Rebuffed Internet extortionist posts stolen credit card data

January 10, 2000

CNN

http://archives.cnn.com/2000/TECH/computing/01/10/credit.card.crack.2/



NEW YORK (CNN) -- An anonymous computer hacker stole credit card numbers from an Internet music retailer and posted them on a Web site after an attempt to extort money from the company failed.

The retailer, CD Universe, brought in Internet security specialists Monday to shore up its Web site, as the FBI tried to track down the hacker and customers contacted credit card companies to see if their cards were compromised.

The unknown hacker claimed to have stolen 300,000 credit card numbers from CD Universe and distributed up to 25,000 of them on a Web site after the retailer refused to pay a $100,000 ransom, according to The New York Times.

The computer intruder claimed in e-mails to the Times that he used some of the credit card numbers to obtain money for himself.

The hacker, thought to be based in Russia, used a Web site to distribute the stolen numbers for two weeks to thousands of other people, said Elias Levy of SecurityFocus.com, a computer security firm. The hacker's site was shut down Sunday morning.

The parent company of CD Universe, eUniverse of Wallingford, had not yet determined how the Web site was compromised or how many customers may have been affected.

"There's no way to tell. It's not a good situation," said Brett Brewer, a vice president of eUniverse. Brewer said that as an emergency measure, eUniverse was able to cancel customers' credit card numbers that had been stolen and was notifying those cardholders by e-mail. He said the credit card companies would automatically give those customers new cards.

CD Universe and eUniverse were working with the FBI to track the hacker. But a lack of international laws that deal with Internet crime could hinder their efforts.

"The Internet creates a whole new class of criminal," Levy told the Times. "On the Internet you can have criminals coming from countries where we have no extradition treaties. How do you prosecute these people, or even investigate their crimes?"

The hacker, identifying himself as Maxim, a 19-year-old Russian, in an e-mail to the Times, said he exploited a security flaw in the software used to protect financial information at CD Universe's Web site. He said he sent a fax to the company last month offering to destroy his credit card files in exchange for the ransom.

When he was rebuffed, he said, he began posting the numbers on a Web site called Maxus Credit Card Pipeline on December 25. The hacker e-mailed the Times the numbers for 198 credit cards as proof of the theft.

With a single mouse click, a visitor could obtain a credit card number, name and address that the site claimed was obtained "directly from the biggest online shop database."

The numbers were real, said the Times, which contacted the credit card owners. At least one owner confirmed she had been a CD Universe customer.

Maxus wrote in an e-mail that he has participated in illegal credit card activities since 1997. He indicated in an earlier message that he had attempted to start a legal Internet business involving credit card processing, but discovered he could subvert infiltrate credit card verification software often used by e-commerce companies.

"Pay me $100,000 and I'll fix your bugs and forget about your shop forever," the electronic extortionist reportedly warned CD Universe in a fax. "Or I'll sell your cards and tell about this incedent (sic) in the news."

The credit card pipeline included a guest book for visitors, many of whom complained that posted credit card numbers had been declined. They urged Maxum to provide fresh ones.

"If you visit the guest book you will find a number of criminal types talking about buying and selling the credit cards. This is very disturbing. It realizes the fear people have about online commerce," Levy said.

Since credit card users are generally liable for no more than $50 for fraudulent use of their cards, "the real danger here is for the credit card companies and merchants that must deal with this fraud," he added.

Like many online retailers, CD Universe rode a burgeoning interest in online shopping at Christmas to bust open sales projections for music, movies, videos and games. CD Universe's sales were $9.1 million last year and are projected to rise to $16 million this year, Brewer said.


main page ATTRITION feedback