July 8, 2007
Busting Internet Fraud That Sends Four to San Quentin
By Elise Ackerman, San Jose Mercury News, Calif.
Jul. 8--Veteran San Jose detective Mike Niehoff's dogged persistence has been the undoing of criminal street gangs and Internet frauds.
The case involved a small criminal crew that took advantage of three of the Silicon Valley's most trusted brands -- Craigslist, eBay and PayPal -- to steal tens of thousands of dollars from Bay Area residents by the dozen.
Internet crimes are tough to solve. The perpetrators are usually anonymous, eyewitnesses are non-existent, and electronic evidence can quickly dissolve into useless bits and bytes.
But this case was different. In just five months, Niehoff was able to piece together the pixels into a solid case that led to the convictions of brothers Alvin Ma, 23, and Calvin Ma, 21, both of Daly City, and two other members of the ring.
The story of their crimes, arrest and conviction shines a light into a dark corner of the Web where stolen identities are traded and pilfered goods are sold by seemingly law-abiding citizens living in well-to-do neighborhoods.
It also shows how a single tech-savvy detective was able to take the technology used by criminals and turn it against them.
Computer on Craigslist The case started with a report of a computer stolen in Oakland on Dec. 15, 2005.
At first glance there was nothing particularly unusual about the theft. The Apple PowerBook had been listed for sale on Craigslist by Darin Petersen, 33. Petersen, of Oakland, got an offer to buy it from a San Jose woman calling herself "Henrietta Johnson." She transferred $1,315 to Petersen's PayPal account and sent "her husband," an Asian man, to pick up the laptop.
Two weeks later, Petersen noticed the PayPal payment had been canceled.
Little did he know, but Petersen had just become a victim of the most common form of online fraud. In 2006, the Internet Crime Complaint Center logged more than 90,000 such fraud complaints -- about 45 percent of all Internet crimes reported to the tracking organization.
The Oakland police told Petersen there was nothing they could do. But Petersen didn't give up. He got in his car and drove to Johnson's address in San Jose. After knocking on her door, he learned that the middle-age woman had not been using her PayPal account. Someone else had.
Petersen made another report, this time with the San Jose police, and it ended up on Niehoff's desk.
Veteran crime-fighter By then, Niehoff had spent almost 21 years on the force, including two tours of duty in the high-tech crimes unit. Tall and lean, Niehoff's unassuming attitude gives no hint of an action-packed career that has included everything from dismantling a highly sophisticated financial fraud involving Silicon Valley chip giants to busting up criminal street gangs.
Something about the Asian man showing up in Petersen's Lake Merritt neighborhood bothered him. "It didn't smell right," he would later recall.
Niehoff decided to "dust" for digital fingerprints.
Internet thieves don't leave behind physical evidence. But they do create digital trails. Indeed, everyone who uses the Internet leaves a unique electronic mark on every Web site they visit. Called an IP address, this string of numbers identifies a particular personal computer to a Web server. Depending on the Web site, an IP address can be stored for a few months or forever. IP addresses are also hidden in e-mails.
Petersen knew enough about computers to provide Niehoff with the IP addresses used by the thief who had posed as Henrietta Johnson. Niehoff studied the numbers: 184.108.40.206 and 220.127.116.11. On their own they didn't tell him much. He needed more information from SBC, the Internet provider involved, to match them with a real person.
Niehoff got a search warrant from a Superior Court judge on Jan. 30, 2006, and sent it off to SBC. Meanwhile, he kept digging.
He learned that the credit card used for the PayPal transaction for Petersen's computer had been lifted from a retired nurse living in San Carlos. When contacted by the Mercury News, the nurse asked that her name not be used for fear her identity would be stolen yet again. She said she found $4,000 in PayPal-related charges for an account owned by someone called "Twnkletoe" after she returned home after the Christmas holidays.
"I called the bank immediately," the nurse said. "I was lucky, because I had fraud protection." Since then, she's been afraid to use her computer. "I thought, my gosh, the Internet did it," she said.
'Honors students' Niehoff received a fax from SBC on Feb. 8, 2006. The IP addresses belonged to a 49-year-old man named Greson Ma who lived at 766 Beechwood Drive in Daly City. It was a nice neighborhood with ocean views. Homes there sold for more than $600,000.
The Daly City police knew Ma's address well. Three and a half years earlier, they had arrested his eldest sons -- Alvin and Calvin -- for using stolen credit cards to buy stuff on the Internet. Greson Ma was not charged in that case.
Daly City police detective Joseph Bocci caught the brothers in October 2002 as they were picking up a $1,900 minibike they had ordered from an Internet retailer with a stolen credit card. When confronted by the detective, Alvin politely explained he had gotten the credit card number from someone he met in an Internet chat room.
