By Jessica Guynn
Los Angeles Times Staff Writer
November 10, 2007
A Los Angeles man entrusted with making personal computers safer has
admitted to hacking into them to create a rogue network of as many as a
quarter-million PCs, which he used to steal money and identities.
Federal prosecutors Friday said that John Kenneth Schiefer, a
26-year-old computer security consultant, used an army of hijacked
computers, known as a "botnet," to carry out a variety of schemes to rip
off unsuspecting consumers and corporations.
Schiefer agreed to plead guilty to four felony charges in connection
with the case and faces up to 60 years in prison and a $1.75-million
fine, according to court documents filed Friday in federal court in Los
His lawyer, Arthur Barens, could not be reached for comment.
The vast number of computers that Schiefer compromised -- as many as
250,000 -- highlights a stealthy online crime spree on the rise. These
botnets, short for "robot networks," remotely harvest personal
information, including user names and passwords, to give their operators
access to credit card information and online bank accounts.
Federal law enforcement agencies have stepped up their pursuit of botnet
operators in recent years as they have drained bank accounts, stolen
identities and overwhelmed federal authorities, security experts say.
"We have seen a dramatic uptick in the last few years in the number of
botnets being used to give their masters direct financial gain," said
Jose Nazario, a senior researcher at online security firm Arbor Networks
Schiefer, who on the Internet went by the handles "acidstorm," "acid"
and "storm," is the first person to be accused under federal wiretapping
law of operating a botnet, said Assistant U.S. Atty. Mark Krause in Los
By intercepting electronic communications, Schiefer stole user names and
passwords for EBay Inc.'s PayPal online payment service to make
unauthorized purchases. He also passed the stolen account information on
EBay spokesman Hani Durzy could not be reached for comment.
At one point, according to the plea agreement, a conspirator named
"Adam" expressed concern about stealing money. Schiefer responded by
reminding Adam that he was not yet 18 and should "quit being a bitch and
Schiefer's indictment caps a federal investigation that began in 2005
and uncovered a variety of schemes. Prosecutors said Schiefer and his
cohorts, who were not named, used illicit software they planted on
people's PCs to spirit account information from a storage area in
He also was paid by a Dutch Internet advertising company to install its
programs on people's computers when they consented, but he installed it
on more than 150,000 PCs without permission, earning more than $19,000
In all, the federal indictment includes four counts of accessing
protected computers to commit fraud, disclosing illegally intercepted
electronic communications, wire fraud and bank fraud. Federal
authorities said they were still trying to identify victims and the
scope of their losses.
Schiefer carried out the crimes using computers at his home and office,
prosecutors said. Henry Park, president of Los Angeles-based 3G
Communications, where Schiefer worked, could not be reached for comment.
"John Schiefer was an information security professional who betrayed the
trust that both his employer and society placed in him," Assistant U.S.
Atty. Krause said.
Krause would not say how federal authorities captured Schiefer or
whether they planned to charge others in the case. Schiefer has agreed
to make an initial appearance in Los Angeles on Nov. 28 and to be
arraigned on Dec. 3.
He could face a long prison stretch. In May 2006, a Downey man, Jeanson
James Ancheta, was sentenced to almost five years in federal prison
after pleading guilty to four felony charges for using botnets to spread
spyware and send spam.
Copyright 2007 Los Angeles Times
Visit InfoSec News