Student Charged With Hacking Stock Account
By Carrie Johnson and Mike Musgrove
Washington Post Staff Writers
Friday, October 10, 2003; Page A01
A college student was arrested yesterday on charges of hacking into someone else's online brokerage account and sticking him with an investment loss of more than $40,000 after the student obtained password information with surreptitiously installed software that recorded the investor's computer keystrokes.
According to federal prosecutors and the Securities and Exchange Commission, Drexel University student Van T. Dinh, 19, lured victims to a Web site with a request for help in testing software he had written that tracked stock price moves. But, officials said, the program was really a subterfuge that installed a program called the Beast, which, when downloaded onto a computer, can track every character the user types and relay them to a hacker.
Yesterday's announcement by authorities in Washington and Massachusetts -- a story that combines identity theft, computer hacking and securities fraud -- is the latest cautionary tale for consumers and investors in the electronic marketplace.
In recent years, especially as the economy boomed in the late 1990s, millions of people flocked online to buy and sell stock. There were more than 20 million online trading accounts in the United States as of Dec. 31, 2002, according to the research firm Gomez Inc.
Investigators were alerted to the situation by the Westborough, Mass., victim in July. They said they traced electronic footprints, including trading records, banking data and Internet protocol addresses, which led them to Dinh. They said that Dinh, in taking so many steps to disguise his identity, inadvertently left a detailed trail of evidence.
"The more elaborate the scheme, the easier it is to catch the bad guy," said John Reed Stark, chief of the SEC's office of Internet enforcement. The unit has brought 425 Internet-related securities cases since 1995, but most involved insider trading or falsely touting stocks, Stark said.
"In all my years here, I've never seen a case like this," he said.
Massachusetts U.S. Attorney Michael J. Sullivan said the case should warn consumers that installing programs obtained from people they do not know is like "opening the front door of their house to a stranger."
Prosecutors charged Dinh with securities fraud, mail and wire fraud, and causing damage in connection with unauthorized access to a computer. The fraud counts carry maximum penalties of 20 years in prison, and the computer counts carry a maximum penalty of 10 years. After an initial appearance in a federal court in Philadelphia early yesterday afternoon, Dinh was released on $50,000 bond and was ordered to remain at his Phoenixville, Pa., home until another court proceeding next Wednesday. His federal public defender declined to comment yesterday, and messages left at his home were not answered.
Dinh, a first-year business administration major, lived with his parents in a house with multiple computers and a high-speed Internet connection, sources familiar with the case said.
The trouble began when Dinh paid $10 each for 9,100 "put" option contracts on shares of Cisco Systems Inc. in June 2003, according to the SEC. Each contract guaranteed Dinh the right to sell 100 shares of Cisco stock at $15 apiece, if the price fell to $15 or less by July 19, 2003. Dinh paid $91,200 for the contracts, court papers said. In essence, Dinh was betting that Cisco's stock price would fall, in what prosecutors called a "highly speculative but potentially very lucrative gamble."
By early July, Cisco's stock price was well above $15, which meant Dinh could have lost all of his $91,200 investment. On July 7, Dinh allegedly sent e-mail messages to people in an electronic forum on the Web site StockCharts.com. Using an alias, Dinh asked traders whether they maintained their own Web sites, gathering responses from people including the Massachusetts victim, who responded using a personal e-mail address.
The next day, Dinh allegedly sent another e-mail message to traders who responded to his July 7 inquiry. Using a different alias, Dinh invited the traders to take part in a "beta test" of a new stock analysis tool and provided a link to the software that people could download. In fact, investigators said, that link contained a "Trojan horse" program that enabled Dinh to obtain log-on information and the password of the victim's TD Waterhouse online account.
Such keystroke-surveillance programs, which record what characters are typed, are widely available. Many companies purchase similar programs to keep tabs on what their employees are doing online.
"We've got tons of copies of the Beast. It's a very popular underground program," said Ken Dunham, director of malicious code for iDefense Inc., a Reston-based computer security firm. "It doesn't take a rocket scientist to create and deploy a new Trojan."
The victim downloaded the "tool," but it did not work as advertised, causing his computer to lock up momentarily and making him suspicious, the SEC's Stark said.
On July 11, Dinh used the victim's electronic-trading account to place buy orders for his Cisco options, avoiding about $37,000 in losses, according to court papers. The move, and the accompanying fees, essentially wiped out the victim's account. The victim noticed and within a few days complained to the SEC, agency officials said.
Dinh allegedly used the services of Lockdown Corp., which helps subscribers hide their identities from people who receive their e-mail messages. Lockdown records reviewed by investigators showed that the electronic communications he allegedly sent bounced around the world, from the United States to Australia with stops in Ireland and Germany.
Officials said they were able to unravel the connections within a few weeks, with cooperation from TD Waterhouse, where the victim's account was based, and Cybertrader.com, which housed one of Dinh's accounts.
Dinh traveled to Washington in early August to meet with SEC lawyers, where he invoked his Fifth Amendment right against self-incrimination. But he also turned over two notebooks of information, including e-mail addresses that contained two aliases he had allegedly used to deceive unwitting stock traders, according to court papers.
"It's regrettable that an individual's personal computer was hacked and that information was stolen," TD Waterhouse said in a prepared statement. "The TD Waterhouse system was not compromised and remains safe and secure for our customers."
Computer security experts said the Dinh case reflects no deep problems with the way online banking systems are set up, but rather more mundane vulnerabilities in the habits and practices of individual users of the accounts.
"That's a tweak on this attack that hasn't been done before," Bruce Schneier, founder and chief technology officer of Counterpane Internet Security, said when told of Dinh's alleged scheme. "But if he was smart, it would've been way more devastating."
Susan M. Kuhn, a management consultant in Kensington, said that horror stories about malicious programs and viruses have made her cautious when she uses the Web.
"I just don't take any chances anymore. I'm even reluctant to visit a Web site just to download something. I certainly would never open any file that is unsolicited," she said. "It's damaged the potential of the Internet. With this level of risk out there, the initial promise of freedom on the Internet is just not there, as far as I'm concerned."
Researcher Richard S. Drezen contributed to this report.