By Brian Krebs
washingtonpost.com Staff Writer
September 28, 2006
Schuyler Cole needed an accessory for his Palm Treo 600 smartphone, so
the Haleiwa, Hawaii, resident fired up his Web browser last month and
ran a Google search.
After scanning the search results, he purchased the inexpensive item --
a USB cable used to synchronize the Treo's settings with his personal
computer -- from Cellhut.com, the first online store displayed in the
results that looked like it carried the cable. The site featured a
"HackerSafe" logo indicating that the site's security had been verified
within the past 24 hours.
Later that day, information from Cole's purchase -- including his name,
address, credit card and phone numbers, and the date and exact time of
the transaction -- was posted into an online forum that caters to
criminals engaged in credit card and identity theft. Ostensibly, the
data on Cole was posted as an enticement to other fraudsters lurking on
the forum who might be interested in buying large numbers of similar
Other personal data posted into the fraud forum included the personal
and financial information for Shane Galloway, an 18-year-old freshman at
Louisiana State University in Baton Rouge. When contacted by
washingtonpost.com, Galloway said he purchased a wireless phone from
Cellhut.com shortly after midnight on Sept. 6, just minutes after the
time stamp on Cole's purchase.
Another individual whose data was found in the online chat channel -- a
southern California resident who asked that his name not be used --
confirmed that he bought wireless accessories from Cellhut.com at 9:15
a.m. on Sept. 7, the exact time listed in the entry that was posted into
the online forum along with his credit card data and other personal
information. Later, he discovered that $6,000 in fraudulent charges were
made using his credit card.
While public attention has remained fixed on a series of high-profile data
losses or database breaches at federal government agencies, large
corporations and universities, experts who study financial fraud say
hackers increasingly are targeting small, commercial Web sites. In some
cases, criminals are able to gain real-time access to the sites'
transaction information, allowing them to steal valid credit card
numbers and quickly charge large numbers of fraudulent purchases.
Small e-businesses offer fewer total victims, but they often present a
softer target, either due to flaws in the software merchants use to
process online orders or an over-reliance on outsourced Web site
Cole's and Galloway's information was recorded being traded in an online
chat room by Dan Clements, co-founder of CardCops.com, a fraud
prevention service that monitors underground chat rooms where criminals
trade in stolen credit cards and information used to commit identity
theft. Clements said many smaller online merchants use generic shopping
cart software that they fail to maintain with the latest software
"Most of these merchants that get hacked do not have updated versions of
the software that runs their business, they're just trying to sell
widgets," he said.
Nearly 80 percent of all software vulnerabilities discovered in the
first six months of 2006 involved Web-based applications produced by
hundreds of different software vendors, according to a report released
Monday by Cupertino, Calif.-based security vendor Symantec Corp.
"The people writing these applications often don't know very much about
Web-based vulnerabilities," said Alfred Huger, a senior director at
Symantec Security Response. "Many of these Web vulnerabilities are not
that difficult to discover and are very easy to exploit."
False Sense of
Cellhut.com, like many e-commerce Web sites, features the "HackerSafe"
seal on its homepage proclaiming that the site "is tested and certified
daily to pass the FBI/SANS Internet Security Test." ScanAlert Inc., a
Napa, Calif.-based company that sells the service, scans some 75,000
online merchants each day for thousands of known Web site flaws.
ScanAlert is one of many companies providing third-party Web site
security audits to online businesses. Other players in this market
include Comodo Group Inc. of Jersey City, N.J., which markets its
HackerGuardian scanning service; Coral Gables, Fla.-based Xenitel and
its HackerFree seal; and the Verified Safe service from Lansing,
By and large, the companies offer a range of basic and advanced security
services that they say will assure Web customers that a site is doing
everything possible to protect their personal data. But computer
security experts are quick to question the effectiveness of these
"We hear from our assessor contacts who investigate (Web site)
breaches that most of the sites had previously passed vulnerability
scans," said Avivah Litan, a financial fraud analyst with the Stamford,
Conn. research firm Gartner Inc.
Hard data on the number of security breaches at small e-commerce
businesses is hard to come by, often because companies are not required
to disclose the information publicly, unlike public institutions and
large corporations where tougher security standards and notification
requirements are in place.
"Most of these breaches aren't being reported," said Litan. "The media
has kind of quieted down on this and now only reports on the big data
thefts. But I'd estimate that only about two percent of all data thefts
from online merchants get reported."
A washingtonpost.com investigation suggests that third-party security
seal programs may be more effective at winning the confidence of
fraud-weary online shoppers than in protecting customer data from online
theft. Over the course of 10 hours spent monitoring conversations on
online fraud forums, a washingtonpost.com reporter found conclusive
evidence of four commercial Web sites whose customer databases had been
compromised within the past month. None of the businesses was even aware
of the compromises before being contacted by the reporter.
Credit card records and transaction data posted into the online chat
room led back to six individuals who each confirmed making purchases at
camera and computer bargain site Leobarnet.com at the same time as the
time stamp attached to their records, transactions that spanned from
Sept. 2 to Sept. 8.
Brooklyn, N.Y.-based LeoBarnet.com owner Edmond Kabaz said his company's
site passed a series of vulnerability scans earlier this year from
Comodo, which offers online merchants its HackerGuardian seal and
vulnerability scanning services starting at $29.95 a month. Kabaz said
fewer than 100 customers were affected by the breach, which he said
occurred as early as March and was the result of a weakness in the
shared Web server his site was hosted on. As of Oct. 1, Kabaz said
LeoBarnet.com will be hosted on a dedicated server with a different
hosting provider, and his site will feature the HackerSafe logo from
washingtonpost.com also found data and transaction information for three
customers of another HackerSafe client: Batavia, N.Y.-based
Wonderfulbuys.com, which bills itself as the largest online distributor
of "As-Seen-On-TV products."
Wonderfulbuys's customer service manager Frank Joseph initially said the
site was "unhackable" after being contacted by a washingtonpost.com
reporter. But a subsequent manual review by ScanAlert determined that
hackers broke into Wonderfulbuys's database through a previously
undocumented security hole in the site's shopping cart software, which
the company had custom-made by a third-party software development firm
based in India.
CardCops.com's Clements said his company has confirmed the compromise of
more than 500 commercial Web sites over the past three years simply by
correlating data found in online fraud forums.
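The correlation Clements describes, as an added worked example (this is not the article's or CardCops' code): each record traded in the forum carries a card number and the exact purchase time, so matching those fields against the order histories of candidate merchants points at the one store every victim has in common. The forum records, merchant order logs and timing tolerance below are constructed sample data; the card numbers are publicly known test numbers and the merchant names are placeholders.

```python
"""Common-point-of-compromise correlation over fraud-forum records.

Added example, not tooling from the article or from CardCops.  All input
data here is constructed: the forum records, the two merchants' order logs
and the card numbers (industry test numbers, not real accounts).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: records as they might be parsed out of a fraud-forum post.
# One deliberately bogus card number is included to show the filtering.
FORUM_RECORDS = [
    {"name": "S. Cole",     "card": "4111111111111111", "ts": "2006-09-06 00:07:00"},
    {"name": "S. Galloway", "card": "4222222222222",    "ts": "2006-09-06 00:12:00"},
    {"name": "Anon CA",     "card": "5555555555554444", "ts": "2006-09-07 09:15:00"},
    {"name": "J. Doe",      "card": "378282246310005",  "ts": "2006-09-04 18:30:00"},
    {"name": "Junk",        "card": "1234567812345678", "ts": "2006-09-05 11:00:00"},
]

# Constructed: order logs obtained from the merchants under investigation,
# as (card number, order timestamp).  The Cole card also appears at the
# second merchant, but on a different day, so it must not match there.
MERCHANT_ORDERS = {
    "cellhut.example": [
        ("4111111111111111", "2006-09-06 00:07:00"),
        ("4222222222222",    "2006-09-06 00:12:00"),
        ("5555555555554444", "2006-09-07 09:15:00"),
    ],
    "otherstore.example": [
        ("4111111111111111", "2006-08-20 13:00:00"),
        ("378282246310005",  "2006-09-04 18:30:00"),
    ],
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum: drops obviously fabricated numbers from a dump."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(forum_records, merchant_orders, tolerance=timedelta(minutes=2)):
    """Map each merchant to the forum records whose card AND purchase time
    line up with one of that merchant's orders (within `tolerance`)."""
    hits = defaultdict(list)
    for rec in forum_records:
        if not luhn_ok(rec["card"]):
            continue
        rec_ts = parse_ts(rec["ts"])
        for merchant, orders in merchant_orders.items():
            for card, ts in orders:
                if card == rec["card"] and abs(parse_ts(ts) - rec_ts) <= tolerance:
                    hits[merchant].append(rec["name"])
                    break               # one matching order per record is enough
    return dict(hits)


def common_point(hits, min_hits=3):
    """Merchants with enough independent matches to call a compromise;
    a single coincidental match (J. Doe above) is not evidence."""
    return sorted(m for m, names in hits.items() if len(names) >= min_hits)


if __name__ == "__main__":
    hits = correlate(FORUM_RECORDS, MERCHANT_ORDERS)
    for merchant, names in hits.items():
        print(f"{merchant}: {len(names)} matching record(s) -> {names}")
    print("likely compromised:", common_point(hits))
```

The time tolerance is deliberately tight: the article's victims each confirmed a purchase at the exact time stamp in the forum record, so a loose window would only add false matches. The `min_hits` threshold is the investigator's call; the point is that one matching card at a merchant proves nothing, while several unrelated customers all matching the same store does.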
"Even when you show them conclusive evidence that they've been hacked --
data from multiple customers and presented in the same form field
format, about 80 percent of the time the merchant will deny it, and
oftentimes when they do finally figure out they've been hacked they
Jason Lam, who teaches a course on securing Web sites for the SANS
Institute, a Bethesda, Md.-based security research and training group,
estimated that Web site scanning services in most cases only identify
about 60 percent of a Web site's potential security problems.
"Having one of these scanning services in place is definitely better
than nothing because a lot of small and medium sized online stores don't
have the staff in place to make sure their applications are secure," Lam
said. "That said, a lot of [e-commerce] software is very customized and
a lot of the problems in Web applications are logic-based, can't easily
be found by machines, and require manual testing."
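The kind of logic flaw Lam is describing, as an added example (not code from the article or from any merchant it names): an order-lookup handler that confirms a visitor is logged in but never asks whether the order belongs to them. The orders table, session objects and handler signatures are all constructed for illustration. A scanner requesting the order page sees a well-formed 200 response with no error string and no reflected payload, so it has nothing to report; the flaw only appears when a tester changes the ID and checks whose data comes back.

```python
"""A business-logic flaw that a vulnerability scanner will not report.

Added example; not code from the article or from any of the merchants it
discusses.  ORDERS, the session dicts and the handler signatures are all
constructed stand-ins for an e-commerce back end.
"""

# Constructed order store: the kind of customer record the article
# describes being traded in fraud forums.
ORDERS = {
    1001: {"customer": "alice", "card_last4": "1111", "city": "Haleiwa"},
    1002: {"customer": "bob",   "card_last4": "4444", "city": "Baton Rouge"},
    1003: {"customer": "alice", "card_last4": "1111", "city": "Haleiwa"},
}


class NotFound(Exception):
    pass


def lookup_order_vulnerable(session: dict, order_id: int) -> dict:
    """Authentication only: anyone logged in can read any order."""
    if "user" not in session:
        raise PermissionError("login required")
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id) from None


def lookup_order_fixed(session: dict, order_id: int) -> dict:
    """Same lookup with an ownership check.  A missing order and someone
    else's order produce the same error, so the handler also does not
    tell an attacker which order IDs exist."""
    if "user" not in session:
        raise PermissionError("login required")
    order = ORDERS.get(order_id)
    if order is None or order["customer"] != session["user"]:
        raise NotFound(order_id)
    return order


def harvest(session: dict, handler, id_range) -> list:
    """What one ordinary customer account can collect by walking order IDs
    through `handler`: (order id, victim, card last four) for every record
    that is not the caller's own."""
    stolen = []
    for oid in id_range:
        try:
            rec = handler(session, oid)
        except (NotFound, PermissionError):
            continue
        if rec["customer"] != session["user"]:
            stolen.append((oid, rec["customer"], rec["card_last4"]))
    return stolen


if __name__ == "__main__":
    bob = {"user": "bob"}
    print("vulnerable handler:", harvest(bob, lookup_order_vulnerable, range(1000, 1010)))
    print("fixed handler:     ", harvest(bob, lookup_order_fixed, range(1000, 1010)))
```

Nothing in the vulnerable handler matches a scanner signature: no injection, no missing patch, no default password. The check a manual tester performs is the one in `lookup_order_fixed`, comparing the record's owner with the authenticated user, and it has to be written into the application by whoever built the cart.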
The data security problem at Web businesses is big enough that Visa,
MasterCard and other major credit-card companies this month demanded
tougher security guidelines for all online merchants, new standards that
can spell heavy fines if ignored or flouted.
According to a report released this month by Visa, four out of five of
the top causes of card-related breaches were digital security weaknesses
common at merchants large and small, including missing or outdated
software security patches, misconfigured Web servers, and the use of
vendor-supplied default passwords and settings, all of which are a
violation of new payment card industry standards.
Cellhut.com manager Khalid Singh said the company is not sure how the
data was compromised, and that it is working with ScanAlert to find the
source of the data breach.
Brett Oliphant, managing director of security services for ScanAlert,
said his company is still investigating the data breach, but that it
could find no obvious signs that the hack leveraged a flaw in Cellhut's
"We've identified several other areas where the data might have leaked
from -- including the payment processing and order fulfillment sides,"
Oliphant said that prior to becoming customers, roughly 75 percent of
the companies ScanAlert contracts with were vulnerable to some sort of
Web site flaw that hackers could use to steal sensitive data. Still, he
said, no amount of Web site scanning will prevent companies from losing
control of customer data if they fail to secure all of the means by
which that information is transmitted.
"Even when the Web site itself is secure, there are all kinds of other
points in the chain that need to be secured."
© 2006 Washingtonpost.Newsweek Interactive