a New York State identity-theft statute - and
later, at his high school graduation at the Rikers Island jail, where
he was the class valedictorian.

For a prison interview, he has applied gel to his mane of black hair.  
He is Hollywood handsome, with deceptively sleepy eyes and smiles that
come as tics in reaction to nearly every stimulus - a question, a
noise. Prosecutors interpreted those smiles as evidence of smug
indifference.

A tattoo of Shiva, the Hindu god of destruction and his namesake, is
just visible on Mr. Sharma's right arm, under the short sleeve of his
green prison jumpsuit.

Recalling his youth, Mr. Sharma said he was not unlike many other
young people growing up with the mating calls of modems and
unprecedented access to people, sounds, software and other thrills
streaming into the family's home over the Internet.

As the youngest of three children in a family of immigrants from
Trinidad - his parents brought the family to Queens when he was 6 -
Mr. Sharma said sibling battles for access to the computer were
common. He studied programming at Brooklyn Tech, one of New York's
most selective public high schools, where he met Damaris.

He enjoyed chatting on AOL and was drawn, along with millions of his
peers in the early days of file sharing, to downloading MP3's.

As he got older, he began hanging out on Internet-based chat channels
that dealt with bigger game, like bootleg software. And amid the
chatter were whispers of other something-for-nothing sites - ones
where thieves had set up bazaars involving credit cards, banks and
account numbers.

"So I ended up registering and then I started just looking, really,"  
Mr. Sharma said. "Not really taking anything in, just looking and
seeing what's going on there."

Mr. Sharma said he chiefly visited two such sites, Carderplanet.com
and Shadowcrew.com, where he was known by the screen name sniper5984
(the number denoted his birthdate). The sites were shut down in 2004,
but many others have sprung up to replace them.

"For the aspiring little computer hacker in the United States, they're
an excellent opportunity to learn," said Greg Crabb, the assistant
director for economic crimes at the United States Postal Inspection
Service's international group in Washington. On Carderplanet, for
example, "a person could learn how to set up a drop, receive packages,
develop other relationships and generally get started in the
business."

Mr. Sharma got started with phishing - sending e-mail meant to dupe
recipients into revealing their personal or financial data, which can
then be exploited. He told investigators that he paid $60 to someone
he had met on Carderplanet to buy a program designed to harvest AOL
e-mail addresses.

"I pretty much stuck with AOL because I knew AOL is most likely people
new to the Internet," Mr. Sharma explained, "people who don't use the
Internet for much but chat rooms."

He managed to gather about 100,000 addresses, and crafted an e-mail
message that told recipients, "We regret to inform you, but due to a
recent system flush, the billing information for your account was
deleted." Recipients were instructed to follow a link to a Web page to
remedy the situation.

The Web page, which mimicked AOL's look and feel, including a bogus
AOL Web address, had form fields requesting everything from name and
address to mother's maiden name, Social Security number, date of
birth, credit card number, expiration date and bank.

The "submit" button sent the data to Mr. Sharma's e-mail account. He
then went shopping.

From the 100,000 phishing e-mails Mr. Sharma sent, investigators say,
about 100 recipients were duped into clicking through to the phony AOL
Web page he created and filling out the form. Mr. Sharma said he did
even better, with about 250 to 300 responses.

And Mr. Sharma went on to more elaborate and lucrative schemes. By the
end, he said, he had become well known at Carderplanet and Shadowcrew
for being able to "cash out" victims' credit accounts by making large
wire transfers from their accounts to himself.

"I cash them out all the time," sniper5984 wrote at Carderplanet on
July 5, 2004. "Here's two examples of Citi Cards I have used last
month just to show."

Sniper5984 then provided links to two images of the account statement
of the victim, a California resident, showing, amid various legitimate
charges, nearly $10,000 in Western Union wire transfers made over
three days in June 2004.

There were also two charges for Domino's pizza in Ozone Park, Queens.

"There was always a challenge," Mr. Sharma said. "You know, like it's
always something like, wow, can I take it to the next step, you know?"

Ms. Sharma recalled that on trips to a Six Flags amusement park, her
husband rarely took to the rides, preferring instead the games of
chance. "The ones where you win a giant stuffed animal if you can
throw some ball into a bucket or something like that, but there's
obviously some trick to it," she said. "Well, he would always know the
trick."

She also recalled one evening in the summer of 2004, when Mr. Sharma
came to her apartment with $27,000 in cash and asked her to hold onto
it overnight. The next morning he picked up the money and returned
later with a new Acura RSX.

"He liked to race cars," Ms. Sharma said.

Back at the correctional facility, Mr. Sharma struggled to find a
clear explanation for his crimes. At times he suggested he was taking
aim at a usurious banking industry. At other moments he offered that
it was simply a game, that he was young, that he was not thinking
clearly.

"Well, you know - I mean there's no, there's no justification behind
it at all," he said. "You know it was wrong, and I did it - it was
wrong."

He also suggested it all became too easy too fast.

"The challenge was really stopping, you know?" he said. "That was the
hardest challenge of them all."


'It's Sharma Again'

The tools that allowed Mr. Sharma to profit from his thievery were
also his undoing, more than once.

