Credit-card numbers stolen via known security hole

From...

March 13, 2000
Web posted at: 8:14 a.m. EST (1314 GMT)

by Ann Harrison

(IDG) -- A 2-year-old security hole in Microsoft Corporation's Internet Information Server (IIS) software let a computer cracker download thousands of credit-card numbers from e-commerce sites recently and post them on the Internet.

A patch for that hole has been available for 18 months. But webmasters at small companies say they don't have the resources to keep up with all of the patches needed to keep out malicious hackers, also known as crackers.

	MESSAGE BOARD
Insurgency

"In a lot of companies, you have one system/admin guy who goes around and fixes computers, and you can't keep up to date with all the patches," said Eric Geiler, a principal at Promobility Inc. in Markham, Ontario. The wireless phone seller had 50,000 to 70,000 credit-card numbers downloaded from Web sites it runs.

Geiler said the credit-card numbers, which include his personal credit card, were stolen along with customer names, addresses and phone numbers.

The cracker, who calls himself Curador, has exploited the IIS hole to steal credit-card numbers from several e-commerce sites.

Chris Davis, a partner at Tyger Team Consultants Ltd., an Ottawa-based security firm, said other victims included:

SalesGate.com, owned by Buffalo, N.Y.-based Internet Management Services Inc.

LTA Media LLC in Knoxville, Tenn.

Feelgoodfalls.com, a health site owned by Raleigh Professional Pharmacy in Denver.

Davis said Curador is being pursued by investigators in Canada, the U.S., the U.K. and Thailand, where authorities are looking into a breach at the Shoppingthailand.com site.

MORE COMPUTING INTELLIGENCE

IDG.net home page

Computerworld's home page

Is a new Internet architecture needed?

Computerworld's online subscription center

IDG.net's product reviews page

Reviews & in-depth info at IDG.net

E-BusinessWorld

Year 2000 World

Questions about computers? Let IDG.net's editors help you

Subscribe to IDG.net's free daily newsletter for IT leaders

Search IDG.net in 12 languages

News Radio

Fusion audio primers

Computerworld Minute

Geiler said he delivered evidence of the theft to Royal Canadian Mounted Police investigators ÷ who are still pursuing the case ÷ and he's pressing charges of trespassing, fraud and vandalism.

But Geiler said he's still puzzled as to why Curador targeted Promobility's Web site. "How the hell did he even find us? We are nobody. Why did he pick us?" Geiler wondered.

A Microsoft spokeswoman said the company created a patch for the hole in July 1998 and reissued the warning in July 1999, when it became clear that users weren't installing it.

"Microsoft takes this very seriously, because even after a bulletin is issued, Microsoft looks poorly" if the security gap remains, the spokeswoman said.

Promobility's Geiler said many small e-commerce sites neglect security. "The biggest flaw you can have is to go into business undercapitalized. And one of the biggest traps you can fall into is not to fund your IT security," he said.

Administration report on fighting Internet crime wins broad industry support
March 9, 2000
Net crime does pay for cops
February 24, 2000
Did your server help the cybervandals?
February 15, 2000
The denial-of-service aftermath
February 14, 2000
Classic Hackers Decry Heavy-Handed Upstarts
February 9, 2000

Is a new Internet architecture needed?
(Network World Fusion)
Cyberdefense alarms ring on Capitol Hill
(FCW)
Exodus offers new security services for dot-coms
(IDG.net)
Justice Dept. seeks expanded powers to track hackers
(Computerworld)
Windows PCs become tools for DoS attacks
(IDG.net)
Web sites consider hacker insurance
(PC World)
Asleep at the security wheel?
(FCW)
Users feel aftershocks of Web attacks
(PC World)

Promobility Inc.
Tyger Team Consultants, Ltd.
Internet Management Services Inc.
LTA Media LLC
Feelgoodfalls.com

Note: Pages will open in a new browser window

External sites are not endorsed by CNN Interactive.