Computer Hacker John Schiefer Charged with Wiretapping to Conduct Fraud

John Schiefer, 26, has been charged with and agreed to plead guilty later this month to installing malware on computers, without the knowledge of the computers' owners, in order to intercept private information and conduct identity theft and wire and bank fraud, as announced by the US Attorney's Office and the US Department of Justice. Schiefer is also being charged with defrauding a Dutch advertising company.

The malware, which Schiefer called "spybots", would effectively act as a wiretap on protected computers and would access private communications between that computer and bank accounts, such as those on PayPal. Schiefer and others would then use those communications to find out a users' account name(s), or usernames, and that user's password(s). Schiefer would then access accounts and make purchases unbeknowst to the true owner. Schiefer also admitted to giving those usernames and passwords to others.

This case is the first time that anyone has been indicted and convicted with using "botnets" to conduct identity theft. A "botnet" essentially is a "zombie" computer that performs normally and allows users to do anything they would normally, so that malware, or malicious software, can intercept personal information. The number of computers that Schiefer and his associates infected is estimated at 250,000.

Schiefer also installed malware into computers running Microsoft operating systems, such as Windows. He could then access stored usernames and passwords that the Microsoft software would store in a secure location on the hard drive called the PStore. Schiefer used those usernames and passwords to again access bank accounts, such as PayPal.

Schiefer has also agreed to plead guilty to defrauding a Dutch online advertising company, for whom he was hired as a consultant. Schiefer was supposed to install certain company software on computers. The software was meant to be installed on only computers agreed to by the computer's owner, but instead Schiefer and two others installed the software on computers that they controlled through his malware. Schiefer attempted to avoid this ruse being found out by installing the software on only a small number of his "botnets," approximately numbering 150,000. The advertising company, thinking that Schiefer had legitimately installed a certain number of units of the company's software on computers with the consent of that computer's owner, paid Schiefer nearly $20,000 for his work.

The maximum sentence for these four counts of wire fraud, bank fraud, using protected computers to conduct fraud, and disclosing illegally acquired electronic communications is a statutory 60 years in prison as well as a fine of $1.75 million. Schiefer will appear in court later this month to enter this plea.

Source: US Department of Justice, US Attorney's Office Central District of California