Three Charged in Hacking Case That Spammed 60M

Federal prosecutors in New Jersey on Tuesday charged three men in a US$2 million identity theft scheme to hack corporate computer systems and blast spam messages to more than 60 million people.

Timothy Edward Livingston, 30, of Boca Raton, Fla., Tomasz Chmielarz, 32, of Rutherford, N.J., and Devin James McArthur, 27, of Ellicott City, Md., were charged with conspiracy to commit fraud and related activity in connection with computers and conspiracy to commit wire fraud, according to U.S. Attorney Paul Fishman’s office. Livingston and Chmielarz also were charged with fraud and related activity in connection with electronic mail.

The defendants face up to 20 years in prison and $250,000 in fines on the wire fraud charges, and up to five years in prison and $250,000 in fines on the email and computer conspiracy charges, according to prosecutors.

In addition, the indictment indicates $299,653 held in several Wells Fargo bank accounts in Livingston’s name or the corporate name are subject to forfeiture, as well as a Scottrade account in Livingston’s name, a 2006 Ferrari F430 Spider Convertible, which was seized in July in Ft. Lauderdale, Fla., and a 2009 Cadillac Escalade.

Michael Koribanics, attorney for Chmielarz, told the E-Commerce Times on Tuesday that his client planned to enter a not guilty plea at a hearing scheduled for later in the day before U.S. Magistrate Judge Michael Hammer in Newark federal court.

His office was investigating the allegations, Koribanics added.

McArthur was scheduled to appear Tuesday before U.S. Magistrate Judge Beth Gesner in Maryland; however, no information was immediately available about representation.

Livingston had an initial appearance earlier Tuesday before U.S. Magistrate Judge Alicia O. Valle in Ft. Lauderdale, Fla., and was being detained pending a Friday bail hearing, prosecutors said. His attorney Jeffrey Cox, of Boca Raton, Fla., was not immediately available for comment.

The Allegations

Starting in 2011, Livingston and others operated a company called “A Whole Lot of Nothing,” which specialized in sending spam email on behalf of clients, prosecutors alleged.

Their clients ranged from legitimate businesses, such as insurance firms that wanted to send out bulk emails to customers, to illegal pharmacies that sold narcotics without a prescription, according to the allegations.

Livingston typically charged anywhere from $5 to $9 for each email that resulted in a completed transaction, prosecutors said.

The corporate victims allegedly included an unnamed telecommunications firm based in New York, a technology and consulting firm in New York, a credit monitoring firm based in Texas, and a telecommunications firm based in Pennsylvania.

The ISPs started using blocking software to help cut down on the spam messages, but in January 2012, Livingston allegedly solicited Chmielarz to write computer programs designed to conceal the identity of the sender and bypass the spam filters.

The two men are accused of using proxy servers to send out spam, and enlisting botnets to help avoid spam blockers, the prosecutors said.

Livingston also registered certain websites in the name of “Mark Lloyd,” an alias he used, based on the allegations.

The two men hacked into the accounts of certain individuals and then took control of some of their corporate victims to further the spam email campaign, according to the prosecution.

Livingston and Chmielarz allegedly worked together with the third defendant, McArthur, to steal confidential information of corporate victims, including databases containing the personally identifiable information of millions of Americans.

Livingston and Chmielarz in 2013 began discussing a third corporate victim, according to the charges.

Livingston told Chmielarz in an online chat that he needed to scrape the website of a third corporate victim, the prosecutors alleged, and later paid Chmielarz to write a program that stole the information of 10 million people from a database of that company.

McArthur worked as a sales representative at a fourth company from February 2014 to February 2015. By August 2014, he allegedly provided Livingston with access to a remote administration tool to steal from that company, including the names, addresses, email addresses and phone numbers of current, former and potential customers.

The fourth company had more than 50 million people in its corporate database, and Livingston and McArthur allegedly gained access to 25.4 million records, the prosecutors claimed.

Pervasive Problem

Spam messages are among the most common means of accessing personal data.

An average of 1.5 million deceptive emails are sent, particularly to business users, on a daily basis, according to GreatHorn, which has analyzed more than 20 million emails in the past two months.

“This problem isn’t only pervasive — it’s also incredibly effective,” said GreatHorn CEO Kevin O’Brien.

“Over 90 percent of all known data breaches start with this kind of an attack,” he told the E-Commerce Times.

These types of attacks cost one company more than $47 million, O’Brien said, with the chief financial officer targeted four times.

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.