Then in their late teens, the brothers were unlikely criminals, Bocci recalled. They were mild-mannered and respectful. They looked like "honors students," he said.
Their criminal scheme was similarly clean-cut: They stole identities, bought stuff online and resold it.
The brothers were convicted of grand theft and placed on probation in 2005. However, little changed in their daily lives.
Calvin Ma graduated from Westmoor High School and joined his brother at the College of San Mateo. The brothers took turns watching a younger brother after school. They worked at Circuit City in Daly City.
Alvin organized an Asian-American beauty pageant in San Francisco with support from See's Candies and the Oakland Vietnamese Chamber of Commerce. The videos of Alvin Ma's girlfriend, Linda Phung,being named Miss National Asia in the summer of 2006 are posted on YouTube.
From outward appearances, no one would have guessed Alvin and Calvin were living a double life as digital gangsters.
Niehoff served a search warrant on the Ma home on Feb. 14, 2006. The two-story house was painted pink and protected by a locked security gate. Neither Alvin nor Calvin was home when the detective arrived, but there was a Dell computer in the living room. Niehoff took it and gave Greson Ma a receipt.
Back in San Jose, Niehoff quickly found a folder on the computer containing e-mails written by Twnkletoe. He also found logs of Internet chats. In stored instant-message conversations, Alvin Ma bragged of using stolen credit cards to buy things on Craigslist and eBay.
Ma boasted how he used a free software program called "Dark Mailer" to create e-mails with fake headers that appeared to be from AOL or PayPal. This practice is called phishing, and security experts say it represents one of the most serious threats to consumers' safety on the Internet today.
Phishing for passwords "It's quite easy to make up an e-mail that looks just like it's coming from a legitimate company," said Robert Chestnut, eBay's global head of trust and safety. "Everybody gets these phishing e-mails with the eBay logo and PayPal logo, the Bank of America logo, the Amazon Logo. . . . They send them to me at eBay."
Phishing e-mails contain a link to Web sites created by fraudsters that are designed to trick victims into entering their passwords. The fraudsters then use the passwords to break into accounts in order to steal identities or money.
Phishing is one of the fastest growing forms of electronic fraud. According to the Anti-Phishing Working Group, the number of phishing Web sites grew to more than 55,600 by April 2007 -- a 60 percent increase over the previous year.
Niehoff found a template for the phishing Web site "AOL.com Billing Central" on Ma's computer, along with more than 20,000 AOL e-mail addresses.
Niehoff's investigation was clearly just beginning.
PayPal was particularly helpful, he said, and assigned a company investigator to the case to help identify additional victims. Niehoff spent the next few months contacting more than three dozen victims.
As Niehoff's collection of cell phone and e-mail records grew, so did the evidence against the crew. Along with computers, they had bought and sold more than $50,000 worth of Xboxes and Rolexes. Niehoff found the Gmail account that had been used to collect passwords entered into the phishing Web site, and the PayPal accounts the group had used to resell stolen machines on eBay.
Victim snaps photo One of the victims -- who by coincidence was also an eBay employee -- provided Niehoff with a photo he had snapped of Kevin Lum, 26, one of the four members of the ring, with his cell phone, after Lum picked up an Apple PowerBook the employee had listed for sale on Craigslist on Jan. 11, 2006. Lum and the fourth member, Frank Lin, 22, are from San Francisco.
The Santa Clara County District Attorney's Office filed charges of computer intrusion, grand theft and identity theft against all four members of the crew at the end of July. By the end of November all four had struck plea bargains. Niehoff estimated they made off with $60,000 to $75,000 in this case.
"It was a very strong case," said Deputy District Attorney Thomas Flattery.
Now in jail in San Quentin, the Ma brothers did not respond to requests to speak with a Mercury News reporter. Their mother and brother declined to speak with a reporter who knocked on the door of their home on Beechwood Drive. None of the four defense attorneys would return phone calls.
In a letter to the judge written on April 27, 2007, Alvin Ma insisted he was "not a bad individual or just any repeating offender." Though he acknowledged he had pleaded guilty to 40 counts of felonies, he asked the judge for a chance to turn his life around.
"I feel like I lost my future," he wrote. "But I completely understand I did this to myself."
To see more of the San Jose Mercury News, or to subscribe to the newspaper, go to http://www.mercurynews.com.
Copyright (c) 2007, San Jose Mercury News, Calif.
Distributed by McClatchy-Tribune Information Services.
For reprints, email [email protected], call 800-374-7985 or 847-635-6550, send a fax to 847-635-6968, or write to The Permissions Group Inc., 1247 Milwaukee Ave., Suite 303, Glenview, IL 60025, USA.
NASDAQ-NMS:EBAY, NYSE:CC, NASDAQ-NMS:DELL, NYSE:TWX, NYSE:BAC,