RealTime IT News

Hackers Succeed in Breaching Shopping Cart Software

In a show of bravado, several cyber-hackers busted into merchant sites operating shopping cart services supplied by PDG Software, stole information and then sent notes to the store owners boasting of their exploits.

Atlanta-based PDG Software president David Snyder told internetnews.com that an undisclosed number of merchant sites touting his software had been scaled by cyber "rogues."

The company, which first became aware of the problem in the early morning of April 2, said it immediately patched the software and sent out a mass e-mail to the 4,000 Web merchants using its shopping cart package.

Merchants who were sent messages from the cyber thieves brought the matter to PDG Software's attention.

Although Snyder declined to go into detail, pending an FBI investigation, he said the messages sent by the hackers read "we ripped you off, we broke into your site."

Besides generating an immediate e-mail, Snyder notified by phone other system patrons who were directly affected. He declined to name which merchants had been compromised. However, he noted that there was no "misappropriation of credit cards to his knowledge" at that time. The FBI later informed PDG that the hackers had attempted to read credit card numbers.

Following the security breach, on April 6 the FBI issued an advisory through the National Infrastructure Protection Center (NIPC), which serves as a national cyber warning center, to confirm "the significance of [the] vulnerability."

"Based on ongoing investigations, including information immediately provided to the FBI by PDG Software and numerous victim companies, the NIPC is aware that the vulnerability has already resulted in compromise and theft of important information, including consumer data.

"The NIPC emphasizes the recommendation that all computer network systems administrators check relevant systems and consider applying updated patches as necessary, especially for systems related to e-commerce," the warning said.

PDG Software currently uses a Q/A troubleshooting department and employs third-party audit firms, including U.K.-based Cerebus, to safeguard its software.

The five-year-old company does business with a mostly international base of merchants who license its shopping cart software, including sites operating Web distribution centers and auctions.

Snyder claimed none of the merchant sites had dropped his service as a result of the cyber break-in.

"This is the nature of the business," he said, surmising merchant sites understand the risk involved in doing business on the Web.