The first person to be charged under American wiretap statutes for using a botnet to steal data and commit fraud was sentenced to four years in prison last week.
John Schiefer, a 27-year-old Los Angeles resident, was also ordered to pay US$2,500 in fines. The sentence was handed down Wednesday by U.S. District Judge Howard Matz in federal court in Los Angeles.
Schiefer, a former security researcher, agreed to plead guilty in November 2007 to stealing usernames, passwords and financial data from more than 250,000 compromised systems, then installing adware on the massive botnet that he and several accomplices set up.
The guilty plea was formally entered and accepted last April, and sentencing was originally scheduled for last August but was extended several times because of motions filed by Schiefer. He faced a maximum of 60 years in prison and fines of $1.75 million after admitting to four felony counts involving illegal access to computers, illegal interception of data and wire fraud.
Schiefer, who used the online handle “acidstorm” as well as both “acid” and “storm,” worked until early 2006 as a security consultant at a Los Angeles-based network services provider named 3G Communications Corp.
According to court documents, Schiefer used both home and work computers as part of the data theft scheme, in which he and his accomplices compromised systems and planted malware that added the machines to their botnet and enabled the cybercrooks to intercept and capture communications between the systems and various Web sites.
The documents said that Schiefer and his cohorts sifted through the intercepted data looking for usernames and passwords to PayPal and online bank accounts, then used the information to make fraudulent purchases and transfer funds out of the accounts.
The data thieves also used malware to steal user credentials directly from the Protected Storage, or PStore, subsystem offered in older versions of Windows. According to law enforcement officials, the malware would capture supposedly secure information from PStore and send it to servers controlled by Schiefer and his accomplices, at least one of whom was allegedly a minor.
In addition, Schiefer admitted to illegally installing adware programs on nearly 150,000 of the compromised systems without the consent of their owners. The adware was installed on the behalf of a Netherlands-based Internet advertising firm that had contracted with Schiefer to do the work, but the contract terms required him to get consent from users before doing installations.
When Schiefer agreed to plead guilty to the charges against him, he also said he would pay nearly $20,000 in restitution to the Dutch company and to financial institutions that he had defrauded, according to court documents.