RealTime IT News

Curador's Victims Included 'Bill J. Clinton'

Raphael Gray, the Welsh computer attacker who is awaiting sentencing for a string of online shopping site break-ins, counts Bill Gates among his victims. But an investigation by InternetNews has revealed that Microsoft's chairman is not the only high-profile name among the thousands of credit card records Gray stole during a hacking spree last year.

Former US President William "Bill" J. Clinton and political commentator and reformed party candidate Patrick "Pat" J. Buchanan were also among the names of victims listed in a customer database Gray lifted from Salesgate.com, a Buffalo, NY-based ecommerce provider.

But then again, so too were "Test Test" and "Beavis Butt" among the 6,000 Salesgate customer records Gray reposted at his own web site and sent to InternetNews on February 18, 2000.

"Those were tests ... when we first tested the order process, we chose names that would obviously not be the real people so that we would know they were tests. And so Bill Clinton was one of the names we chose," said Chris Keller, the manager of Salesgate.com, which went out of business in April 2000, one month after Gray was arrested by Welsh police and the FBI at his home in Clynderwen, Wales.

Similarly, Tim Ward, the operator of another site Gray hit, said that bogus names sometimes turn up in the customer order records of online merchants.

"From time to time we have had jokes where somebody puts in a funny name like Ben Dover, or something like that. It happens, but we just ignore it," said Ward, the owner of Feelgoodfalls.com, an online pharmacy Gray pilfered on February 21, 2000.

These admissions raise new doubts about the accuracy of recent reports by several media outlets, including the London Times, The Sun, and Wired News, that Gray had not only obtained Gates' credit card number from one of his victim sites but also had ordered "a course of Viagra to be sent to the tycoon," as the Times put it.

Gray has not revealed the name of the site from which he obtained the Microsoft leader's card number. Spokesperson Jim Desler told InternetNews Tuesday that the reports about Gates' credit card and Viagra were "bogus."

"We have absolutely no knowledge of any incident and have not been contacted by any law enforcement about this matter. We checked that number and it's just not a number that Gates has. The number just doesn't check out," said Desler.

But Rob Rosenberger, operator of the VirusMyths.com site, says many people will be more inclined to trust the claims of hackers than the denials of public relations officials.

"But I'm telling you, I'll believe the PR guy because hackers reflexively lie. Stories like this get legs because we can see plausibility, but this is how Internet legends get started," said Rosenberger, who notes that programmers often use the names of famous people or characters from movies or literature as dummy data when they are testing software.

A visit to a mirror of the site where Gray made his original boast reveals that the credit card number he claimed was Gates' is missing digits and does not follow any algorithm used by credit card companies. The source of the Viagra story appears to have come from an offhand comment Gray made at another site, a copy of which is archived here.

Gray's boasts about Gate's credit card were first reported as fact last March by the UK's Telegraph, a story that was later picked up by Reuters, which provides news feeds to media outlets around the world, such as ZDnet.

Gray was to be sentenced on six counts of unauthorized computer access last Friday, but the judge postponed sentencing pending medical tests, which are expected to take several weeks. Gray is free on bail in the meantime. Under Britain's Computer Misuse Act of 1990, he faces up to one year in prison for the intrusions, which the FBI estimated caused damages of $3 million.