A computer criminal claims to have stolen personal information on 46,000 customers from Web hosting company ADDR.com. The data includes account names and passwords that could be used to alter Web site content, as well as credit card information. Several victims of the heist report finding thousands of dollars in fraudulent charges on the credit cards in recent weeks. ADDR.com has so far not commented on the alleged heist.
THE CRIMINAL, CONTACTED by MSNBC.com late Friday, claimed to have broken into ADDR.coms computers and stolen the firms entire customer database. He would only identify himself as a 26-year-old from the Netherlands, but he provided evidence of his claim by e-mailing a slice of the data 50 records to MSNBC.com.
The data appears to be legitimate, and if it is, its likely that whoever grabbed the 50 records from ADDR.com would have been able to obtain the companys entire database.
MSNBC.com attempted to contact each of the 50 customers included in the data provided by the criminal; every one of the 16 who responded verified that the user names, passwords, and credit cards in the records were accurate.
The information was also furnished to ADDR.coms technical support manager Harlane Chase early Monday, but as of late Monday the company had not been able to respond to a request for comment.
CARDS IN CIRCULATION
The credit card data appears to be in circulation in the computer underground. Three of the customers contacted by MSNBC.com said they had recently discovered fraud on their accounts. Reggie Marks of Clayton, Calif., who runs Excav8tor.com, said his bank called a week ago and told him that $3,000 worth of computer hardware and software had been billed to his card. Steve Eisenberg of San Diego, Calif., who operates Thewebcoach.net, said he found $900 in false charges on his card in the past week. Another victim, who asked not to be identified, told MSNBC.com about $2,500 in errant charges caught by her bank.
A fourth victim, Cliff Hanna of Del Mar, Calif., called his bank after being contacted by MSNBC.com and discovered that just late Sunday a fraudulent $500 hotel room charge had been billed to his card.
NOT JUST CREDIT CARDS
The data obtained by the computer criminal would allow more than fraudulent charges. Because it includes account user names and passwords, it also would allow him to change content on many of the sites. In an e-mail interview, he even suggested he could use each sites bandwidth to launch a denial-of-service attack.
There is a mitigating factor, however: the records viewed by MSNBC.com contain only default account passwords handed out to new customers by ADDR.com, according to the customers interviewed. Most had changed their passwords since they opened their accounts, so a criminal with the database would have to crack the new password to break into an account.
ADDR.com is a large Web hosting company which supports nearly 50,000 Web sites across the Internet; most of them are small business pages like fixit4you.com or commoncomputer.com. Its particularly popular because the monthly hosting fee of $7.95 is among the cheapest rates available on the Internet. Some of the customers MSNBC.com contacted defended the company, including one victim of credit card fraud, who said Its not their fault if they didnt know about it. Its the hackers fault.
BBB COMPLAINTS
But others say the company has a track record of being unresponsive. In fact, ADDR.com has an unsatisfactory record according to the Better Business Bureau of San Jose, Calif., where it was once based. Now, the firm is based in Colorado.
According to the Better Business Bureau Web site, our records show a pattern of non-response to consumer complaints brought to its attention by the Bureau.
The problem of database theft on the Internet first garnered worldwide attention last January when a computer criminal stole thousands of card numbers from CDUniverse.com, tried to extort the company, and then posted the numbers on a Web page. Since then, MSNBC.com has reported on numerous credit card heists and some of the methods criminals use to turn stolen data in cash
Experts predict the trend will get worse before it gets better. A study released Friday by GartnerGroup claimed that the economic cost of cybercrime will grow by 1,000 to 10,000 percent by 2004.