A hacker attack on a New York e-commerce site is the latest in a string of online break-ins in which credit card numbers were stolen and posted to the Web, sources told CNET News.com today.
Since late January, at least eight small e-commerce sites have been hacked exploiting a known security hole in Microsoft software, according to a security investigator and companies and individuals affected by the attacks. The companies were listed on a taunting Web site posted by a hacker named "Curador" claiming credit for the attacks and listing thousands of stolen credit card numbers, sources said. He claims he seized more than 23,000 credit card numbers.
The incidents come amid heightened concern about Web security after other high-profile attacks. In January, several top-tier sites, including Yahoo and eBay, were shut down after being flooded with requests for information in "denial of service" attacks. No customer or company data were stolen in those attacks.
But close to 350,000 credit card numbers were stolen that same month from music site CD Universe and posted online. A hacker going by the name "Maxus" claimed he had the numbers and tried to extort $100,000 from the Web site. The FBI shut down the site where the credit card numbers had been posted.
Executives at wireless phone site Promobility.net and SalesGate.com confirmed the new attacks, as did the company that provided the Web software for LTA Media and Feelgoodfalls.com sites.
A security consultant hired by LTA Media said the first attack targeted a Thai shopping site. Since then, sites in the United States, Canada and the United Kingdom have been hit, said Chris Davis, a Canadian security consultant with Tyger Team who has been retained to investigate the new case.
Law enforcement agencies in several countries are investigating the attack, according to companies who reported the break-ins to Canadian and U.S. officials. Authorities from the U.S. Secret Service, FBI and the Royal Canadian Mounted Police all declined to comment on the case.
The hackers broke in using a security hole in Microsoft's e-commerce Web server software, allowing the download of customer transaction records, several victims said. Curador taunted the victims--and Bill Gates--on his Web site, which was paid for with one of the stolen credit card numbers.
"I would like to thank the nice people at ALL the Sites I Cracked for having left their entire sales database, readable & writeable for any one who bothered to check their site out," Curador wrote on a Web site saved by Davis, who is continuing to investigate the case. "Maybe one day people will set up their sites properly before they start trading because otherwise this won't be the last page I post to the NET," the message read