RealTime IT News

Circle Tightens Around Online Credit Card Thief

Law enforcement officials may be closing in on Maxus, the Russian cracker who stole 300,000 credit card numbers from e-tailer CDuniverse last month and dispensed them for free to visitors of his Web site.

Since news of his exploits was made public last weekend, the operator of the Maxus Credit Card Datapipe site has gone underground. But using a guestbook from his site as a guide, hacker trackers at security information site AntiOnline.com said Wednesday that they were able to infiltrate Maxus' ring of associates and trace him right down to a bank account in Latvia.

The man who attempted to extort $100,000 from CDuniverse is Maxim Ivancov, according to AntiOnline founder John Vranesevich. Posing as potential customers for stolen credit cards, AntiOnline staff also claim to have identified Ivancov's right-hand man, Evgenij Fedorov, who uses the hacker handle Diagnoz.

Vranesevich said AntiOnline has likely given the FBI enough additional information to make an arrest -- were Ivancov a U.S. citizen. But knowledgeable observers are doubtful that Russian authorities will cooperate with American law enforcement officials.

Ivancov's recent actions suggest a hot-headed blackmailer suddenly overcome with a fit of generosity toward his fellow crooks. But the emerging profile is of a savvy operator who played the media and other thieves to his advantage.

"He was not a social hacker in for peer recognition. He was in it for the money, and the site and everything else was just a big commercial," Vranesevich said.

The Maxus Credit Card Datapipe existed not to punish CDuniverse for failing to pay up but to serve as a loss-leader for lining up profitable customers, according to Vranesevich. Ivancov apparently generated cash from the stolen cards four ways: by selling them in bulk to trusted partners for $1 each; by reaping kick-backs from resellers; by dealing directly to small-time thieves; and by "liquidating" them into cash using a stolen or phony merchant identification number.

"His bank account could be filled right now. It's just a matter of how fast he puts in the cards," Vranesevich said.

In an e-mail to InternetNews.com Saturday, Maxus said he notified CDuniverse about the security intrusion a month ago. In a statement Monday, CDuniverse confirmed the loss of data and said it had "taken a stand against a new form of online blackmail on behalf of all legitimate e-commerce retailers."

But Tom Arnold, chief technology officer for CyberSource (CYBS), a provider of secure e-commerce services, said he's troubled that CDuniverse was so slow to inform customers about the severity of the breach.

"If you've really been compromised, hiding under the desk is not the action to take. The action is to aggressively communicate with your customers. You have to both salvage the business and make sure customers are protected," Arnold said.

The technique of "carding cash" or ringing up bogus charges to a merchant account is not new, "but the Internet has made it more efficient," according to Arnold. CyberSource recently intercepted an attempt by a man who posted a file with 28,000 credit card numbers to a chat room -- all previously collected as admission fees to a pornography site.

Other "carders" use phony merchant accounts and stolen cards to convert goods to cash. A 16-year-old man in Reno, Nev., who goes by the handle "rebirf," told InternetNews in an interview over Internet relay chat that he makes $2,000 per month ordering online merchandise using stolen card numbers and having it delivered to "drop spots" such as vaca