10 September 2007, 15:48

P2P identity fraudster busted

Identity fraudster Gregory Kopiloff, who spent a couple of years exploiting peer-to-peer (P2P) networks to search the hard drives of victims he later defrauded online, has been indicted in Seattle on four counts, including two counts of "aggravated identity theft".

Kopiloff apparently made use of lax folder security settings in P2P clients to search for personal identity and banking information over the internet. He then performed extensive credit checks before using his victims' identities to set up online credit card accounts, with which he purchased goods subsequently fenced at 50 cents on the dollar. He appears to have been quite picky: preferentially targeting people with incomes over 150,000 US dollars per year. He is estimated to have extracted around 73,000 US dollars from more than 80 victims in the course of just over two years.

Unusually, the indictment contains quite a lot of technical explanation. It states that Kopiloff specifically used Limewire and Soulseek among other clients, and points out that although some P2P clients allow full drive sharing by default, Limewire at least can be configured to limit access to a designated folder. However various factors such as inattention, inexperience or malware contamination can cause users to expose sensitive information to the P2P client, and thus to other users. The indictment specifically mentions federal income tax returns, student grant applications and credit reports as primary information sources for Kopiloff's scams, which begs the question why such sensitive data is managed so cavalierly by so many of its owners.

Although he may be the first to be caught in the act, P2P monitoring service provider Tiversa has pointed out that their monitors pick up such activity on P2P networks all the time (in fact it is their raison d'être), and conventional firewalls offer no protection, as P2P punches right through them.