Cyber Law & Crime News

Steven M. Dettelbach, United States Attorney for the Northern District of Ohio, announced today that an Information was filed today charging Mitchell L. Frost, age 22, of Bellevue, Ohio, with one count of causing damage to a protected computer system, and one count of possessing 15 or more unauthorized access devices.

The information charges that between August 2006, and March 2007, while enrolled as an undergraduate student at the University of Akron, Mitchell Frost used the University’s computer network to access IRC channels on the Internet to control other computers and computer networks via computers intentionally infected and taken over, known as “BotNet” zombies, which were located throughout the United States and in other countries.

The information charges that Frost gained access to other computers and computer networks by various means, including scanning the Internet searching for computer networks which were vulnerable to attack or unauthorized intrusion, gaining unauthorized access to and control over such computers, and fraudulently obtaining user names and passwords for users on such systems. Frost then used the compromised computers to spread malicious computer codes, commands and information to even more computers, all for the purpose of harvesting and obtaining information and data from the compromised computer networks, including user names, passwords, credit card numbers, and CVV security codes, and for the purpose of launching Distributed Denial of Service (DDoS) attacks on computer systems and Internet websites.
The information further charges that between August 2006 and March 2007, Frost initiated DDoS attacks on numerous computers connected to the Internet hosting various websites, including www.joinrudy2008.com, www.billoreilly.com, and www.anncoulter.com, among others, temporarily interrupting operation of the websites, which required the site owners to intervene and repair their computer systems.

The information also charges that Frost initiated denial of service attacks against the University of Akron computer server on or about March 14, 2007, which caused the entire University of Akron computer network to be knocked off-line for approximately 8 ½ hours, preventing all students, faculty and staff members from accessing the network. The information charges that this denial of service attack required the University of Akron to employ diagnostic and remedial measures to restore computer service causing losses in excess of $10,000.

If convicted, the defendant’s sentence will be determined by the Court after review of factors unique to this case, including the defendant’s prior criminal record, if any, the defendant’s role in the offense and the characteristics of the violation. In all cases the sentence will not exceed the statutory maximum and in most cases it will be less than the maximum.

This case is being prosecuted by Assistant U.S. Attorney Robert W. Kern, Cybercrime Coordinator for the Cleveland U.S. Attorney’s Office, following an investigation by the Akron Office of the United States Secret Service, the Federal Bureau of Investigation and the University of Akron Police Department.

An information is only a charge and is not evidence of guilt. A defendant is entitled to a fair trial in which it will be the government’s burden to prove guilt beyond a reasonable doubt.

—- Update —-
Convicted on 26 May 2010

Steven M. Dettelbach, United States Attorney for the Northern District of Ohio, announced today Mitchell L. Frost, age 23, of Bellevue, Ohio, appeared before U.S. Magistrate Judge Nancy A. Vecchiarelli and pleaded guilty to a two-count Information filed on May 14, 2010, which charged Frost with causing damage to a protected computer system and possessing
15 or more unauthorized access devices.

According to court documents, Frost admitted that between August 2006, and March 2007, while enrolled as a student at the University of Akron, he used the University’s computer network to access IRC channels on the Internet to control other computers and computer networks via computers intentionally infected and taken over, known as “BotNet” zombies, which were located throughout the United States and in other countries.

Frost also admitted gaining access to other computers and computer networks by various means, including scanning the Internet searching for computer networks which were vulnerable to attack or unauthorized intrusion, gaining unauthorized access to and control over such computers, and fraudulently obtaining user names and passwords for users on such systems. Frost admitted using the compromised computers to spread malicious computer codes, commands and information to even more computers, all for the purpose of harvesting and obtaining information and data from the compromised computer networks, including user names,
passwords, credit card numbers, and CVV security codes, and for the purpose of launching Distributed Denial of Service (DDoS) attacks on computer systems and Internet websites.

Frost admitted that between August 2006 and March 2007, Frost initiated DDoS attacks on numerous computers connected to the Internet hosting various websites, including www.joinrudy2008.com, www.billoreilly.com, and www.anncoulter.com, among others,
temporarily interrupting operation of the websites, which required the site owners to intervene and repair their computer systems.

Frost also admitted initiating denial of service attacks against the University of Akron computer server on or about March 14, 2007, which caused the entire University of Akron computer network to be knocked off-line for approximately 8 ½ hours, preventing all students, faculty and staff members from accessing the network. This denial of service attack required the University of Akron to employ diagnostic and remedial measures to restore computer service causing losses in excess of $10,000. Frost will be sentenced on August 5, 2010, by U.S. District Judge Lesley Wells. His sentence will be determined by the Court after review of factors unique to this case, including his prior criminal record, if any, his role in the offense and the characteristics of the violation. In all cases the sentence will not exceed the statutory maximum and in most cases it will be less than the maximum.

