BreachExchange mailing list archives

iBill loses 17M customer records


From: dano <dano () well com>
Date: Wed, 8 Mar 2006 20:22:29 -0800

<http://www.wired.com/news/technology/0,70356-0.html?tw=wn_index_1>

Porn Billing Leak Exposes Buyers

By Quinn Norton
14:15 PM Mar, 08, 2006 EST

Seventeen million customers of the online payment service iBill have 
had their personal information released onto the internet, where it's 
been bought and sold in a black market made up of fraud artists and 
spammers, security experts say.

The stolen data, examined by Wired News, includes names, phone 
numbers, addresses, e-mail addresses and internet IP addresses. Other 
fields in the compromised databases appear to be logins and 
passwords, credit card types and purchase amounts, but credit card 
numbers are not included.

The breach has broad privacy implications for the victims. Until it 
was brought low by legal and financial difficulties, iBill was a top 
credit card processor for adult entertainment websites -- providing 
billing services for such outlets as DominaBDSM and Top-Nude.com.

The transactions documented in the database are dated between 1998 
and 2003, spanning a period at the height of iBill's success.

The company didn't respond to repeated e-mail and telephone inquiries 
by Wired News.

Two caches of stolen iBill customer data were discovered separately 
by two security companies while conducting routine research into 
malicious software online.

Southern California-based Secure Science Corporation found the first 
data file containing records on 17 million individuals on a private 
website set up by scammers. The site was part of a so-called 
"phishing" scheme, in which a spamming fraudster poses as a bank or 
online retailer in an attempt to con consumers out of identification 
and financial information.

Secure Science found that data in February 2005, and reported it to 
the FBI's Miami field office, the company says. The FBI declined 
comment.

Last month, Sunbelt Software found an additional list of slightly 
over 1 million individual entries labeled Ibill_1m.txt on a spamming 
website. That list also appeared to date from 2003.

IBill has a troubled history. Founded in 1997 by executives of a 
Florida-based BBS software developer, by 2002 iBill was a big player 
in internet billing, processing approximately $400 million in credit 
card transactions per year, according to SEC filings. The company 
took 15 percent off the top in fees. Todd Dugas, a former inside 
sales representative for iBill, estimates that pornography made up 85 
percent of the business.

But when Atlanta-based InterCept acquired iBill for $120 million in 
2002, it immediately encountered problems. New rules from Visa made 
it more complicated and costly to process adult website transactions, 
and "accounts dropped like flies," says Dugas. Meanwhile MasterCard 
levied $5.85 million in fines against iBill for an unusually high 
volume of "charge backs" -- consumer-disputed charges -- though 
InterCept managed to recoup most of the fine from iBill's previous 
owners.

In September 2004, iBill lost the contract with its upstream credit 
card processor, First Data, which had grown wary of being associated 
with adult content. Website operators relying on iBill for payments 
had to wait months for their checks while First Data held the money 
in escrow. Roger Jacobs, who followed the story of iBill for adult 
industry publications AVN and XBiz, described low morale and a 
hemorrhaging of employees during this period.

Lance James of Secure Science and Adam Thomas of Sunbelt Software 
speculate that the company's troubles may have left them vulnerable 
to information embezzlement: The breach, they say, has all the 
markings of an inside job. The files appear to have been generated by 
exporting an SQL database into a CSV format -- a procedure that would 
be unusually extravagant for a quick, furtive hack-attack. Moreover, 
at 4.5 gigabytes in size, the larger file would have been tough to 
download unnoticed over iBill's internet connection.

Thomas speculates that an employee or other insider may have simply 
walked out of iBill with the transaction records to sell on the data 
black market.

What happened with the records from there is anyone's guess. The 1 
million addresses found by Sunbelt Software were being used for 
spamming. Sunbelt found the database by tracing malware-infected 
computers as they connected to the internet to refresh their list of 
spam targets. The target list turned out to be the iBill database, 
hosted on a rogue website.

Secure Science's James says the 17 million database entries he found 
are prime data for spamming, phishing attacks, pretext phone calls, 
and even possible hacking of vulnerable computers at the IP addresses 
listed.

Independently, Wired News found that entries from the smaller cache 
are listed as mortgage leads on a spammer community site, 
specialham.com. (The website's homepage offered no contact 
information and Wired News was unable to reach the registered owner 
of the domain, one "Juice Wobble.") This suggests that the database 
was marketed as a lead list for outside businesses. "I can attest to 
the fact that this goes on with phishing groups," says James. "They 
break in and steal leads and then sell those leads to (black market) 
leads companies, who resell them to legitimate companies, and 
sometimes the same companies they stole them from."

"The fact that a total of 17,781,462 iBill records have been found in 
the hands of criminal hackers is quite disturbing, be it an inside 
job or the successful work of criminal hackers," says Thomas.

Contacted by Wired News, one of the victims of the breach expressed 
dismay that his information was in the hands of criminals. The 
41-year-old San Diego man says he allowed a "business partner" to use 
his credit card on an adult website dedicated to finding resources in 
Tijuana's red light district, with discussion groups and locations of 
prostitutes.

"Life is difficult enough," says the victim. "It makes the net that 
much less secure in my eyes... I plan to not use any credit card 
information on any site."

The man says that neither iBill nor the FBI notified him of the breach.

Because the information didn't include Social Security, credit card 
or driver's license numbers, no U.S. laws require iBill or the 
companies for which they provided billing to warn victims. A year 
after the FBI first learned of the larger leak, they have also failed 
to issue any public warnings.

In January of last year, iBill was purchased by Interactive Brand 
Development for $23.5 million. On Monday, IBC's stock closed at 8 
cents a share in over-the-counter trading.
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/errata/dataloss/

