Crossing over to the dark side: Consultant pleads guilty to identity theft

Darth Vader: You underestimate the power of the Dark Side. If you will not fight, then you will meet your destiny.

An article on the IOL Technology website discusses a consultant who pleaded guilty on Wednesday to raiding hundreds of thousands of computers. The article states:

John Schiefer, who worked as a computer security expert, "admitted that he gained access without authorisation to hundreds of thousands of computers in the United States and that he remotely controlled these compromised machines through computer servers," federal prosecutors said in a statement.

"Once in control of the 'zombie' computers, Schiefer used his botnets to search for vulnerabilities in other computers, intercept electronic communications and engage in identity theft," the US Attorney's office said.

Schiefer pleaded guilty to gaining access to protected computers to conduct fraud, divulging illegally intercepted electronic communications, wire fraud and bank fraud, the statement said.

He is the first person in the country to plead guilty to wiretapping charges in connection with the use of botnets, or computers controlled remotely, authorities said.

Schiefer, who used the online name "acidstorm," is to be sentenced on August 20. He faces a maximum of 60 years in federal prison and a fine of $1,75-million (about R13-million).

It's unfortunate and delivers a black eye to consultants and security researchers everywhere. While I'd contend that most consultants and researchers are White Hats in their nature, it's hard to shake the thought that we are all evil or malicious. Hopefully this guy gets his in court. I wonder how many consultants and researchers are seduced by the dark side and I hope that number is small.

Another article on the subject from states:

The malware, which Schiefer called "spybots", would effectively act as a wiretap on protected computers and would access private communications between that computer and bank accounts, such as those on PayPal. Schiefer and others would then use those communications to find out a user's account name(s), or usernames, and that user's password(s). Schiefer would then access accounts and make purchases unbeknownst to the true owner. Schiefer also admitted to giving those usernames and passwords to others.

This case is the first time that anyone has been indicted and convicted with using "botnets" to conduct identity theft. A "botnet" essentially is a "zombie" computer that performs normally and allows users to do anything they would normally, so that malware, or malicious software, can intercept personal information. The number of computers that Schiefer and his associates infected is estimated at 250,000.

250,000 infected is no small change.  Another article on mentioned:

Schiefer, who went by names such as "Acid" and "Acidstorm," has long been a fixture in underground hacking circles. He sometimes adorned his instant message handles with phrases such as "remember the name or feel the pain" and "crime pays, and it also has an excellent benefits package." He was employed at a Los Angeles-based security firm known as 3G Communications, where he sometimes carried out his crimes, according to court documents.

I wonder what kind of background investigation 3G did on this guy? I've got one comment for "Acidstorm"... I hear that federal prison has an "excellent benefits package", so enjoy yourself.