Undaunted by U.S. government vows to crack down on those who
pilfer credit card numbers from Web sites, a man going by the name
of “Curador” breached SalesGate.com in the latest of a
rash of cracks made by the hacker who claims he is trying to help
companies by illuminating weaknesses in their security systems.
In his latest attempt about a week ago, Curador lifted 2,000
records, including credit card numbers and other personal
information from SalesGate. SalesGate is a New York-based
marketplace “developed to help small and large businesses sell
online in a way that guarantees the protection of the user’s
personal information.” The firm extends this guarantee on its home
page, which may appear as a challenge to the hacker.
SalesGate co-founder Chris Keller confirmed Thursday that the
credit card numbers were lifted and said “a number of agencies,”
including the U.S. Secret Service “are working to catch” the
hacker.
As of Thursday, SalesGate has contacted customers affected by
the breach, cancelling the cards directly with the credit card
companies. It also warned them to beware of unauthorized charges
made.
Curador has also admitted to hacking into promobility.net, shoppingthailand.com and
LTAmedia.com in recent
weeks.
At the time of the shoppingthailand.com breach in which he took
5,000 credit card numbers, Curador held court on a Web site,
thanking Bill Gates for making “SQL servers with default world
readable permissions.”
“Maybe one day people will set up their sites properly before
they start trading because otherwise this won’t be the last page I
post to the NET,” wrote the cracker in a message at his site, which is mirrored
here.
Curador’s e-crackerce.com site, where Curador listed the stolen
card numbers, was recently taken down by the hosting company. Last
week, the counter at the site showed that it had been visited more
than 500 times, raising the question whether Curador had given out
the address in newsgroups or IRC channels devoted to stolen credit
cards.
Larry Hutchenson is the Webmaster for LTAMedia.com, which Curador cracked
around Feb. 3 and stole about 750 credit cards. While Curador’s
claimed at his site to be “the saint of ecommerce,” Hutchenson said
he’s just a crook.
“It would be one thing if the gentleman had sent an e-mail to me
or somebody else saying that ‘you have a security breach in your
area, you can do this’ — I mean the guy used outrageous stuff to
get in,” said Hutchenson. “If he had sent that stuff to me it would
be one thing. If somebody takes information that is stored on the
site, and it has been entrusted on that site and they steal that
information and use it, post it, or whatever, it is stealing.”
Tyger Team Consultants
was the first to notify LTAMedia about the break-in. Tyger’s Chris
Davis, who is investigating Curador’s activities, refuses to
believe that Curador’s actions are benevolent. He said the hacks
were made on systems with IIS and NT servers, which are not known
to provide excellent security. Furthermore, after conducting an
audit, he discovered Curador had installed a “back door” program in
which he could return to manipulate the site in the future.
“They (sites) may be vulnerable due to outside administrators
that doesn’t maybe understand all of the security implications that
come with IIS and NT, which there are several right out of the
box,” said Davis. “Why are you adding to their vulnerabilities
then? They secure their boxes to the best of their ability, this
kid breaks in to show that they’re not secure and he backdoors them
so that he can get back in whenever he wants and no one will know
about? And then he’s using their credit card numbers? It doesn’t
jive.”
In a Feb. 3 interview with InternetNews Radio, Curador said his
hacker name means “custodian” and that his actions come out of
“delusions of grandeur” based on the 1997 film “The Saint” in which
a thief steals jewels, but then helps people.
When asked if he thought he would get caught, Curador, who many
say has not adequately covered his tracks, tried to be
realistic.
“Everybody gets caught sooner or later,” he said. “I don’t think
what I am doing is technically illegal. I am publishing numbers
that are public property on sites — I am not selling them to
people.”
Curador said he is trying to show that a well-known RDS bug on
Microsoft’s (MSFT)
NT servers is easily manipulated to control an entire server.
Experts say RDS may affect as much as 80 percent of those companies
running Windows NT servers.
The electronic assault is also the latest in a rash of hacks
made in the last two months on companies as large as eBay Inc. (EBAY)
and as small as CDuniverse, a Wallingford-based firm who had more
than 300,000 credit card numbers taken by a self-described
18-year-old hacker named “Maxus” last January.
Secret Service officials were trying to link attacks on other
major companies such as Datek,
Amazon.com Amazon.com Inc. (AMZN)
and Yahoo! Inc. (YHOO).
Related Story:
CNET News.com:
Hacker attack latest in string of online credit card thefts
(Mar 03, 2000)