jordanian national sentenced to 10 years
for $725,000 fraud scheme
hacked into computer systems to steal identity information
from hundreds of victims
KANSAS CITY, Mo. – Beth Phillips, United States Attorney for the Western District of Missouri, announced that a Jordanian national was sentenced in federal court today for leading a $725,000 fraud scheme in which he hacked into business computer systems to steal the identity information of hundreds of their customers.
“A computer hacker at an Internet café halfway around the world preyed on businesses in the United States and hundreds of their local customers,” Phillips said. “Today’s tough sentence sends a message that we will vigorously prosecute cybercrimes and offenders will be held accountable for their actions.”
Sael Mustafa, 43, of Gladstone, Mo., a citizen of Jordan, was sentenced by U.S. Chief District Judge Fernando J. Gaitan, Jr., to 10 years in federal prison without parole. The court also ordered Mustafa to pay restitution to the victims. Mustafa, a lawful permanent resident of the United States, moved from Jordan to Gladstone in January 2009 and continued to operate the scheme until April 2009.
“This case provides a cautionary tale for unwary Internet users,” Phillips said. “This scheme was successful because hundreds of victims used the same password for each of their online accounts at different Web sites. That was convenient, but it also made them vulnerable to a computer hacker’s extensive fraud scheme. Just as you wouldn’t use the same key for your house and your car, you shouldn’t use the same password for multiple online accounts.”
On Jan. 20, 2010, Mustafa pleaded guilty to aiding and abetting mail fraud. Mustafa admitted that he used stolen credit card information to purchase gift cards from Hy-Vee, Nebraska Furniture Mart and other businesses, which were delivered by mail. Mustafa was able to obtain the stolen credit card information through a computer hacking and identity theft scheme.
According to court documents, Mustafa was the leader of a group of individuals who conspired to steal identity information from hundreds of victims and use that information to make fraudulent purchases. Although the exact number of identity theft victims is unknown, one file fragment recovered from Mustafa’s computer contained the e-mail addresses, passwords and security questions for 654 customers who had set up accounts on one Web site. This file fragment is only a portion of the list.
Mustafa committed a substantial part of the fraud scheme outside the United States. Before moving to Gladstone, Mustafa used the wireless network at an Internet café in Jordan to hack into company Web sites, as well as to use the stolen identity information to access online credit card accounts and to conduct fraudulent transactions.
Court documents describe the computer hacking, identity theft and fraud scheme as follows:
Step One: The Computer Hack
Mustafa illegally accessed the computer servers that hosted the Web sites of several businesses to access customer databases and download the customers’ personal information. Mustafa exploited these businesses for presumably less secure information, such as e-mail addresses, Web site passwords and security questions. This information was usually provided to the business by a customer registering on the Web site for online services such as a company newsletter, making a reservation, buying a gift card, or receiving e-mail coupons.
Step Two: Accessing Credit Card Accounts
Mustafa and his co-conspirators then tried to use this stolen customer information at major credit card Web sites. Mustafa counted on the likelihood that many identity theft victims used the same password for the hacked accounts that they used for their online credit card accounts. Mustafa visited various credit card Web sites and, by trial and error, tested the stolen identity information to see if it matched the login and password information for their credit card account. If a victim had an account at a particular credit card Web site, and if the victim used the same login and password information, Mustafa was able to access their accounts.
Step Three: Using the Victims’ Accounts
After gaining access to victims’ credit card accounts, Mustafa and his co-conspirators purchased more than $240,000 worth of airline tickets (both domestic and international) and more than $30,000 in gift cards online. They also sent, or attempted to send, more than $344,000 in wire transfers and conducted more than $106,000 in other fraudulent online transactions (such as a subscription to the Al-Jazeera Channel).
This case was prosecuted by Assistant U.S. Attorney Matthew P. Wolesky. It was investigated by the U.S. Postal Inspection Service and the Gladstone, Mo., Police Department.