RealTime IT News

Failed Blackmail Attempt Leads to Credit Card Theft

In what may be the largest credit card heist on the Internet, an 18-year-old Russian cracker claims to have stolen thousands of credit card numbers from an online store and dispensed them to visitors of his Web site.

Before it was taken offline early Sunday morning, the rogue site, a page of which has been captured here, had doled out more than 25,000 stolen card numbers. Also included with the numbers were expiration dates and cardholder names and addresses, according to a counter on the page. With the click of a button, visitors could launch a script that purportedly obtained a valid credit card "directly from the biggest online shop database," according to a message at the site.

The cracker, who goes by the nickname Maxus, claimed in an e-mail to InternetNews.com to have breached the security of CDuniverse.com, an online music store operated by eUniverse, Inc. of Wallingford, Conn. Maxus said he had defeated a popular credit card processing application called ICVerify, from CyberCash (CYCH) and obtained a database containing more than 300,000 customer records from CDuniverse.

As proof of his exploit, Maxus e-mailed a file to InternetNews containing dozens of user names and passwords for accessing customer order status information at CDuniverse.

One of the victims, Greg Wilson of Binghamton, N.Y., confirmed that he had shopped at the online music store over a year ago. According to Wilson, he was contacted by his credit card company's fraud division last week after someone had attempted to make an authorized charge to his card.

Another victim, Charles Vance of Marietta, Ga. said he had purchased CDs from the company in the past, but had recently cancelled the card on file for unrelated personal reasons.

Cybercash officials disputed the hackers report, saying their IC Verify product was not at issue.

"CyberCash's ICVERIFY product is a pc-based payment system, not a Web-enabled product and is not being used by CD Universe on its Web site. Therefore, the credit card information cited in recent coverage could not have come from ICVERIFY.

"Since we're not involved in this, any other questions should be addressed to law enforcement officials or CD Universe, as it is not appropriate to comment further due to the legalities surrounding this issue."

Maxus said that he decided to set up the site, titled Maxus Credit Cards Datapipe, and to give away the stolen customer data after officials at CDuniverse failed to pay him $100,000 to keep quiet about the security hole. Maxus claims the company agreed to the payment last month, but subsequently balked at initiating a wire transfer to a secret bank account because it might be noticed by auditors. After a week passed with no further contact from the company, Maxus said he put up his site and announced its presence Dec. 25th on an Internet Relay Chat group devoted to stolen credit cards.

Soon after launching his site, Maxus said it became so popular with credit card thieves that he had to implement a cap to limit visitors to one stolen card at a time.

The Internet service provider which hosted the Maxus site, Lightrealm Inc., of Kirkland, Wa, took the Maxus site down sometime early Sunday morning. Lightrealm was acquired by Micron Electronics (MUEI) last October.

According to Elias Levy, chief technology officer of Internet security information firm SecurityFocus.com, which first publicized the existence of the Maxus site, the incident "is very disturbing. It realizes the fears people have about online commerce." But Levy pointed out that becaus