 
[ISN] Web hosts customer database stolen

From: InfoSec News (isn@C4I.ORG)
Date: Wed Apr 04 2001 - 19:44:02 CDT


http://www.msnbc.com/news/553615.asp

By Bob Sullivan
MSNBC
April 2, 2001

A computer criminal claims to have stolen personal information on
46,000 customers from Web hosting company ADDR.com. The data includes
account names and passwords that could be used to alter Web site
content, as well as credit card information. Several victims of the
heist report finding thousands of dollars in fraudulent charges on the
credit cards in recent weeks. ADDR.com has so far not commented on the
alleged heist.

THE CRIMINAL, CONTACTED by MSNBC.com late Friday, claimed to have
broken into ADDR.com's computers and stolen the firm's entire customer
database. He would only identify himself as a 26-year-old from the
Netherlands, but he provided evidence of his claim by e-mailing a
slice of the data, 50 records, to MSNBC.com.

The data appears to be legitimate, and if it is, it's likely that
whoever grabbed the 50 records from ADDR.com would have been able to
obtain the company's entire database.

MSNBC.com attempted to contact each of the 50 customers included in
the data provided by the criminal; every one of the 16 who responded
verified that the user names, passwords, and credit cards in the
records were accurate.

The information was also furnished to ADDR.com's technical support
manager Harlane Chase early Monday, but as of late Monday the company
had not been able to respond to a request for comment.

CARDS IN CIRCULATION

The credit card data appears to be in circulation in the computer
underground. Three of the customers contacted by MSNBC.com said they
had recently discovered fraud on their accounts. Reggie Marks of
Clayton, Calif., who runs Excav8tor.com, said his bank called a week
ago and told him that $3,000 worth of computer hardware and software
had been billed to his card. Steve Eisenberg of San Diego, Calif., who
operates Thewebcoach.net, said he found $900 in false charges on his
card in the past week. Another victim, who asked not to be identified,
told MSNBC.com about $2,500 in errant charges caught by her bank.

A fourth victim, Cliff Hanna of Del Mar, Calif., called his bank after
being contacted by MSNBC.com and discovered that just late Sunday a
fraudulent $500 hotel room charge had been billed to his card.

NOT JUST CREDIT CARDS

The data obtained by the computer criminal would allow more than
fraudulent charges. Because it includes account user names and
passwords, it also would allow him to change content on many of the
sites. In an e-mail interview, he even suggested he could use each
site's bandwidth to launch a denial-of-service attack.

There is a mitigating factor, however: the records viewed by MSNBC.com
contain only default account passwords handed out to new customers by
ADDR.com, according to the customers interviewed. Most had changed
their passwords since they opened their accounts, so a criminal with
the database would have to crack the new password to break into an
account.

ADDR.com is a large Web hosting company which supports nearly 50,000
Web sites across the Internet; most of them are small business pages
like fixit4you.com or commoncomputer.com. It's particularly popular
because the monthly hosting fee of $7.95 is among the cheapest rates
available on the Internet. Some of the customers MSNBC.com contacted
defended the company, including one victim of credit card fraud, who
said, "It's not their fault if they didn't know about it. It's the
hacker's fault."

BBB COMPLAINTS

But others say the company has a track record of being unresponsive.
In fact, ADDR.com has an unsatisfactory record according to the Better
Business Bureau of San Jose, Calif., where it was once based. Now, the
firm is based in Colorado.

According to the Better Business Bureau Web site, "our records show a
pattern of non-response to consumer complaints brought to its
attention by the Bureau."

The problem of database theft on the Internet first garnered worldwide
attention last January when a computer criminal stole thousands of
card numbers from CDUniverse.com, tried to extort the company, and
then posted the numbers on a Web page. Since then, MSNBC.com has
reported on numerous credit card heists and some of the methods
criminals use to turn stolen data into cash.

Experts predict the trend will get worse before it gets better. A
study released Friday by GartnerGroup claimed that the economic cost
of cybercrime will grow by 1,000 to 10,000 percent by 2004.

ISN is hosted by SecurityFocus.com