[ISN] Security consultant admits to hijacking PCs to use in crimes

From: InfoSec News (alerts@private)
Date: Sun Nov 11 2007 - 22:05:52 PST


http://www.latimes.com/business/la-fi-botnet10nov10,1,3400959.story?coll=la-headlines-business&ctrack=1&cset=true

By Jessica Guynn
Los Angeles Times Staff Writer
November 10, 2007

A Los Angeles man entrusted with making personal computers safer has 
admitted to hacking into them to create a rogue network of as many as a 
quarter-million PCs, which he used to steal money and identities.

Federal prosecutors Friday said that John Kenneth Schiefer, a 
26-year-old computer security consultant, used an army of hijacked 
computers, known as a "botnet," to carry out a variety of schemes to rip 
off unsuspecting consumers and corporations.

Schiefer agreed to plead guilty to four felony charges in connection 
with the case and faces up to 60 years in prison and a $1.75-million 
fine, according to court documents filed Friday in federal court in Los 
Angeles.

His lawyer, Arthur Barens, could not be reached for comment.

The vast number of computers that Schiefer compromised -- as many as 
250,000 -- highlights a stealthy online crime spree on the rise. These 
botnets, short for "robot networks," remotely harvest personal 
information, including user names and passwords, to give their operators 
access to credit card information and online bank accounts.

Federal law enforcement agencies have stepped up their pursuit of botnet 
operators in recent years as they have drained bank accounts, stolen 
identities and overwhelmed federal authorities, security experts say.

"We have seen a dramatic uptick in the last few years in the number of 
botnets being used to give their masters direct financial gain," said 
Jose Nazario, a senior researcher at online security firm Arbor Networks 
Inc.

Schiefer, who on the Internet went by the handles "acidstorm," "acid" 
and "storm," is the first person to be accused under federal wiretapping 
law of operating a botnet, said Assistant U.S. Atty. Mark Krause in Los 
Angeles.

By intercepting electronic communications, Schiefer stole user names and 
passwords for EBay Inc.'s PayPal online payment service to make 
unauthorized purchases. He also passed the stolen account information on 
to others.

EBay spokesman Hani Durzy could not be reached for comment.

At one point, according to the plea agreement, a conspirator named 
"Adam" expressed concern about stealing money. Schiefer responded by 
reminding Adam that he was not yet 18 and should "quit being a bitch and 
claim it."

Schiefer's indictment caps a federal investigation that began in 2005 
and uncovered a variety of schemes. Prosecutors said Schiefer and his 
cohorts, who were not named, used illicit software they planted on 
people's PCs to spirit account information from a storage area in 
Windows-based computers.

He also was paid by a Dutch Internet advertising company to install its 
programs on people's computers when they consented, but he installed it 
on more than 150,000 PCs without permission, earning more than $19,000 
in commissions.

In all, the federal indictment includes four counts of accessing 
protected computers to commit fraud, disclosing illegally intercepted 
electronic communications, wire fraud and bank fraud. Federal 
authorities said they were still trying to identify victims and the 
scope of their losses.

Schiefer carried out the crimes using computers at his home and office, 
prosecutors said. Henry Park, president of Los Angeles-based 3G 
Communications, where Schiefer worked, could not be reached for comment.

"John Schiefer was an information security professional who betrayed the 
trust that both his employer and society placed in him," Assistant U.S. 
Atty. Krause said.

Krause would not say how federal authorities captured Schiefer or 
whether they planned to charge others in the case. Schiefer has agreed 
to make an initial appearance in Los Angeles on Nov. 28 and to be 
arraigned on Dec. 3.

He could face a long prison stretch. In May 2006, a Downey man, Jeanson 
James Ancheta, was sentenced to almost five years in federal prison 
after pleading guilty to four felony charges for using botnets to spread 
spyware and send spam.

Copyright 2007 Los Angeles Times


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/



This archive was generated by hypermail 2.1.3 : Sun Nov 11 2007 - 22:23:00 PST