Slashdot Mirror


US Bot Herder Admits Infecting 250K Machines

AceCaseOR writes "In Los Angeles criminal court, security consultant John Schiefer, 26, has admitted infecting the systems of his clients with viruses to form a botnet containing a maximum of 250,000 systems. Schiefer used his zombies to steal users' PayPal usernames and passwords to make unauthorized purchases, as well as to install adware on their computers without their consent. Schiefer agreed to plead guilty to four felony charges of accessing protected computers to commit fraud, disclosing illegally intercepted electronic communications, wire fraud, and bank fraud. He will be sentenced Dec. 3 and faces up to 60 years in prison and a fine of $1.75 million."

25 of 206 comments

  1. from the article by Anonymous Coward · · Score: 5, Funny

    "...a system so simple even a grandmother could use it to infect computers..."

    As a feminist, and a grandmother, I resent that.

  2. Unfortunately, I was a victim by Anonymous Coward · · Score: 4, Funny

    The adware and viruses he installed slowed my system down, so I couldn't get first post.

  3. less than 15 cents per infected computer ... by tomhudson · · Score: 3, Insightful

    According to the article, this jerk got $19,000 for dumping adware on more than 150,000 pcs.

    He also encouraged minors to act as go-betweens:

    At one point, according to the plea agreement, a conspirator named "Adam" expressed concern about stealing money. Schiefer responded by reminding Adam that he was not yet 18 and should "quit being a bitch and claim it

    Obviously he had more than one kid "working" for him. He probably agreed to the plea-bargain because otherwise he'd be facing total possible time of several hundred years.

    However, he won't be hired by anyone in the computer field after this - what he did was a simple con, no "computer wizardry" required. Hans Reiser would have more chance after a murder conviction.

  4. A better article, names companies involved, etc. by trolltalk.com · · Score: 5, Informative
    http://www.scamfraudalert.com/f142/john-kenneth-schiefer-botmaster-aka-acid-acidstorm-pleads-guilty-10692/

    1. He was employed at a Los Angeles-based security firm known as 3G Communications.
    2. The malware contained a sniffing feature that siphoned PayPal credentials from Protected Store, a section of Windows that stores passwords users have opted to have saved. Although Pstore, as the Windows feature is often called, encrypts the information before storing it, Schiefer's malware was able to read it, presumably by escalating its Windows privileges.
    3. On one occasion, in December 2005, he moved money out of a Suffolk National Bank account to buy undisclosed domain names from a registrar by the name of Dynadot.
    4. Schiefer also used the botnet to collect more than $19,000 in commissions from a Dutch company called Simpel Internet for installing its adware on end users' machines without their permission.
  5. Auditing, Auditing... by BoRegardless · · Score: 4, Interesting

    This is why companies have outside auditors for their accounting departments.

    Should not companies now figure out how to audit their IT departments regularly?

    This is NOT that uncommon, after reading some of the stuff written by the forensic snoops hired by private companies (who mostly do not want anyone to know that anything was compromised...shareholders & investors for instance).

    1. Re:Auditing, Auditing... by thatskinnyguy · · Score: 3, Interesting

      As it seems from the summary, the companies who fell prey to this malfeasance either don't have IT departments or the budget to support one. I used to work for a company that was an outsourcing service provider for companies' IT needs. It's surprising how many well-established companies don't want to put the resources into a dedicated IT department let alone a special division for auditing the computerized processes and systems that keep the business afloat.

      --
      The game.
  6. Re:White collar by Dogtanian · · Score: 5, Insightful

    He'll get 5 years at a country club and a bunch of great job offers after he gets out. You heard it here first.

    Actually, I suspect that there's going to be a major perceived difference between someone who has simply hacked into others' computers in the past, and someone who has specifically exploited the trust of and targeted those who employed him to protect their PCs.

    Would I trust a former black-hat hacker to protect my computers? Possibly. Would I trust someone who has specifically targeted and screwed over his clients in the past- the people who paid him good money to protect them from such behaviour? Would I fuck.
    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  7. What about Sony by 31415926535897 · · Score: 3, Interesting

    If he gets a fine this large and jail time for infecting 0.25 million computers, where's the appropriate sentence for Sony for knowingly infecting millions of computers with the rootkit on their CDs?

    1. Re:What about Sony by Kjella · · Score: 3, Informative

      If he gets a fine this large and jail time for infecting 0.25 million computers, where's the appropriate sentence for Sony for knowingly infecting millions of computers with the rootkit on their CDs?

      Ah, you can just hear the angry raving mob forming, ready to burn down Sony headquarters.

      four felony charges of accessing protected computers to commit fraud, disclosing illegally intercepted electronic communications, wire fraud, and bank fraud.

