The United States Attorney’s Office for the Northern District of California announced that Alec Scott Papierniak, 20, of Mankato, Minnesota, pleaded guilty on February 3, 2004, in federal court in San Jose, to one count of Wire Fraud.
According to the Plea Agreement, from approximately January 2002 through September 2003, Mr. Papierniak falsely and fraudulently obtained user names and passwords for Paypal accounts, allowing him to “hijack” those accounts and engage in fraudulent purchases and transfers of funds. Mr. Papierniak created and used fake, or “spoofed,” PayPal webpages, which appeared to be valid PayPal webpages, but in reality were false and fraudulent, and which requested PayPal users to log on and enter their user names and passwords. Mr. Papierniak then e-mailed messages that appeared to be from PayPal directing the recipients to connect to a linked webpage. Upon clicking on the webpage link, the recipient would be connected, not to the legitimate PayPal website, but to the above-described spoof site created and maintained by Mr. Papierniak. This spoof site was virtually identical in appearance to the valid PayPal site, and directed the individual to login with a user name and password. Mr. Papierniak set up the spoof site to incorporate a “back-end email account,” which, upon the victim logging on, would secretly email the victim’s user name and password to an email account controlled by Mr. Papierniak. In this way, Mr. Papierniak was able to obtain the user names and passwords for PayPal accounts without the owner’s permission or knowledge.
In pleading guilty, Mr. Papierniak also admitted to e-mailing a “key logger” virus to PayPal users, purporting to originate from a legitimate PayPal email address, by e-mailing a slightly modified version of a legitimate PayPal email, stating that the victim/recipient needed to install a security update in order to access PayPal. The email would appear to come from PayPal and would contain a file titled “Fraudbuster,” or “Account Manager,” both PayPal administrative file names. Once their computers were infected with the virus, the victims’ keystrokes were captured and sent to Mr. Papierniak at an account he had created on his website. Mr. Papierniak could determine the passwords for the PayPal accounts by reviewing the fraudulently captured keystroke logs.
Once Mr. Papierniak had fraudulently obtained the user names and passwords for the PayPal accounts, he would transfer funds from the hijacked accounts to his own use.
Mr. Papierniak’s sentencing is scheduled for May 10, 2004 at 1:30 p.m. before U.S. District Court Judge James Ware in San Jose. The maximum statutory penalty he faces is 20 years imprisonment and a fine of $250,000. However, the actual sentence will be dictated by the Federal Sentencing Guidelines, which take into account a number of factors, and will be imposed in the discretion of the Court.
The prosecution is the result of an investigation by agents of the Federal Bureau of Investigation (FBI). The investigation was overseen by the Computer Hacking and Intellectual Property (CHIP) Unit of the U.S. Attorney’s Office. Matt Parrella is the Assistant U.S. Attorney who is prosecuting the case.