Since late January, at least eight small e-commerce sites have been hacked through a known security hole in Microsoft software, according to a security investigator and companies and individuals affected by the attacks. The companies were listed on a taunting Web site posted by a hacker named "Curador" claiming credit for the attacks and listing thousands of stolen credit card numbers, sources said. He claims he seized more than 23,000 credit card numbers.
The incidents come amid heightened concern about Web security after other high-profile attacks. In January, several top-tier sites, including Yahoo and eBay, were shut down after being flooded with requests for information in "denial of service" attacks. No customer or company data were stolen in those attacks.
But close to 350,000 credit card numbers were stolen that same month from music site CD Universe and posted online. A hacker going by the name "Maxus" claimed he had the numbers and tried to extort $100,000 from the Web site. The FBI shut down the site where the credit card numbers had been posted.
Executives at wireless phone site Promobility.net and SalesGate.com confirmed the new attacks, as did the company that provided the Web software for LTA Media and Feelgoodfalls.com sites.
A security consultant hired by LTA Media said the first attack targeted a Thai shopping site. Since then, sites in the United States, Canada and the United Kingdom have been hit, said Chris Davis, a Canadian security consultant with Tyger Team who has been retained to investigate the new case.
Law enforcement agencies in several countries are investigating the attack, according to companies that reported the break-ins to Canadian and U.S. officials. Authorities from the U.S. Secret Service, FBI and the Royal Canadian Mounted Police all declined to comment on the case.
The hackers broke in using a security hole in Microsoft's e-commerce Web server software, allowing the download of customer transaction records, several victims said. Curador taunted the victims--and Bill Gates--on his Web site, which was paid for with one of the stolen credit card numbers.
"I would like to thank the nice people at ALL the Sites I Cracked for having left their entire sales database, readable & writeable for any one who bothered to check their site out," Curador wrote on a Web site saved by Davis, who is continuing to investigate the case. "Maybe one day people will set up their sites properly before they start trading because otherwise this won't be the last page I post to the NET," the message read.
"Also Greetz to my friend Bill Gates, I think that any guy who sells Products Like SQL Server, with default world readable permissions can't be all BAD," the message read.
A Microsoft spokeswoman said the company created a patch for the hole in mid-1998 but noticed that customers weren't using it. It has issued additional warnings since then.
"We're still trying to make customers aware that there is a patch," a Microsoft spokesperson said today.
One company that was hacked said it didn't know about the hole until after the attack. The attack on SalesGate was first reported by CNET News.com.
"We're not blaming Microsoft, but that was the point of entry," said Chris Keller, founder of SalesGate, adding that his firm would now switch to a system using competing Linux-based software. The company had not yet determined whether any of the patches available from Microsoft would have prevented the intrusion, he said.
SalesGate, owned by Buffalo, N.Y.-based Internet Management Services, notified customers yesterday that their credit card numbers had been stolen and canceled.
"We have also been working closely with the Secret Service in the United States to catch the hacker responsible for breaking into our system," the email read. "His previous attacks have been making headlines across the world."
At one point, Curador apparently used a stolen credit card to register his own domain name--"e-crackerce.com," a play on e-commerce.com--and moved his site to an independent Web hosting company in California. The owner of that stolen credit card, a postal worker in Jacksonville, Fla., said she was surprised to learn this week that her card had been used to register a domain name that was then hosting a list of stolen credit card numbers and the names of the eight Web sites.
"I didn't believe it, but I looked it up, and said 'Son of a biscuit eater, there it is,' " Stacy Yaple said.
The Web hosting company took down the site late Tuesday after being notified of its contents.
Company representatives said their sites were attacked via Microsoft's Internet Information Server software, through a hole known to security consultants as the RDS, or remote data service, flaw, which allows hackers to download transaction records to their own machines.
Davis speculated that the hacker used an automated program of his own creation to scan the Web for commerce sites that had the security hole open.
"He's better than some, but not great," Davis said. The intruder did leave some evidence of his identity behind, he and other victims said.
Curador promised in his error-filled Web message that he'd be back: "I have been on vacation so to speek so I would like to apologise to all the sites who had to waite for me to crack them sorry and I will try and keep it 24/7 from now on. =)"