Opinion

Analysis: Hijacked PayPal Accounts Highlight the Human Element of Fraud

By Scott Berinato

November 12, 2007 | CSO

Botnet operator, hired as security consultant, faces up to six decades in jail, $1.75M fine

Here’s the news: The United States Department of Justice on Saturday celebrated the guilty plea of a botnet operator from Los Angeles who, according to the DOJ, hijacked PayPal accounts and defrauded a Dutch advertising company for which he had been hired as a security consultant.

According to the DOJ release, John Schiefer, 26, will plead guilty later this month or early next month to four felony counts: accessing protected computers to conduct fraud, disclosing illegally intercepted electronic communications, wire fraud and bank fraud. Schiefer and two unnamed co-conspirators managed a botnet of approximately 250,000 PCs, and their main scheme seemed to be compromising PayPal usernames and passwords and then using them to make purchases with the victims’ accounts.

In a separate scheme, Schiefer was hired by a Dutch company as a security consultant and paid nearly $20,000. While employed, he managed to install malware on up to 150,000 more computers by using the trust the company placed in him as a paid consultant to gain entree into the systems. With his guilty plea, Schiefer faces up to 60 years in jail and a $1.75 million fine.

Another day, another crime. Now what’s the importance of this case to the average security professional?

The infiltration of the Dutch company, in fact, is the most significant part of the DOJ’s announcement. Perhaps the only significant part. In terms of botnet operations and malware schemes, the 250,000 PC network engineered to steal PayPal data, as described by the DOJ, is relatively small-time and unsophisticated compared to what’s happening on the harder-to-govern international scene. However, creating trust as a consultant to infiltrate a company and gain access to its network, and through that access infiltrate other connected networks, is a more frightening development for businesses. It’s a con in the true sense of the word fragment ("con" comes from "confidence").

It’s a crime that is much harder to prevent and detect than technical crime, because the vulnerability is human trust (see CSO’s in-depth Anatomy of a Fraud). The only role the Internet plays in the Dutch company crime is to exacerbate the weakness by enabling the fraud to propagate nearly instantly. But there’s nothing one can do technically to stop such a crime. Once you’ve got trust, you’ve got access.

Businesses should be taking great care with whom they hire for security services, but are they? With so many security problems to fix and limited budgets to fix them, one can easily imagine any number of companies hiring independent consultants on the fly, ones who are willing to do work for a reasonably low fee. How can companies tell the rogues who are trying to get access to insert malware from the real consultants? That’s not easy. And those with advanced skills will be able to hide their tracks well with anti-forensics. Bigger companies are more vulnerable to such infiltrations because larger organizations have more difficulty enforcing centralized control.
