Hacker gets eight years for role in $3m hacking spree

A trio of US cybercriminals has been given stiff sentences in a case that netted $3m and has important lessons for businesses

The last member of a US cybercrime trio that netted up to $3m in a Wi-Fi and malware hacking spree has been sentenced.

Joshuah Allen Witt, 35, John Earl Griffin, 36, and Brad Eugene Lowe, 39, have all now been given stiff prison terms. Lowe was given six-and-a-half years, while Witt and Griffin face prison terms of nearly eight years.

Witt was the third to be sentenced on charges that included conspiracy, aggravated identity theft and access-device fraud. All three will also have to pay restitution, which is to be set at another hearing.

The cybercriminals attacked companies both externally, by "wardriving" using vehicles fitted with powerful Wi-Fi receivers and looking for poorly protected corporate Wi-Fi connections, and internally, by breaking in and installing keyloggers on company computers to relay passwords and security codes.

Around 50 local businesses were hit by the cyber gang over nearly two-and-a-half years, according to the Seattle Times.

In some cases, the gang accessed company accounts with other businesses, such as Amazon.com or eBay, and bought expensive items. In other cases, they diverted automatic payroll deposits to newly created bank accounts and loaded the deposits onto debit cards to buy expensive items.

Prison time for cybercrime

The US Justice Department's Cybercrime and Intellectual Property Enforcement working group said the hefty sentences sent a "strong message to these modern-day bank robbers: Hack and steal at your own peril, as the consequence is prison time".

Head of the working group, Jenny Durkan, commended the businesses that alerted police about the intrusions on their computer systems. "Without their help, law enforcement could not have put this ring out of business," she said.

Wi-Fi security is key

The case illustrates why it is important for businesses to get their Wi-Fi security right, said Paul Ducklin, head of technology Asia-Pacific for security firm Sophos.

In a blog post, he warned that WEP (wired equivalent privacy) encryption, MAC (media access control) address filtering and SSID (service set identifier) hiding will not protect businesses from wardriving.

"The security system in WEP is flawed and can easily and automatically be cracked. A wardriver will bypass WEP in 60 seconds – and that includes the time taken to park outside your office and boot up his laptop. Use WPA instead," he wrote.

Ducklin pointed out that MAC addresses are not secret because Wi-Fi networks broadcast the MAC addresses of all currently connected devices.

Similarly, the SSID is the network name, and hiding it merely means the network does not openly advertise itself for use, but it is not secret because the SSID appears in other network traffic.

The case also shows why it is important for businesses to be vigilant after a physical break-in. "Don't just look for what's missing, but what might have been left behind," said Ducklin.

"Cybercrooks who have physical access to your network can install malware on your computers, connect hardware keylogging devices to your keyboards, and even stash rogue wireless access points behind the furniture," he wrote.
