[ISN] Online blackmailer leaks hacked data

From: InfoSec News (isnat_private)
Date: Fri Oct 12 2001 - 05:34:14 PDT

  • Next message: InfoSec News: "Re: [ISN] White House asks companies for help with new government computer network"

    By Greg Sandoval
    Special to ZDNet News 
    October 11, 2001 3:46 PM PT
    An online gift certificate company said a hacker that blackmailed it
    for weeks after pilfering its customer information has apparently
    carried out threats of disclosing the data to its customers.  
    Webcertificate.com customers reported getting an e-mail message that
    included their home and e-mail addresses.
    "I hate to inform you that your account has been hacked," said the
    e-mail, viewed by this reporter, from someone identified as Zilterio.
    Webcertificate, a unit of electronic-payment company Ecount, was
    hacked Aug. 21, a representative said. Shortly afterward, the hacker,
    who also claimed to have stolen credit card numbers of 350,000 of the
    company's customers, contacted Philadelphia-based Ecount and tried to
    extort the company, said Matt Gillin, Ecount's chief executive. The
    caller demanded $45,000 in exchange for not disclosing the
    The company refused to meet the demands, Gillin said.
    After notifying the FBI, Ecount informed customers Aug. 28 that the
    break-in had occurred, and it assured them that their credit card
    information was safe. Because the company stores credit card
    information offline, it would be impossible for the hacker to steal it
    What the hacker thought were credit card numbers were really 16-digit
    serial numbers used to identify gift certificates. Ecount has canceled
    those codes. "There is no financial liability to the company or our
    customers," Gillin said.
    The FBI could not be reached for comment.
    Hackers continue to plague the Internet even as technology companies
    have poured millions of dollars into developing security technology.
    But the costs of fortifying a Web site with the latest security
    technology can be enormous, and often hackers prove to be more than a
    match for the electronic barricades.
    Companies such as Amazon.com-owned book service Bibliofind.com,
    Creditcards.com and Egghead.com, which recently filed for bankruptcy
    protection, have seen their sites broken into and customer
    information--in some cases, credit card information--swiped by
    Executives of Ecount said they anticipated the hacker would e-mail
    customers whose information was stolen. Last week, the company tried
    to pre-empt the hacker when it warned customers to expect a message
    from the hacker and informed them why the company would not agree to
    the hacker's demands.
    In the e-mail to Webcertificate customers from Zilterio, the author
    declares that the security breach was a result of "weak security," an
    apparent attempt to embarrass the company.
    Ecount said the attempt to undermine the company's relationship with
    its customers failed; most customers support the company in its
    fighting against Internet thieves. But some damage may have been done.
    One customer told this reporter that she would no longer use
    "This disturbs me, that this guy has all of my personal information,"
    said Nancy Parker, a frequent Webcertificate customer over the past
    two years who was shocked to see her personal information in the
    e-mail. "What's from keeping it from happening again?"
    Gillin said that immediately after the attacks, the company began
    bolstering the site's security.
    "We're doing all we can to make sure that this never happens again,"
    he said.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Oct 12 2001 - 09:04:16 PDT