On Sept. 19, 2002, William Robertson, a 73-year-old retired physical
education teacher in Ormond Beach, Fla., received one of the 100,000
e-mail lures that Mr. Sharma had sent out from Queens, and he fell
for the scam.

"I don't know what made me fill out that whole form," Mr. Robertson
said. "At that time I was a fairly new user of the computer. And after
I did it, I just didn't feel right. But it wasn't until after the
credit card company called me that I knew I'd done anything wrong."

A $3,000 Eltron photo ID printer had been bought on his Chase credit
card from an online store in Buffalo. He canceled the card and made a
report to the Flagler County police. The police determined that the
printer had been shipped to a Brent Sharma in Queens.

Just over a month later, on Nov. 8, Peter Ruh, a United States postal
inspector, arrived at Mr. Sharma's parents' home wearing a postal
delivery uniform and carrying a box of high-end racing car parts that
Mr. Sharma had ordered using another credit card account he had
hijacked. When Mr. Sharma identified himself and signed for the
package, Mr. Ruh, wearing a wire, gave a pre-arranged signal and his
fellow inspectors, along with New York City police officers, moved in.

Among the items seized from his parents' basement were a computer, two
digital cameras, a scanner, nearly 500 blank plastic identity cards
with magnetic strips, two Marine Corps ID's - with Mr. Sharma's name
and photo - and a newer model Eltron photo ID printer. A search of his
computer revealed personal identifying information on hundreds of
people from across the country.

"We were surprised at how forthcoming he was," Mr. Ruh said. "He was
very proud of his accomplishments."

It was the first of many encounters that Queens postal investigators
would have with Mr. Sharma over the next two years. "I'd get a call
from someone over at Postal and they'd say, 'You're not going to
believe this,' " Ms. Peress said. "And then they'd say, 'It's Sharma
again.' "

Even with charges of identity theft pending in the AOL case, Mr.  
Sharma was arrested and charged again, in May 2003, for schemes
involving the hijacking of Amazon.com accounts, moving fraudulently
bought merchandise through auctions at eBay and Yahoo, and enlisting
the father of a friend to receive shipments at his home in exchange
for a digital camera.

Four months later, as part of a combined plea agreement, Mr. Sharma
was permitted to plead guilty in the first case as a youthful
offender, avoiding a felony designation. He pleaded guilty in the
second case to two felony counts of identity theft and unlawful
possession of personal identification information. In November 2003 he
was sentenced to five years' probation and 350 hours of community
service and was ordered to pay $5,000 in restitution.

But within a month, on Jan. 21, 2004, sniper5984 was active again at
Carderplanet. "I am looking for partners," he wrote.


Logging Off

By the summer of 2004, investigators had begun piecing together a
string of complaints from out-of-state consumers whose credit card
accounts had been hijacked for tens of thousands of dollars in bogus
charges, and they quickly recognized the modus operandi.

Mr. Sharma was arrested again in October while accepting a package
under the watch of postal inspectors. A search of his apartment in
Ozone Park on Oct. 16, 2004, the day after his final arrest, turned up
consumers' credit bureau reports, assorted hand-written notations of
credit card accounts and Social Security numbers and printed chats
showing him negotiating online for the purchase of FirstUSA and MBNA
credit cards.

Mr. Sharma remembers making heavy use, just before his last arrest, of
the credit card of a commercial airline pilot from Florida.

Receipts show that a Jean Pascal Francis, presenting a Michigan state
identification card, signed in Queens for nearly $5,500 in Western
Union cash transfers charged to the pilot's account on a single Friday
afternoon in July 2004. A Michigan state identification card with that
name and Mr. Sharma's photograph was among the documents later found
in Mr. Sharma's apartment.

"I thought it was horrible," recalled the airline pilot, who did not
want to be named because he feared it would invite other thieves to
take a crack at him. "You just feel violated in terms of your
privacy."

Meanwhile, Mr. Sharma, whose family had moved to Florida, was largely
on his own in New York and was burning through cash like rocket fuel.

"I tried every five-star hotel in Manhattan," he said. "That's why
they say, 'Oh, he stayed at the Parker Meridien, the Regency, the
Waldorf-Astoria.' You know, I went to all those and just stayed. The
Mandarin Oriental is by my wife's house, and that's supposed to be the
nicest one and the newest one, so I went there and it's like $3,500 a
night."

"The more you make," he added, "it's like, it becomes a different kind
of lifestyle."

The question now is whether Mr. Sharma, who has a parole hearing in
August, can adapt to a less lucrative lifestyle when he gets out.

He says he is determined to stay clean long enough for his knowledge
of fraud techniques to become obsolete. "I've just got to stay with my
daughter and just try and stick it through another year or two," Mr.  
Sharma said, "because by then things have changed so much that it will
be kind of hard for me to just go back in there and do everything."

His wife understands the temptations that will lurk in the meantime.

"I do worry a whole lot because - I don't want to say I agree, but I
understand his mentality," Ms. Sharma said. "People work really hard
for eight hours a day and make minimum wage. And he knows he can get
out and make the same thing with the computer in half an hour."

Kassie Bracken contributed reporting for this article.

Copyright 2006 The New York Times Company






This archive was generated by hypermail 2.1.3 : Wed Jul 05 2006 - 22:58:25 PDT