US botnet master confesses to crimes

Security consultant to plead guilty, could face heavy sentence.

A Los Angeles man has agreed to plead guilty to several counts of fraud and unauthorised interfering with computer systems, having built a botnet comprising up to 250,000 machines, installing adware and using harvested data to defraud money from bank accounts, both directly and via PayPal.

The man, 28-year-old John Kenneth Sheifer, worked as an IT security consultant, and is thought to have planted malware on many of the machines he was charged with securing. Along with several co-conspirators, he built up and ran the large networks of infected systems, using data-stealing software to access details of online banking and PayPal accounts. Adware was also installed on the systems to gather affiliate commissions amounting to almost $20,000.

The affiliate fees will be repaid as part of the plea agreement, which results from a lengthy investigation including newly available wire-tapping techniques, and leaves Sheifer facing maximum jail sentences of 60 years and fines of up to $1.75 million. Though such extreme sentences are unlikely, a similar case earlier this year saw a botmaster sentenced to five years in prison.

More details on the case are in the LA Times here or The Register here.

12 November 2007

Tags: botnet, identity theft, legal, sentence. del.icio.us digg this