      Maybe when Sony has actually committed anything like this? The only charge that has the slightest whiff of relevance is that the rootkit CDs may be considered fraudulent, but to legally charge Sony with fraud they must gain some benefit through fraud, and I don't see what that could be. Yes, they should have been slapped under some sort of hacking law but this is comparing apples and oranges.
      --
      Live today, because you never know what tomorrow brings
  8. He did the crime....he should do the time by Joce640k · · Score: 5, Insightful

    He knowingly, willingly and maliciously did this. It wasn't an accident, a crime of passion or something he did because he was drunk one night, it took real work over many months. He was well aware of what he was doing the whole time he was doing it.

    The proverbial book needs to be thrown at people like this. These are precisely the sort of people we should be making an example of.

    --
    No sig today...
    1. Re:He did the crime....he should do the time by rbannon · · Score: 3, Interesting

      You said, ``hell, he admitted it.''

      Fact is, admitting to a crime is not the same as being guilty. I'm not saying he's not guilty, but knowing how the system works casts serious doubts in my mind about his guilt.

  9. Re:"security consultant" John Schiefer by mrbluze · · Score: 4, Insightful

    Please don't insult the thousands of honest security consultants by calling this guy a "security consultant." The title of "con artist" would be far more accurate.

    Ok, but what is a security consultant? I have a friend who is a colour consultant but she has no education and drives around in a small car telling people what curtains to buy and clothes to wear. Another colour consultant I met almost made me buy pink curtains... whew, lucky I checked her credentials. She was colour blind!

    These days, using the word "consultant" outside of strictly regulated industries (eg: medical field) is just a method of social 'privilege escalation', as far as I'm concerned.

    --
    Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
  10. Crime and Punishment by Synonymous+Bosch · · Score: 3, Interesting

    There's nothing constructive to derive from this post but pointless speculation. Let that take care of the concerns of the trolls and critics right off the bat, nothing to see here, move along.

    Anyways, I've been doing a bit of thinking about this issue.

    You often hear about 'white collar' criminals being given massive sentences. They could be organisers of international software piracy rings, super electronic fraudsters (like the one mentioned in the original parent article), whatever. The numbers of years they are sentenced to and dollars they are fined just seem to get bigger and bigger each time I hear a new story.

    New laws are increasingly being passed to raise the penalties for electronic crimes. These harsher penalties don't seem to be acting as much of a deterrent, however.

    The economic damage caused by internet and computer crime is staggering, the number of victims (as seen in the article) in the hundreds of thousands, potentially even millions. Could there come a time where these crimes could incur capital punishment?

    Disclaimer: I come from a country without the death penalty, and personally don't understand the necessity for it, so don't read this as my supporting the idea. This isn't about my personal philosophy.

    Murder is already a capital crime in a number of US states. People are already being executed in many countries for crimes other than murder. Drug trafficking, serious sexual offences, could it be a relatively small step for internet crimes to escalate into capital territory?

    The internet being international as it is and the victims of these crimes often being selected so indiscriminately, could it be a matter of time before an American committing e-fraud is indicted in a country where his crimes are of a capital nature?

    Extrapolating ludicrously, could a European citizen not subject to capital punishment be indicted by an America where their internet-based crime warrants the death penalty?

    It's controversial enough when a citizen of a country that doesn't have the death penalty is sentenced to death in one that does. Imagine if the crime they committed was something we might look at as being comparatively trivial in nature.

    1. Re:Crime and Punishment by despisethesun · · Score: 4, Informative

      Extrapolating ludicrously, could a European citizen not subject to capital punishment be indicted by an America where their internet-based crime warrants the death penalty?
      It's worth noting that most countries without the death penalty will not extradite you to a country with the death penalty if you're facing that punishment when you get there. They generally require assurances that you will face life without parole if convicted instead.
      --
      This poo is cold.
    2. Re:Crime and Punishment by AceCaseOR · · Score: 3, Informative

      Murder is already a capital crime in a number of US states. People are already being executed in many countries for crimes other than murder. Drug trafficking, serious sexual offences, could it be a relatively small step for internet crimes to escalate into capital territory?

      I'm going to say this isn't very likely. At least in the US, people are only executed for crimes where they cause direct physical harm to another person (generally murder and occasionally rape). For other offences you generally get a life sentence, or de facto life sentence (say 135 years in the clink).
      --
      Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
  11. Re:Whoa! by brassman · · Score: 5, Insightful

    Indeed, it's worth stressing why the penalty should be so severe. The guy positioned himself as a security expert, offering to protect his clients against this very sort of thing.

