Information Security News mailing list archives

FBI investigating widespread Web site break-ins by crime groups


From: InfoSec News <isn () C4I ORG>
Date: Thu, 8 Mar 2001 22:25:56 -0600

http://www.computerworld.com/cwi/story/0,1199,NAV47_STO58414,00.html

By DAN VERTON
March 08, 2001

The FBI today disclosed it has launched 40 separate investigations
into alleged hacking incidents by Eastern European organized crime
groups that are believed to have stolen more than 1 million credit
card numbers from e-commerce and online finance Web sites powered by
Windows NT servers.

A spokeswoman for the FBI's National Infrastructure Protection Center
(NIPC) said the break-ins have occurred in 20 U.S. states and are
thought to be part of a systematic effort by crime syndicates in
Russia and Ukraine to break into vulnerable Web servers. Estimated
financial losses since the NIPC issued an initial warning about the
threat in December total as much as hundreds of thousands of dollars,
she said.

But the figure could be much higher, the spokeswoman added, saying
that the NIPC hasn't been able to determine an exact damages amount.
The agency, which is based at FBI headquarters in Washington, today
released a new advisory saying that the hacking activities are
continuing and reiterating a recommendation that systems
administrators should check their NT-based servers to make sure
patches designed to fix several known security holes have been
installed.

To date, the NIPC spokeswoman said, e-commerce sites across the
country have failed to heed the warnings about the holes in Microsoft
Corp.'s operating system software. She described the new advisory as
"a public service announcement" meant to urge companies to bolster the
security of their Web sites by downloading the patches made available
by Microsoft.

"These [organized crime] groups have hit on these sites using known
vulnerabilities for months now, and people are not heeding the
warnings," the spokeswoman said. Microsoft discovered and patched many
of the vulnerabilities in NT as early as 1998. But until companies
take the appropriate steps, she added, the attacks are "not going to
stop."

The crime syndicates are targeting customer data, specifically credit
card information, according to the FBI. In many cases, today's
advisory said, the attacks go on for several months before the company
being hit discovers the intrusion.

After the attackers steal the data from a Web site, they often contact
the victimized company by fax, e-mail or telephone and make a veiled
extortion threat by offering Internet-based security services that
would protect the targeted server from other attackers.

Federal investigators said they also believe that in some instances,
the credit card information is being sold to other organized crime
groups. The NIPC's advisories about the attacks list the
vulnerabilities that are being exploited and provide links to
bulletins issued by Microsoft about the relevant patches.

Chris Rouland, director of the X-Force vulnerability research unit at
Internet Security Systems Inc. in Atlanta, said a lot of malicious
hacking activity is originating in Eastern Europe, including widescale
probing of Web servers. "Anything that gets plugged in [to the
Internet] gets probed," Rouland said. "It's not a question of if, but
when."

The SANS Institute, a Bethesda, Md.-based research organization for
systems administrators and security managers, today released an alert
about the FBI's ongoing investigations that called the hacking
incidents "the largest criminal Internet attack to date."

The alert added that the SANS-affiliated Center for Internet Security
plans "within a day or two" to release a software tool that can be
used to check NT servers for the vulnerabilities and to look for files
found by the FBI on many compromised systems. The center's tools are
usually limited to its members, but SANS said this one will be made
available on a widespread basis "because of the importance of this
problem."

The NIPC wouldn't identify any of the Web sites that have been hit by
attacks. But in December, Creditcards.com -- a Los Angeles-based
company that has since changed its name to iPayment Technologies Inc.
-- confirmed that about 55,000 credit-card numbers had been stolen
from its Web site. More than 25,000 of the numbers were
exposed on the Internet after the company ignored a $100,000 extortion
attempt believed to have come from a Russian hacker.

Earlier this week, Bibliofind.com, an online marketplace for rare and
hard-to-find books that's owned by Amazon.com Inc., disclosed that a
malicious hacker had compromised the security of credit-card data for
about 98,000 users of its Web site. The intrusions began in October
and weren't discovered until last month, according to Waltham,
Mass.-based Bibliofind.

Egghead.com Inc. in Menlo Park, Calif., also was hit by an intrusion
late last year. The online technology retailer's CEO said in January
that an internal investigation showed no customer data had been
compromised. But some Egghead users claimed their credit-card numbers
had in fact been stolen, with one saying her card was debited for a
charge to a fraudulent Web site in Russia.

ISN is hosted by SecurityFocus.com