Circle Tightens Around Online Credit Card Thief

Law enforcement officials may be closing in on Maxus, the Russian cracker who stole 300,000 credit card numbers from e-tailer CDuniverse last month
and dispensed them for free to visitors of his Web site.

Since news of his exploits was made public last weekend, the operator of the Maxus Credit Card Datapipe site has gone underground. But using a guestbook from his site as
a guide, hacker trackers at security information site said
Wednesday that they were able to infiltrate Maxus’ ring of associates and
trace him right down to a bank account in Latvia.

The man who attempted to extort $100,000 from CDuniverse is Maxim Ivancov,
according to AntiOnline founder John Vranesevich. Posing as potential
customers for stolen credit cards, AntiOnline staff also claim to have
identified Ivancov’s right-hand man, Evgenij Fedorov, who uses the hacker handle Diagnoz.

Vranesevich said AntiOnline has likely given the FBI enough additional
information to make an arrest — were Ivancov a U.S. citizen. But
knowledgeable observers are doubtful that Russian authorities will cooperate with American law enforcement officials.

Ivancov’s recent actions suggest a hot-headed blackmailer suddenly overcome
with a fit of generosity toward his fellow crooks. But the emerging profile
is of a savvy operator who played the media and other thieves to his

“He was not a social hacker in for peer recognition. He was in it for the
money, and the site and everything else was just a big commercial,” Vranesevich said.

The Maxus Credit Card Datapipe existed not to punish CDuniverse for failing
to pay up but to serve as a loss-leader for lining up profitable customers,
according to Vranesevich. Ivancov apparently generated cash from the stolen
cards four ways: by selling them in bulk to trusted partners for $1 each; by
reaping kick-backs from resellers; by dealing directly to small-time
thieves; and by “liquidating” them into cash using a stolen or phony
merchant identification number.

“His bank account could be filled right now. It’s just a matter of how fast he puts in the cards,” Vranesevich said.

In an e-mail to Saturday, Maxus said he notified CDuniverse
about the security intrusion a month ago. In a statement Monday, CDuniverse
confirmed the loss of data and said it had “taken a stand against a new form
of online blackmail on behalf of all legitimate e-commerce retailers.”

Tom Arnold, chief technology officer for CyberSource (CYBS), a provider of secure
ecommerce services, said he’s troubled that CDuniverse was so slow to
inform customers about the severity of the breach.

“If you’ve really been compromised, hiding under the desk is not the action
to take. The action is to aggressively communicate with your customers. You
have to both salvage the business and make sure customers are protected,” Arnold said.

The technique of “carding cash” or ringing up bogus charges to a merchant
account is not new, “but the Internet has made it more efficient,” according
to Arnold. CyberSource recently intercepted an attempt by a man who posted a
file with 28,000 credit card numbers to a chat room — all previously
collected as admission fees to a pornography site.

Other “carders” use phony merchant accounts and stolen cards to convert
goods to cash. A 16-year-old man in Reno, Nev., who goes by the handle
“rebirf,” told InternetNews in an interview over Internet relay chat that he
makes $2,000 per month ordering online merchandise using stolen card numbers
and having it delivered to “drop spots” such as vacant houses, after which he pawns it for cash.

Credit card thieves thus pose a double threat to online businesses. While few have their databases pilfered outright as CDuniverse did, many face losses when crooks use stolen card numbers to purchase goods at their sites.

Under their agreement with card issuers, brick-and-mortar merchants that run a physical card through a reader are protected from fraud. But online
merchants operate in what credit companies call a “card not present”
environment, in which they, and not the card issuer, must eat any fraud
losses. For some online retailers, those losses can be significant — fraud rates can reach 30 percent on digital content such as software, music, and videos, according to CyberSource.

The primary lesson from the CDuniverse debacle, says Ted Julian, director of
marketing for AtStake, a recently launched security consultancy, is that
ecommerce firms must build security into their business strategy at the outset.

“Today’s sites are largely run on new, custom software, and there’s no
question that any major site is rife with security issues. Unfortunately,
security often ends up at odds with ecommerce objectives, and everybody
loses when that’s the case,” Julian said.