    Gaining someone's trust with the intent to betray it is a particularly pernicious form of moral rot. It is called "embezzlement," and there is a reason it is viewed even more harshly than burglary or robbery under the law.

    Losing property to a hostile stranger does not turn society upside down. Burglary (taking someone's property) is often considered rather petty, especially when the property owner is absent.

    Robbery (taking property directly from someone) is more serious -- but even though there is an active component of threat, it can be impersonal: "Hand it over and nobody gets hurt." Robbery without violence might disrupt the victim's life, but the disruption might be only to the extent that he or she is reminded that none of us is an invulnerable superbeing.

    Embezzling someone's assets invalidates their judgment and throws every decision they have ever made into question. It is psychologically devastating. When someone who has promised to protect you is instead the one who steals from you, he is undermining the basis of civilization itself.

    --
    "Ain't no right way to do a wrong thing."
  12. Re:broken justice? by RenderSeven · · Score: 5, Informative

    I guess he can always appeal, right?

    You can't appeal a guilty plea.
  13. 3G Communications may go under because of him by Joce640k · · Score: 4, Interesting

    3G Communications may also go under because of this guy's actions.

    Would you trust them after this?

    --
    No sig today...
  14. Re:Corrupting the mind of youths by tftp · · Score: 4, Funny

    Unfortunately, ancient Greeks had nothing against corrupting the bodies of youths.

  15. Re:"security consultant" John Schiefer by Anonymous Coward · · Score: 5, Funny

    Quoth dogbert, "I like to con people. And I like to insult people. If you combine con & insult, you get consult!"

  16. Re:Whoa! by Grave · · Score: 5, Insightful

    I don't believe he meant to put down the experience of being robbed. Rather, I believe his point was that the morality of a person who commits robbery is not quite as damaged and evil as someone who knowingly gains the trust of thousands just to deceive them. To the victim the difference may not be significant, but for the perpetrator of the act it is very different, and thus deserving of a more substantial punishment. Though I must say, he's not going to serve 60 years - that's the max, and I find it hard to believe any judge is going to sentence him to the full time, as it would be pretty much the rest of his life.

  17. Hard punishment? Hardly. by Opportunist · · Score: 4, Interesting

    I'm the last person to support insane prison time and fines as a deterrent. It ain't one. It never has been and never will be. Look at the insane punishments we got today for copyright infringement. And I'm not even talking about the civil suits for "damages" (or as I like to call it "the MI's new business model"). We now got 10 years prison time for that as a maximum sentence. For the same penalty, I could rob a bank, hold people hostage for a few hours and wreck a getaway car into a school.

    This isn't just a "simple" criminal using malware to steal IDs. He was the guy who was supposed to disallow exactly that. He was the one people trusted to keep them clean from malware. Now, he didn't just fail in his job and allow it despite his attempts, he deliberately and intentionally infected his clients' computers.

    That's why I don't think this punishment is overdone. We're talking about the maybe most insidious way of breaking a law: Getting people's trust, getting them to believe you're going to keep them safe from just what you want to do to them. It's like a cop breaking into your home or your babysitter ... ok, no thinkofthechildren examples. But you get the idea.

    This is NOT the punishment I'd see as adequate for a "normal" malware attacker (even though I would love to see them dangling from their dangling bits, but that's my personal opinion).

    As for those that expect him to get out after 5 years and have a great job then, I can tell you this: I can't say anything about his time, but his job opportunities are going to be slim. The security industry isn't big. People know each other. People like this are going to be not known, they are infamous. And nobody will willingly touch him with a 10 foot pole.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  18. Re:"security consultant" John Schiefer by cmacb · · Score: 4, Funny

    These days, using the word "consultant" outside of strictly regulated industries (eg: medical field) is just a method of social 'privilege escalation', as far as I'm concerned.


    If you need any help telling the real consultants from the phony ones, just contact me, I'm a Consultant Consultant, although our industry association is considering a name change to "Consultant 3.0".

    Thx
  19. Re:Whoa! by MillionthMonkey · · Score: 3, Funny

    How many kilowatt-hours were devoted to this nonsense? How many tons of coal were burned to support a botnet of a quarter million computers? How many microkelvin did the resulting carbon dioxide raise the planet's temperature? How many square meters of ice cover did we lose? How many polar bears drowned or froze to death? There's a good Google interview question in here somewhere.

    Of course one might ask how many polar bears Google itself has on its conscience but that's the wrong response to give at the interview.

  20. Re:White collar by MillionthMonkey · · Score: 5, Insightful

    What kind of fucking lunatic would hire somebody who has PROVEN that he says he's one thing but is actually another?

    Oh you'd be surprised. This guy might have a bright future ahead of him in politics.