Raphael Gray, the Welsh computer attacker who is awaiting sentencing for a
string of online shopping site break-ins, counts Bill Gates among his
victims. But an investigation by InternetNews has revealed that Microsoft’s
chairman is not the only high-profile name among the thousands of credit
card records Gray stole during a hacking spree last year.
Former US President William “Bill” J. Clinton and political commentator and
reformed party candidate Patrick “Pat” J. Buchanan were also among the
names of victims listed in a customer database Gray lifted from
Salesgate.com, a Buffalo, NY-based ecommerce provider.
But then again, so too were “Test Test” and “Beavis Butt” among the 6,000
Salesgate customer records Gray reposted at his own web site and sent to
InternetNews on February 18, 2000.
“Those were tests … when we first tested the order process, we chose
names that would obviously not be the real people so that we would know
they were tests. And so Bill Clinton was one of the names we chose,” said
Chris Keller, the manager of Salesgate.com, which went out of business in
April 2000, one month after Gray was arrested by Welsh police and the FBI
at his home in Clynderwen, Wales.
Similarly, Tim Ward, the operator of another site Gray hit, said that bogus
names sometimes turn up in the customer order records of online merchants.
“From time to time we have had jokes where somebody puts in a funny name
like Ben Dover, or something like that. It happens, but we just ignore it,”
said Ward, the owner of Feelgoodfalls.com, an online pharmacy Gray pilfered
on February 21, 2000.
These admissions raise new doubts about the accuracy of recent reports by
several media outlets, including the London
Times, The Sun, and Wired News,
that Gray had not only obtained Gates’ credit card number from one of his
victim sites but also had ordered “a course of Viagra to be sent to the
tycoon,” as the Times put it.
Gray has not revealed the name of the site from which he obtained the
Microsoft leader’s card number. Spokesperson Jim Desler told InternetNews
Tuesday that the reports about Gates’ credit card and Viagra were “bogus.”
“We have absolutely no knowledge of any incident and have not been
contacted by any law enforcement about this matter. We checked that number
and it’s just not a number that Gates has. The number just doesn’t check
out,” said Desler.
But Rob Rosenberger, operator of the VirusMyths.com site, says many people
will be more inclined to trust the claims of hackers than the denials of
public relations officials.
“But I’m telling you, I’ll believe the PR guy because hackers reflexively
lie. Stories like this get legs because we can see plausibility, but this
is how Internet legends get started,” said Rosenberger, who notes that
programmers often use the names of famous people or characters from movies
or literature as dummy data when they are testing software.
A visit to a mirror
of the site where Gray made his original boast reveals that the credit card
number he claimed was Gates’ is missing digits and does not follow any
algorithm used by credit card companies. The source of the Viagra story
appears to have come from an offhand comment Gray made at another site, a
copy of which is archived here.
Gray’s boasts about Gate’s credit card were first reported as fact last
March by the UK’s Telegraph,
a story that was later picked up by Reuters, which provides news feeds to
media outlets around the world, such as ZDnet.
Gray was to be sentenced on six counts of unauthorized computer access last
Friday, but the judge postponed
sentencing pending medical tests, which are expected to take several weeks.
Gray is free on bail in the meantime. Under Britain’s Computer Misuse Act
of 1990, he faces up to one year in prison for the intrusions, which the
FBI estimated caused damages of $3 million.