The US Securities and Exchange Commission (SEC) has filed charges against Pennsylvania teenager Van Dinh after he allegedly used a Trojan Horse program to hack into a third-party online brokerage account and purchase his own expiring stock options.
Dinh is the first person to be prosecuted by the SEC on computer hacking and identity theft charges.
During July 2003 Dinh is alleged to have sent an e-mail inviting users of an online stock discussion forum to test a new stock-charting tool. The tool was in fact a disguised version of keystroke-logging program 'The Beast' that would enable Dinh to monitor remotely the computer activity of any users who had downloaded it.
On 11 July, Dinh allegedly used the program to access the online TD Waterhouse brokerage account of a Massachusetts investor and placed buy orders for options contracts for Cisco Systems that corresponded to sell orders Dinh previously placed through his own brokerage account.
As a result, the victim unknowingly purchased 7200 Cisco option contracts, at $5 per contract, that expired worthless eight days later. The fraud saved Dinh approximately $37,000 in trading losses.
The SEC says Dinh attempted to conceal his identity through the use of online aliases, multiple e-mail accounts, foreign Internet service providers and anonymising Web sites, but investigators still located him within days of being contacted about the fraud.
Office of Internet Enforcement Chief, John Reed Stark, urged online investors to be extra vigilant: "This case should remind investors using the Internet to review their brokerage statements carefully every month, to check the bona fides of any potential download and to take security measures, such as using an antivirus shield and employing a firewall, in order to avoid computer viruses, worms and other intrusion programmes."
In a related action, Dinh was also charged by the United States Attorney's Office for the District of Massachusetts with securities fraud, mail and wire fraud and with causing damage in connection with unauthorised access to a protected computer.