Hacker gets four years for botnet attacks

A search engine employee has been given a four-year jail sentence after infecting 250,000 PCs with malicious botnets.


Mahalo employee John Schiefer, a 27-year-old Los Angeles resident, was ordered to pay US$2,500 in fines. He was arrested in 2007 as part of an investigation against botnet makers, called Operation Bot Roast II.

The case marks the first time that someone has been charged with operating a botnet under US wiretapping laws. Schiefer could have been sentenced to as much as five years in prison on the charges.

Schiefer, a former security researcher, agreed to plead guilty to stealing usernames, passwords and financial data from more than 250,000 compromised systems, then installing adware on the massive botnet that he and several accomplices set up.

The guilty plea was formally entered and accepted last April, and sentencing was originally scheduled for last August but was extended several times because of motions filed by Schiefer. He faced a maximum of 60 years in prison and fines of $1.75 million after admitting to four felony counts involving illegal access to computers, illegal interception of data and wire fraud.

Schiefer, who used the online handle "acidstorm" as well as both "acid" and "storm," worked until early 2006 as a security consultant at a Los Angeles-based network services provider named 3G Communications.

According to court documents, Schiefer used both home and work computers as part of the data theft scheme, in which he and his accomplices compromised systems and planted malware that added the machines to their botnet and enabled the cybercrooks to intercept and capture communications between the systems and various websites.

The documents said that Schiefer and his cohorts sifted through the intercepted data looking for usernames and passwords to PayPal and online bank accounts, then used the information to make fraudulent purchases and transfer funds out of the accounts.

The data thieves also used malware to steal user credentials directly from the Protected Storage, or PStore, subsystem offered in older versions of Windows. According to law enforcement officials, the malware would capture supposedly secure information from PStore and send it to servers controlled by Schiefer and his accomplices, at least one of whom was allegedly a minor.

In addition, Schiefer admitted to illegally installing adware programs on nearly 150,000 of the compromised systems without the consent of their owners. The adware was installed on behalf of a Netherlands-based Internet advertising firm that had contracted with Schiefer to do the work, but the contract terms required him to get consent from users before doing installations.

When Schiefer agreed to plead guilty to the charges against him, he also said he would pay nearly $20,000 in restitution to the Dutch company and to financial institutions that he had defrauded, according to court documents.

But his former employers, Mahalo executives, didn't know about his criminal activities when they hired him. In a blog posting, Mahalo founder Jason Calacanis said company CTO Mark Jeffrey had "screwed up by not doing a simple Google search on John's name", but he stood by his employee, saying there is a fine line between hackers "who put one foot over the line" and commit minor indiscretions, and others like Schiefer, who "race past it".

"I consider myself a fairly decent judge of character, and after spending months with John, I'm convinced he was an angry stupid kid when he launched his botnet attack (which did .000000001 percent of the damage it could have)," Calacanis said.

"Now he's an adult who just wants to make a decent living, spend time with his significant other and breathe the clean air off the Pacific Ocean by our offices in Santa Monica."

"When he comes out, I hope to be able to offer him a job and that we can work together again," Calacanis said.

Schiefer used several partners in the scheme - some of them minors whom he "bullied ... into participating in the crimes," said prosecutors in the suit.

In another scam, a Dutch online marketing company called Simpel Internet paid him more than $19,000 for installing the company's TopConverting adware on PCs, which he did without the consent of his victims. As part of his plea agreement, Schiefer will pay $20,000 in restitution to Simpel Internet and the financial institutions he defrauded.

He also used the botnet to launch distributed denial of service (DDoS) attacks, and in an interview with the FBI he claimed to have knocked the Los Angeles Times' website offline, prosecutors said.

Schiefer seemed happy with the money he was making from his scams. According to evidence entered into court, another one of his instant messaging signatures read: "Crime pays, and it also has an excellent benefits package".