Since news of his exploits was made public last weekend, the operator of the Maxus Credit Card Datapipe site has gone underground. But using a guestbook from his site as a guide, hacker trackers at security information site AntiOnline.com said Wednesday that they were able to infiltrate Maxus' ring of associates and trace him right down to a bank account in Latvia.
The man who attempted to extort $100,000 from CDuniverse is Maxim Ivancov, according to AntiOnline founder John Vranesevich. Posing as potential customers for stolen credit cards, AntiOnline staff also claim to have identified Ivancov's right-hand man, Evgenij Fedorov, who uses the hacker handle Diagnoz.
Vranesevich said AntiOnline has likely given the FBI enough additional information to make an arrest -- were Ivancov a U.S. citizen. But knowledgeable observers are doubtful that Russian authorities will cooperate with American law enforcement officials.
Ivancov's recent actions suggest a hot-headed blackmailer suddenly overcome with a fit of generosity toward his fellow crooks. But the emerging profile is of a savvy operator who played the media and other thieves to his advantage.
"He was not a social hacker in for peer recognition. He was in it for the money, and the site and everything else was just a big commercial," Vranesevich said.
The Maxus Credit Card Datapipe existed not to punish CDuniverse for failing to pay up but to serve as a loss-leader for lining up profitable customers, according to Vranesevich. Ivancov apparently generated cash from the stolen cards four ways: by selling them in bulk to trusted partners for $1 each; by reaping kick-backs from resellers; by dealing directly to small-time thieves; and by "liquidating" them into cash using a stolen or phony merchant identification number.
"His bank account could be filled right now. It's just a matter of how fast he puts in the cards," Vranesevich said.
In an e-mail to InternetNews.com Saturday, Maxus said he notified CDuniverse about the security intrusion a month ago. In a statement Monday, CDuniverse confirmed the loss of data and said it had "taken a stand against a new form of online blackmail on behalf of all legitimate e-commerce retailers."
But Tom Arnold, chief technology officer for CyberSource (CYBS), a provider of secure ecommerce services, said he's troubled that CDuniverse was so slow to inform customers about the severity of the breach.
"If you've really been compromised, hiding under the desk is not the action to take. The action is to aggressively communicate with your customers. You have to both salvage the business and make sure customers are protected," Arnold said.
The technique of "carding cash" or ringing up bogus charges to a merchant account is not new, "but the Internet has made it more efficient," according to Arnold. CyberSource recently intercepted an attempt by a man who posted a file with 28,000 credit card numbers to a chat room -- all previously collected as admission fees to a pornography site.
Other "carders" use phony merchant accounts and stolen cards to convert goods to cash. A 16-year-old man in Reno, Nev., who goes by the handle "rebirf," told InternetNews in an interview over Internet relay chat that he makes $2,000 per month ordering online merchandise using stolen card numbers and having it delivered to "drop spots" such as vacant houses, after which he pawns it for cash.
Credit card thieves thus pose a double threat to online businesses. While few have their databases pilfered outright as CDuniverse did, many face losses when crooks use stolen card numbers to purchase goods at their sites.
Under their agreement with card issuers, brick-and-mortar merchants that run a physical card through a reader are protected from fraud. But online merchants operate in what credit companies call a "card not present" environment, in which they, and not the card issuer, must eat any fraud losses. For some online retailers, those losses can be significant -- fraud rates can reach 30 percent on digital content such as software, music, and videos, according to CyberSource.
The primary lesson from the CDuniverse debacle, says Ted Julian, director of marketing for AtStake, a recently launched security consultancy, is that ecommerce firms must build security into their business strategy at the outset.
"Today's sites are largely run on new, custom software, and there's no question that any major site is rife with security issues. Unfortunately, security often ends up at odds with ecommerce objectives, and everybody loses when that's the case," Julian said.




