John Schiefer, 27, of Los Angeles, who used the online handle “acidstorm,” pleaded guilty last year to accessing protected computers to conduct fraud, disclosing illegally intercepted electronic communications, wire fraud and bank fraud. Schiefer was sentenced by United States District Judge A. Howard Matz, who also ordered the defendant to pay a $2,500 fine.
When he pleaded guilty, Schiefer admitted that he illegally accessed hundreds of thousands of computers in the United States and that he remotely controlled these compromised machines through computer servers. Once in control of the “zombie” computers, Schiefer used his botnets to search for vulnerabilities in other computers, intercept electronic communications and engage in identity theft.
In connection with the wiretapping scheme, Schiefer admitted that he and others installed malicious computer code, known as “malware,” on zombie computers that captured electronic communications as they were sent from users’ computers. Because victims with compromised computers did not know that their computers had become infected and were “bots,” they continued to use their computers to engage in commercial activities, such as making online purchases. Schiefer’s “spybot” malware allowed him to intercept communications sent between victims’ computers and financial institutions, such as PayPal.
Schiefer sifted through those intercepted communications and mined usernames and passwords to accounts. Using the stolen usernames and passwords, Schiefer made purchases and transferred funds without the consent of the victims. Schiefer also gave the stolen usernames and passwords, as well as the wiretapped communications, to others. Schiefer is the first person in the nation to plead guilty to wiretapping charges in connection with the use of botnets.
Schiefer also admitted stealing information from numerous computers by accessing the PStore, which is intended to be a secure storage area of computers running Microsoft operating systems. To accomplish this, Schiefer installed malware on computers that caused them to send account access information, including usernames and passwords for PayPal and other financial websites, to computers controlled by Schiefer and others.
Schiefer used that information to make unauthorized purchases using funds transferred directly from victims’ bank accounts. Finally, Schiefer admitted defrauding a Dutch Internet advertising company with his armies of zombie computers. Schiefer signed up as a consultant with the advertising company and promised to install the company’s programs on computers only when the owners of those computers gave consent. Instead, Schiefer and two co-schemers installed that program on approximately 150,000 zombie computers whose owners did not give consent. Schiefer was ultimately paid more than $19,000 by the advertising company.
In addition to his guilty pleas to the criminal charges, Schiefer has agreed to pay approximately $20,000 in restitution to the Dutch advertising company and financial institutions that he defrauded. This case was investigated by the Federal Bureau of Investigation.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.