Bugging the perpetrators

Consumer advocate Brian Livingston recounts how a determined group of bug buyers tracked down a crew of Romanian hackers suspected of running a credit-card scam.

Jan. 12, 2002 3:56 p.m. PT

3 min read

I don't know which would be worse: finding out that my credit-card numbers and those of my friends had been stolen or learning that the business executives and legal authorities that I reported the crimes to weren't going to take any action.

That's the experience facing 10 exotic-pet owners, all who bought products at the same e-commerce sites--and found that their financial data had been intercepted by hackers from Romania.

Each of the online shoppers owns a sugar glider, a small Australian tree-dwelling mammal that looks like a cross between a raccoon and, well, a rat. The animals are illegal to own in California and several other places; they like to claw their owners' faces with razor-sharp talons, and they're almost impossible to house-train.

These traits keep the number of sugar-glider owners fairly small. For this reason, it was highly significant when members of the group, who actively share tips with each other through online message boards, found that their credit cards had been used for unauthorized charges.

"There are not many sugar-glider owners in the United States," says Linda Schuster, a pet owner who's extensively researched the hack-in. "To have ten people out of that show up with their credit cards stolen is weird."

In the wild, sugar gliders eat a diet of bugs and baby birds. Most glider owners don't have a lot of tiny tweeters to feed to their carnivorous companions, so the preferred approach is to order quantities of mealworms and crickets from a few online sources.

That's where the Internet comes in. After numerous messages had flown back and forth among group members, the problem became clear--and it should send up a warning flag for those who depend on e-commerce. Credit-card problems like Schuster's are apparently becoming so common that e-tailers and law enforcement agencies are hard-pressed to investigate individual cases.

The glider owners' credit-card numbers, probably hacked from one of the exotic pet sites the group frequents, had been used to buy prepaid long-distance calling cards from Yahoo, adult-entertainment videos, and bogus PayPal accounts. By tracing shipping records, the group found that some of the videos had been sent to an address in Romania, and an electronic trail of Internet communications led there as well.

Getting someone to do something about the thousands of dollars of theft, however, proved to be another matter.

"No one from the companies I called to report the credit fraud and identity theft has deemed the information or the offense serious enough to warrant their attention," Schuster said. "None have contacted me either with or for additional information."

The pet owners then turned to law enforcement authorities for help. The U.S. Secret Service has federal jurisdiction over credit-card fraud, but Schuster quoted one agent as saying, "Currently the federal agencies are not authorized to investigate offenses with small-cash losses."

Several e-mails I sent to the Romanian address said to belong to the leader of the hacker group went unanswered.

Given the group's dismal experience, several of the glider owners have come up with novel ways to protect themselves in cyberspace:

• One member of the group now cancels all her credit cards and gets new card numbers issued every three months.

• Another member suggests, "Do what I do and just don't have any money left on any of your cards...see what good they do them then."

Schuster still has hope and urges all fraud victims in the United States to contact the FBI's Internet Fraud Complaint Center and the Federal Trade Commission.

Perhaps if enough people report identity theft, she reasons, the authorities will finally start bugging the perpetrators.

A Wired Watchdog update
This is the last installment of Wired Watchdog, an investigative journalism series on e-commerce that began in March 2000. My wife, artist Margie Livingston, was recently awarded a Fulbright Scholarship to conduct a project in Germany, and I'll be writing my next book while shuttling back and forth between the United States and Berlin.

I hope you've enjoyed my coverage of Cityspree, CyberRebate, ICANN, Netpliance, Verisign, and all my other subjects as much as I've enjoyed researching them. Caveat emptor.

Brian Livingston's columns and books are available at SecretsPro.com. Send comments to tips@SecretsPro.com.