Undaunted by U.S. government vows to crack down on those who pilfer credit
card numbers from Web sites, a man going by the name of “Curador” breached
SalesGate.com in the latest of a rash
of cracks made by the hacker who claims he is trying to help
companies by illuminating weaknesses in their security systems.
In his latest attempt about a week ago, Curador lifted 2,000 records,
including credit card numbers and other personal information, from SalesGate.
SalesGate is a New York-based marketplace “developed to help small and large businesses sell online in a way that
guarantees the protection of the user’s personal information.” The firm
extends this guarantee on its home page, which may appear as a challenge to
the hacker.
SalesGate co-founder Chris Keller confirmed Thursday that the credit card
numbers were lifted and said “a number of agencies,” including the U.S.
Secret Service “are working to catch” the hacker.
As of Thursday, SalesGate had contacted customers affected by the breach,
cancelling the cards directly with the credit card companies. It also warned
them to beware of unauthorized charges.
Curador has also admitted to hacking into promobility.net, shoppingthailand.com and LTAmedia.com in recent weeks.
At the time of the shoppingthailand.com breach in which he took 5,000 credit
card numbers, Curador held court on a Web site, thanking Bill Gates for
making “SQL servers with default world readable permissions.”
“Maybe one day people will set up their sites properly before they start
trading because otherwise this won’t be the last page I post to the NET,”
wrote the cracker in a message at his site, which is mirrored here.
Curador’s e-crackerce.com site, where Curador listed the stolen card
numbers, was recently taken down by the hosting company. Last week, the
counter at the site showed that it had been visited more than 500 times,
raising the question of whether Curador had given out the address in newsgroups
or IRC channels devoted to stolen credit cards.
Larry Hutchenson is the Webmaster for LTAMedia.com, which Curador cracked
around Feb. 3, stealing about 750 credit cards. While Curador
claimed at his site to be “the saint of ecommerce,” Hutchenson said he’s
just a crook.
“It would be one thing if the gentleman had sent an e-mail to me or somebody
else saying that ‘you have a security breach in your area, you can do
this’ — I mean the guy used outrageous stuff to get in,” said Hutchenson.
“If he had sent that stuff to me it would be one thing. If somebody takes
information that is stored on the site, and it has been entrusted on that
site and they steal that information and use it, post it, or whatever, it is
stealing.”
Tyger Team Consultants was the first
to notify LTAMedia about the break-in. Tyger’s Chris Davis, who is
investigating Curador’s activities, refuses to believe that Curador’s
actions are benevolent. He said the hacks were made on systems with IIS and
NT servers, which are not known to provide excellent security. Furthermore,
after conducting an audit, he discovered Curador had installed a “back door”
program through which he could return to manipulate the site in the future.
“They (sites) may be vulnerable due to outside administrators that doesn’t
maybe understand all of the security implications that come with IIS and NT,
which there are several right out of the box,” said Davis. “Why are you
adding to their vulnerabilities then? They secure their boxes to the best of
their ability, this kid breaks in to show that they’re not secure and he
backdoors them so that he can get back in whenever he wants and no one will
know about? And then he’s using their credit card numbers? It doesn’t jive.”
In a Feb. 3 interview with InternetNews Radio, Curador said his
hacker name means “custodian” and that his actions come out of “delusions of
grandeur” based on the 1997 film “The Saint” in which a thief steals jewels,
but then helps people.
When asked if he thought he would get caught, Curador, who many say has not
adequately covered his tracks, tried to be realistic.
“Everybody gets caught sooner or later,” he said. “I don’t think what I am
doing is technically illegal. I am publishing numbers that are public
property on sites — I am not selling them to people.”
Curador said he is trying to show that a well-known RDS bug on Microsoft’s (MSFT)
NT servers is easily manipulated to control an entire server. Experts say
RDS may affect as much as 80 percent of those companies running Windows NT
servers.
The electronic assault is also the latest in a rash of hacks made in the
last two months on companies as large as eBay Inc. (EBAY)
and as small as CDuniverse, a Wallingford-based firm that had more than
300,000 credit card numbers taken by a self-described 18-year-old hacker
named “Maxus” last January.
Secret Service officials were trying to link attacks on other major
companies such as Datek, Amazon.com Inc. (AMZN)
and Yahoo! Inc. (YHOO).