This case is being prosecuted by Assistant U.S. Attorney Robert W. Kern, Cybercrime Coordinator for the Cleveland U.S. Attorney’s Office, following an investigation by the Akron Office of the United States Secret Service, the Federal Bureau of Investigation and the University of Akron Police Department.

source: www.cybercrime.gov

THIBODAUX MAN CHARGED WITH VIOLATION OF DIGITAL MILLENNIUM COPYRIGHT ACT

RENO JEAN DARET, IV, age 28, of Thibodaux, Louisiana, was charged in a one count bill of information with violation of the Digital Millennium Copyright Act, announced U. S. Attorney Jim Letten.

According to the bill of information, between on or about October 26, 2009 and December 14, 2009, for purposes of commercial advantage and private financial gain, DARET knowingly circumvented technological measures that control access to copyrighted works.

DARET faces a maximum term of imprisonment of five (5) years, a fine of $500,000.00 and three (3) years of supervised release following any term of imprisonment. U. S. Attorney Letten reiterated that the bill of information is merely a charge and that the guilt of the defendant must be proven beyond a reasonable doubt.

The case is being investigated by the U.S. Department of Homeland Security, Immigration and Customs Enforcement and is being prosecuted by Assistant United States Attorney G. Dall Kammer.

source: cybercrime.gov

LAS VEGAS MAN PLEADS GUILTY TO CREATING AND SELLING COOKIE-STUFFING PROGRAM

Christopher Kennedy pleaded guilty yesterday to one count of conspiracy to commit wire fraud, United States Attorney Joseph P. Russoniello announced.

In pleading guilty, Kennedy, 28, of Las Vegas, Nev., admitted to creating and selling through his Web site, www.saucekit.com, a cookie-stuffing program, known as “saucekit,” from January 2009 to November 2009.

Cookie-stuffing is the act of depositing a cookie (a text string of code) containing an affiliate Web site’s ID onto an individual’s computer without that individual having clicked on an advertisement or link.

eBay, Inc. maintains an advertising and promotion program, known as the eBay Partner Network (EPN), through which Web sites that display eBay advertisements are reimbursed for referrals. Under the EPN,
eBay pays a referral fee to a Web site when an advertisement directs a Web user to the eBay Web site.

When that user accesses the eBay Web site, a cookie is deposited on
the user’s computer. This cookie contains information identifying the referring Web site (EPN ID) and is used to track whether and when the
user returns to the eBay Web site. A subsequent visit to the eBay Web site results in payment of a referral fee when the user engages in a revenue action, which occurs when the user utilizes eBay’s auction service.

If multiple cookies are present on the user’s computer, which may occur if the user has clicked on several different advertisements before engaging in a revenue action, the most recently deposited cookie (and its corresponding affiliate Web site) is credited for any revenue action. Cookie-stuffing occurs when an individual visits an affiliate Web site or Web page, such as an eBay auction page without clicking on an advertisement or link.

According to court documents, the cookie-stuffing program Saucekit created a cookie containing the affiliate Web site’s EPN ID and placed it onto the individual’s computer. The cookie remained on that individual’s computer for a period of time and, if that individual engaged in a revenue action with eBay, eBay credited
the affiliate. As a result, eBay payed referral fees to an affiliate, even though the individual who visited the affiliate Web site or Web page had not been referred to eBay by that Web site or Web page. In this way, eBay payed its affiliates fees to which they were not entitled.

An information was filed against Kennedy on Feb. 9, 2010. He was charged with one count of conspiracy to commit wire fraud, in violation of 18 U.S.C. § 371. Under the plea agreement, Kennedy pled guilty to the one-count information.

Kennedy has been released on $50,000 bail and is scheduled to be sentenced Nov. 1, 2010. The maximum statutory penalty for each count of conspiracy to commit wire fraud in violation 18 U.S.C. § 371 is five years imprisonment and a fine of $250,000, plus restitution if appropriate. However, any sentence following conviction would be imposed by the court after consideration of the U.S. Sentencing Guidelines and federal statute governing the imposition of a sentence, 18 U.S.C. § 3553.

Hanley Chew is the Assistant U.S. Attorney who is prosecuting the case with the assistance of Lauri Gomez. The guilty plea is the result of an investigation by the United States Secret Service.

source: cybercrime.gov