<h1><font size="2">UNITED
STATES: Computer Security Consultant Charged With Infecting Up to a
Quarter Million Computers that Were Used to Wiretap, Engage in Identity
Theft, Defraud Banks</font> </h1><a href="http://www.ibls.com/internet_law_news_portal_view.aspx?s=sa&id=1147">http://www.ibls.com/internet_law_news_portal_view.aspx?s=sa&id=1147</a><br><div class="articleButtons">
<em class="light">Wednesday, January 30, 2008</em><br></div><font size="2">
</font><p align="justify"><font size="2"><font face="Arial,Helvetica,sans-serif">In
the first prosecution of its kind in the nation, a well-known member of
the "botnet underground" was charged today with using "botnets" -
armies of compromised computers - to steal the identities of victims
across the country by extracting information from their personal
computers and wiretapping their communications. </font></font></p>
<p align="justify"><font size="2"><font face="Arial,Helvetica,sans-serif"> John
Schiefer, 26, of Los Angeles (90011), has agreed to plead guilty to
four felony counts: accessing protected computers to conduct fraud,
disclosing illegally intercepted electronic communications, wire fraud
and bank fraud. </font></font></p>
<p align="justify"><font size="2"><font face="Arial,Helvetica,sans-serif"> The
criminal information and plea agreement filed this morning in United
States District Court in Los Angeles outline a series of schemes in
which Schiefer and several associates developed malicious computer code
and distributed that code to vulnerable computers. Schiefer and the
others used the illicitly installed code to assemble armies of up to
250,000 infected computers, which they used to engage in a variety of
identity theft schemes. Schiefer also used the compromised computers to
defraud a Dutch advertising company. </font></font></p>
<p align="justify"><font size="2"><font face="Arial,Helvetica,sans-serif"> In
his plea agreement, Schiefer acknowledged installing malicious computer
code, or "malware," that acted as a wiretap on compromised computers.
Because the users of those compromised computers were unaware that
their computers had been turned into "zombies," they continued to use
their computers to engage in commercial activities. Schiefer used the
malware, which he called a "spybot," to intercept electronic
communications being sent over the Internet from those zombie computers
to <a href="http://www.paypal.com">www.paypal.com</a> and other websites. Once in possession of those
intercepted communications, Schiefer and the others sifted through the
data to mine usernames and passwords. With Paypal usernames and
passwords, Schiefer and the others accessed bank accounts to make
purchases without the consent of the true owners. Schiefer also
acknowledged in the plea agreement that he transferred both the
wiretapped communications and the stolen Paypal information to others.
It is the first time in the nation that someone has been charged under
the federal wiretap statute for conduct related to botnets. </font></font></p>
<p align="justify"><font size="2"><font face="Arial,Helvetica,sans-serif"> In
another scheme, Schiefer installed malware on zombie computers running
Microsoft operating systems, causing them to disgorge usernames and
passwords from a secure storage area known as the PStore. Schiefer and
his co-schemers caused the zombie computers to send that account access
information to computers that Schiefer and his co-schemers controlled.
Once again, Schiefer located Paypal usernames and passwords among this
data and used that authentication information to access victim bank
accounts. </font></font></p>
<p align="justify"><font size="2"><font face="Arial,Helvetica,sans-serif"> Finally,
Schiefer acknowledged defrauding an Internet advertising company with
his botnets. Schiefer signed up as a consultant with a Dutch Internet
advertising company and promised to install the company''s programs on
computers only when the owners gave consent. Instead, Schiefer and two
co-schemers installed that program on approximately 150,000 computers
that were infected with their malware. To avoid detection by the
advertising company, Schiefer instructed his associates to moderate the
number of installations so it appeared that the installations were
legitimate and not the result of a malicious computer program that was
propagating itself. Schiefer was ultimately paid more than $19,128.35
by the advertising company. </font></font></p>
<p align="justify"><font size="2"><font face="Arial,Helvetica,sans-serif"> Schiefer has agreed to make an initial appearance in Los Angeles on November 28 and to be arraigned on December 3. </font></font></p>
<p align="justify"><font size="2"><font face="Arial,Helvetica,sans-serif"> Once
he pleads guilty to the four counts, Schiefer will face a statutory
maximum sentence of 60 years in federal prison and a fine of $1.75
million. </font></font></p>
<p align="justify"><font size="2"><font face="Arial,Helvetica,sans-serif"> This case was investigated by the Federal Bureau of Investigation. </font></font></p>
<p align="justify"><font size="2"><font face="Arial,Helvetica,sans-serif"> By the Federa Bureau of Investigations- FBI.</font></font></p>