[ISN] Hackers cash in on e-commerce bug

From: InfoSec News (isnat_private)
Date: Thu May 17 2001 - 19:21:22 PDT


    By Bob Sullivan
    May 17, 2001 3:46 PM PT
    In April, a devastating bug was found in shopping cart software called
    "PDG" that exposed all customer records on about 4,000 Web sites. The
    FBI issued a public warning directed at the software's customers, but
    a small e-commerce Web site named SawyerDesign.com didn't notice.
    Within days, computer criminals had a field day, racking up thousands
    of dollars of charges on victims' cards at gambling sites, buying phone
    cards and downloading pricey software. Here's a look at the chaos
    caused in people's lives by one simple technology mistake.
    "I had a nightmarish situation last month, there were $6,000 in
    charges. This month, $2,000. Most at gambling sites, and places like
    Firecash.com, cash services," said Hunter Culberson of Tullahoma,
    Tenn. "Visa has credited me, but it has been a nightmare. . . . The
    bad thing is my wife told me no more Internet purchases from our
    house, which is a main vehicle for my shopping."
    The "nightmare" centers around a Kansas City, Mo., sports memorabilia
    display company named SawyerDesign.com and e-commerce shopping
    software called PDG. In April, PDG Software Inc. revealed that
    computer criminals had figured out a way to easily break into its
    software and raid customer accounts--the trick was so easy, it
    involved discovering only a single URL. The flaw was so severe that
    PDG went to the FBI, which issued an alert saying "hackers are
    actively exploiting it" and "the vulnerability has already resulted in
    compromise and theft of important information, including consumer
    But SawyerDesign.com's operators, Regal Plastic Supply, missed the
    warning. Within a few days, and up until this weekend, computer
    criminals had a field day with the site, raiding its database
    liberally. The flaw was fixed after MSNBC.com notified the company.
    Assessing blame for the incident is a bit dicey. PDG Software issued a
    fix right away. And the company contacted the FBI and sent two e-mails
    describing the urgency of the problem to every customer who had
    purchased PDG.
    But Regal Plastic Supply never received the e-mail because it bought
    the software from a reseller. It's also easy to understand how Regal
    never noticed the warning on the FBI's National Infrastructure
    Protection Center Web site.
    And since the company garners only a trickle of transactions from the
    sports memorabilia display case site--its main business is real-world
    plastic supply--it's not surprising that the firm doesn't have a
    full-time system administrator applying patches to the $1,000 shopping
    cart software.
    That, however, is little comfort to the 100 or so victims of the
    Sawyerdesign.com heist, who started seeing charges on their credit
    cards last month. Nearly all of them had credit cards riddled
    with fraud charges, but none of them had any idea how their card
    numbers were stolen until contacted by MSNBC.com this weekend.
    "I tried to use my credit card and was told it was over max," John
    Hagerty said. "I contacted my bank and found that more than $4,000 had
    fraudulently been charged on my credit card. I had to contact these
    companies to whom the charges were billed, and had them send credits
    to my account. I still have a few to clear up."
    'We thought we had bought the best available software'
    Brenn McMillan, who works in production at Regal Plastic Supply,
    figures his company is also a victim.
    Sawyerdesign paid $1,000 for software that was flawed and wasn't
    alerted to the problem.
    "We thought we had been very on top of (the Web site). Well there was
    an update a month ago, the FBI was involved and we weren't told," he
    said. "We thought we had bought the best available software. We had no
    idea the shopping cart was accessible to every (computer criminal)."
    PDG President David Snyder did not exactly point the finger back at
    Regal, but he did say his firm did everything it could to publicize
    the flaw and the need to install a patch.
    "We had never had contact with Sawyerdesign before this, since a
    reseller sold them the package," he said. "The best we can do is
    publicize it...we told resellers they needed to contact their
    customers directly."
    The victims aren't responsible for the bad charges, and most are now
    well on the way to clearing the purchases off their credit. In some
    cases, the card-issuing bank noticed the fraud first and actually
    called the victim, then took care of the problems in one simple step.
    But others must sign and mail sworn statements for each charge they
    choose to contest, a laborious process.
    Amy Pisani of Ft. Lauderdale, Flor., had run two cards through the
    SawyerDesign.com system and both were compromised by computer
    criminals. Among the loot taken were a host of telephone cards, a
    "significant" purchase at Borders.com and a car stereo. But what
    bothers Pisani the most is the hassle.
    "They say it takes 60 days to investigate. Meanwhile, I'm still
    dealing with affidavits and getting the charges off my card. Frankly,
    it's a pain in the butt. And I don't like seeing the charges on my
    bills," Pisani said. "I found out about this on May 5 and I'm still
    taking care of this, still making phone calls. It's frustrating."
    Other victims' stories:
    "I first learned of the problem when a merchant (Access Phone) called
    me to try to verify that I wanted to set up a long distance phone
    account over the Internet. Of course I knew nothing about it. The lady
    said that the address listed for the credit card was not the same as
    whoever was trying to use it and that sets up a red flag to them.
    Thank goodness for that. We had just under $2,000 charged in 2 days
    before we caught it," wrote Mark Ainsworth;
    "The card was a cash-check card so all the stolen monies, and
    $400-plus came out of my account, which of course kicked in my ready
    reserve at 15 percent interest...the card has been canceled," wrote
    John Calhoun; "I noticed charges on my card about 5 days after he
    began his shopping spree. It is very interesting what this person has
    been purchasing (calling card minutes, web site domain names, digital
    camera). However, the majority of his purchases are from long distance
    phone companies," wrote Perry Chappell;
    "Two weeks ago, WACHOVIA notified me via snail mail that there was a
    possible fraud alert on my card and I immediately snuffed it and have
    received another one. Damage control will soon be under way. Thanks to
    you, I can now isolate every transaction from the 27th of June till
    present and will screen for any bad charges. Still, charges are so
    cryptic...and one cannot tell what state the charges originate or even
    some of the actual business names in those charges. I will glean over
    everything...you can bet on it," wrote Michael R. Brasch.
    But even if all the fraudulent charges are cleared from victims'
    accounts, flawed e-commerce software and unapplied software patches
    can leave a bad taste in customers' mouths and lingering doubts about
    what else was taken in the heist.
    "Unfortunately, my credit card company had already contacted me in
    reference to this situation," wrote Michael Lerner. "My credit card
    number was used to make a lot of fraudulent purchases, fortunately, I
    won't be held responsible for those purchases. However, I can't help
    but be concerned about my other personal information that was exposed;
    so often lately I have heard of people's identities being stolen/used.
    I guess at this point all we can do is hope that no other damage has
    been done."
    ISN is hosted by SecurityFocus.com

    This archive was generated by hypermail 2b30 : Fri May 18 2001 - 02:28:12 PDT