Perils of passwords exposed in Internet theft case

A master computer hacker preyed on human nature to steal hundreds of thousands of dollars from unwary Internet users, federal prosecutors in Kansas City say.

They allege that Sael Mustafa took advantage of a common mistake many people make — using the same user name and password on multiple online accounts — to reap huge rewards at the expense of hundreds of victims.

“Some aspects of Mustafa’s scheme were very complex and technical, and required considerable computer expertise, and others were alarmingly simple and provide a cautionary tale for an unwary Internet user,” prosecutors said.

On Monday during a four-hour sentencing hearing in federal court, they outlined the extensive investigation that stretched from Gladstone to the Middle East and involved victims from California to New Jersey.

U.S. District Judge Fernando Gaitan took the case under advisement to do additional legal research about the length of sentence Mustafa, 42, should receive after pleading guilty to aiding and abetting mail fraud.

Prosecutors are seeking a 15-year sentence for Mustafa, who they allege played a significant role in the criminal enterprise that victimized more than 250 people and resulted in the stealing and attempted stealing of more than $700,000.

Mustafa’s attorney is asking for a sentence of approximately two years, arguing in court documents that he was not the organizer of the crime and prosecutors are seeking to have him punished based on the allegations of others who have not been charged yet.

According to court documents and testimony Monday in U.S. District Court, the investigation began in Gladstone when police were contacted by security officials from Hy-Vee about suspicious gift-card purchases. Gladstone police contacted U.S. postal inspectors, who interviewed people who said their credit card information had been used to make purchases they didn’t authorize.

A search warrant was served at an address in Gladstone in April 2009 where some of those gift cards were delivered. Mustafa and two others, identified in court documents as unindicted co-conspirators, were found living there. Investigators seized several computers and other records.

One of those co-conspirators testified Monday that she met Mustafa online in 2006 and he introduced her to the computer hacking scheme. The woman said she made several trips to visit him in Jordan using tickets he obtained fraudulently. There she said she watched him engage in computer hacking from an Internet cafe.

The woman, who agreed to testify despite being told that she is going to be indicted for her role in the crimes, said several other members of her family were involved in the criminal activity, which continued after Mustafa moved into her Gladstone home in January 2009.

According to the case laid out by prosecutors, Mustafa hacked into websites of several businesses, including that of the Capital Grille restaurant chain. He accessed email addresses, passwords and password reminder questions such as “What is your mother’s maiden name?”

Customers had provided that information when they registered on websites for things such as company newsletters, making a reservation, buying a gift card or receiving email coupons.

“This is where Mustafa exploited a weakness common among Internet users,” Assistant U.S. Attorney Matthew Wolesky explained in his outline of the scheme. “Mustafa counted on the human vulnerability that people frequently use the same passwords for multiple accounts.”

Armed with the information, Mustafa then logged onto the websites of major credit card companies and began testing whether the stolen information matched customer information on those sites.

“Alarmingly, this worked repeatedly,” Wolesky said.

Once access to credit card accounts was gained, it was used to buy gift cards and airline tickets and to make bank wire transfers to accounts in the United States and overseas.

According to their investigation, prosecutors said they found that members of the conspiracy bought or attempted to buy $30,000 worth of gift cards; more than $106,000 in other unauthorized credit card purchases; more than $240,000 in airline tickets; and more than $344,000 in bank wire transfers.

Although prosecutors cited the Capital Grille website as an example, they say Mustafa gained similar access to other business websites.

A Capital Grille spokesman said Monday that the company had always used “extreme caution” in protecting customer information online and as a result of the case has taken additional steps to enhance security.

“I think this is a cautionary tale for all of us,” said spokesman Mike Bernstein.

He noted that customer credit card information is not stored on the company’s website. When the company learned of the situation, the company president personally called the affected customers and apologized, Bernstein said.

Prosecutors said that the company has cooperated with law enforcement during the investigation.

Law enforcement officials say consumers can minimize their vulnerability to such schemes by taking common sense steps to protect their online information.

FBI spokeswoman Bridget Patton said people should be vigilant about changing passwords on a regular basis. They should also use “strong passwords” that include a mix of letters, numbers and punctuation marks, not just something like “123456.”

And as the victims in this case show, people should not use the same passwords for multiple accounts.

“It may make it easier for you, but it also makes it easier for others,” she said.
