Information Security News mailing list archives

Hackers cash in on e-commerce bug


From: InfoSec News <isn () c4i org>
Date: Thu, 17 May 2001 21:21:22 -0500 (CDT)

http://www.zdnet.com/zdnn/stories/news/0,4586,2761859,00.html

By Bob Sullivan
MSNBC 
May 17, 2001 3:46 PM PT

In April, a devastating bug was found in shopping cart software called
"PDG" that exposed all customer records on about 4,000 Web sites. The
FBI issued a public warning directed at the software's customers, but
a small e-commerce Web site named SawyerDesign.com didn't notice.

Within days, computer criminals had a field day, racking up thousands
of dollars of charges on victims' cards at gambling sites, buying phone
cards and downloading pricey software. Here's a look at the chaos
caused in people's lives by one simple technology mistake.

"I had a nightmarish situation last month, there were $6,000 in
charges. This month, $2,000. Most at gambling sites, and places like
Firecash.com, cash services," said Hunter Culberson of Tullahoma,
Tenn. "Visa has credited me, but it has been a nightmare. . . . The
bad thing is my wife told me no more Internet purchases from our
house, which is a main vehicle for my shopping. "

The "nightmare" centers around a Kansas City, Mo., sports memorabilia
display company named SawyerDesign.com and e-commerce shopping
software called PDG. In April, PDG Software Inc. revealed that
computer criminals had figured out a way to easily break into its
software and raid customer accounts--the trick was so easy, it
involved discovering only a single URL. The flaw was so severe that
PDG went to the FBI, which issued an alert saying "hackers are
actively exploiting it" and "the vulnerability has already resulted in
compromise and theft of important information, including consumer
data."

But SawyerDesign.com's operators, Regal Plastic Supply, missed the
warning. Within a few days, and up until this weekend, computer
criminals had a field day with the site, raiding its database
liberally. The flaw was fixed after MSNBC.com notified the company.

Assessing blame for the incident is a bit dicey. PDG Software issued a
fix right away. And the company contacted the FBI and sent two e-mails
describing the urgency of the problem to every customer who had
purchased PDG.

But Regal Plastic Supply never received the e-mail because it bought
the software from a reseller. It's also easy to understand how Regal
never noticed the warning on the FBI's National Infrastructure
Protection Center Web site.

And since the company garners only a trickle of transactions from the
sports memorabilia display case site--its main business is real-world
plastic supply--it's not surprising that the firm doesn't have a
full-time system administrator applying patches to the $1,000 shopping
cart software.

That, however, is little comfort to the 100 or so victims of the
Sawyerdesign.com heist, who began seeing charges on their credit
cards last month. Nearly all of them had credit cards riddled
with fraud charges, but none of them had any idea how their card
numbers were stolen until contacted by MSNBC.com this weekend.

"I tried to use my credit card and was told it was over max," John
Hagerty said. "I contacted my bank and found that more than $4,000 had
fraudulently been charged on my credit card. I had to contact these
companies to whom the charges were billed, and had them send credits
to my account. I still have a few to clear up."

'We thought we had bought the best available software'

Brenn McMillan, who works in production at Regal Plastic Supply,
figures his company is also a victim.

Sawyerdesign paid $1,000 for software that was flawed and wasn't
alerted to the problem.

"We thought we had been very on top of (the Web site). Well there was
an update a month ago, the FBI was involved and we weren't told," he
said. "We thought we had bought the best available software. We had no
idea the shopping cart was accessible to every (computer criminal)."

PDG President David Snyder did not exactly point the finger back at
Regal, but he did say his firm did everything it could to publicize
the flaw and the need to install a patch.

"We had never had contact with Sawyerdesign before this, since a
reseller sold them the package," he said. "The best we can do is
publicize it...we told resellers they needed to contact their
customers directly."

The victims aren't responsible for the bad charges, and most are now
well on the way to clearing the purchases off their credit. In some
cases, the card-issuing bank noticed the fraud first and actually
called the victim, then took care of the problems in one simple step.
But others must sign and mail sworn statements for each charge they
choose to contest, a laborious process.

Amy Pisani of Fort Lauderdale, Fla., had run two cards through the
SawyerDesign.com system and both were compromised by computer
criminals. Among the loot taken were a host of telephone cards, a
"significant" purchase at Borders.com and a car stereo. But what
bothers Pisani the most is the hassle.

"They say it takes 60 days to investigate. Meanwhile, I'm still
dealing with affidavits and getting the charges off my card. Frankly,
it's a pain in the butt. And I don't like seeing the charges on my
bills," Pisani said. "I found out about this on May 5 and I'm still
taking care of this, still making phone calls. It's frustrating."

Other victims' stories:

"I first learned of the problem when a merchant (Access Phone) called
me to try to verify that I wanted to set up a long distance phone
account over the Internet. Of course I knew nothing about it. The lady
said that the address listed for the credit card was not the same as
whoever was trying to use it and that sets up a red flag to them.
Thank goodness for that. We had just under $2,000 charged in 2 days
before we caught it," wrote Mark Ainsworth;

"The card was a cash-check card so all the stolen monies, and
$400-plus came out of my account, which of course kicked in my ready
reserve at 15 percent interest...the card has been canceled," wrote
John Calhoun;

"I noticed charges on my card about 5 days after he began his
shopping spree. It is very interesting what this person has been
purchasing (calling card minutes, web site domain names, digital
camera). However, the majority of his purchases are from long distance
phone companies," wrote Perry Chappell;

"Two weeks ago, WACHOVIA notified me via snail mail that there was a
possible fraud alert on my card and I immediately snuffed it and have
received another one. Damage control will soon be under way. Thanks to
you, I can now isolate every transaction from the 27th of June till
present and will screen for any bad charges. Still, charges are so
cryptic...and one cannot tell what state the charges originate or even
some of the actual business names in those charges. I will glean over
everything...you can bet on it," wrote Michael R. Brasch.

But even if all the fraudulent charges are cleared from victims'
accounts, flawed e-commerce software and unapplied software patches
can leave a bad taste in customers' mouths and lingering doubts about
what else was taken in the heist.

"Unfortunately, my credit card company had already contacted me in
reference to this situation," wrote Michael Lerner. "My credit card
number was used to make a lot of fraudulent purchases, fortunately, I
won't be held responsible for those purchases. However, I can't help
but be concerned about my other personal information that was exposed;
so often lately I have heard of people's identities being stolen/used.
I guess at this point all we can do is hope that no other damage has
been done."



ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.