[ISN] ID Thieves Turn Sights on Smaller E-Businesses

From: InfoSec News (alerts@private)
Date: Mon Oct 02 2006 - 00:49:50 PDT


http://www.washingtonpost.com/wp-dyn/content/article/2006/09/28/AR2006092800333.html

By Brian Krebs
washingtonpost.com Staff Writer
September 28, 2006

Schuyler Cole needed an accessory for his Palm Treo 600 smartphone, so 
the Haleiwa, Hawaii, resident fired up his Web browser last month and 
ran a Google search.

After scanning the search results, he purchased the inexpensive item -- 
a USB cable used to synchronize the Treo's settings with his personal 
computer -- from Cellhut.com, the first online store displayed in the 
results that looked like it carried the cable. The site featured a 
"Hackersafe" logo indicating that the site's security had been verified 
within the past 24 hours.

Later that day, information from Cole's purchase -- including his name, 
address, credit card and phone numbers, and the date and exact time of 
the transaction -- were posted into an online forum that caters to 
criminals engaged in credit card and identity theft.  Ostensibly, the 
data on Cole was posted as an enticement to other fraudsters lurking on 
the forum who might be interested in buying large numbers of similar 
records.

Other personal data posted into the fraud forum included the personal 
and financial information for Shane Galloway, an 18-year-old freshman at 
Louisiana State University in Baton Rouge. When contacted by 
washingtonpost.com, Galloway said he purchased a wireless phone from 
Cellhut.com shortly after midnight on Sept. 6, just minutes after the 
time stamp on Cole's purchase.

Another individual whose data was found in the online chat channel -- a 
southern California resident who asked that his name not be used -- 
confirmed that he bought wireless accessories from Cellhut.com at 9:15 
a.m. on Sept. 7, the exact time listed in the entry that was posted into 
the online forum along with his credit card data and other personal 
information. Later, he discovered that $6,000 in fraudulent charges were 
made using his credit card.

While public attention has remained fixed on a series of high-profile data 
losses or database breaches at federal government agencies, large 
corporations and universities, experts who study financial fraud say 
hackers increasingly are targeting small, commercial Web sites. In some 
cases, criminals are able to gain real-time access to the sites' 
transaction information, allowing them to steal valid credit card 
numbers and quickly charge large numbers of fraudulent purchases.

Small e-businesses offer fewer total victims, but they often present a 
softer target, either due to flaws in the software merchants use to 
process online orders or an over-reliance on outsourced Web site 
security.

Cole's and Galloway's information was recorded being traded in an online 
chat room by Dan Clements, co-founder of CardCops.com, a fraud 
prevention service that monitors underground chat rooms where criminals 
trade in stolen credit cards and information used to commit identity 
theft. Clements said many smaller online merchants use generic shopping 
cart software that they fail to maintain with the latest software 
security patches.

"Most of these merchants that get hacked do not have updated versions of 
the software that runs their business, they're just trying to sell 
widgets," he said.

Nearly 80 percent of all software vulnerabilities discovered in the 
first six months of 2006 involved Web-based applications produced by 
hundreds of different software vendors, according to a report released 
Monday by Cupertino, Calif.-based security vendor Symantec Corp.

"The people writing these applications often don't know very much about 
Web-based vulnerabilities," said Alfred Huger, a senior director at 
Symantec Security Response. "Many of these Web vulnerabilities are not 
that difficult to discover and are very easy to exploit."

False Sense of Security

Cellhut.com, like many e-commerce Web sites, features the "HackerSafe"  
seal on its homepage proclaiming that the site "is tested and certified 
daily to pass the FBI/SANS Internet Security Test."  ScanAlert Inc., a 
Napa, Calif.-based company that sells the service, scans some 75,000 
online merchants each day for thousands of known Web site flaws.

ScanAlert is one of many companies providing third-party Web site 
security audits to online businesses. Other players in this market 
include Comodo Group Inc. of Jersey City, N.J., which markets its 
HackerGuardian scanning service; Coral Gables, Fla.-based Xenitel and 
its HackerFree seal; and the Verified Safe service from Lansing, 
Mich.-based Periscan.

By and large, the companies offer a range of basic and advanced security 
services that they say will assure Web customers that a site is doing 
everything possible to protect their personal data. But computer 
security experts are quick to question the effectiveness of these 
services.

"We hear from our assessor contacts who investigate (Web site)  
breaches that most of the sites had previously passed vulnerability 
scans," said Avivah Litan, a financial fraud analyst with the Stamford, 
Conn. research firm Gartner Inc.

Hard data on the number of security breaches at small e-commerce 
businesses is hard to come by, often because companies are not required 
to disclose the information publicly, unlike public institutions and 
large corporations where tougher security standards and notification 
requirements are in place.

"Most of these breaches aren't being reported," said Litan. "The media 
has kind of quieted down on this and now only reports on the big data 
thefts. But I'd estimate that only about two percent of all data thefts 
from online merchants get reported."

A washingtonpost.com investigation suggests that third-party security 
seal programs may be more effective at winning the confidence of 
fraud-weary online shoppers than in protecting customer data from online 
theft. Over the course of 10 hours spent monitoring conversations on 
online fraud forums, a washingtonpost.com reporter found conclusive 
evidence of four commercial Web sites whose customer databases had been 
compromised within the past month. None of the businesses was even aware 
of the compromises before being contacted by the reporter.

Credit card records and transaction data posted into the online chat 
room led back to six individuals who each confirmed making purchases at 
camera and computer bargain site Leobarnet.com at the same time as the 
time stamp attached to their records, transactions that spanned from 
Sept. 2 to Sept. 8.

Brooklyn, N.Y.-based LeoBarnet.com owner Edmond Kabaz said his company's 
site passed a series of vulnerability scans earlier this year from 
Comodo, which offers online merchants its HackerGuardian seal and 
vulnerability scanning services starting at $29.95 a month.  Kabaz said 
fewer than 100 customers were affected by the breach, which he said 
occurred as early as March and was the result of a weakness in the 
shared Web server his site was hosted on. As of Oct. 1, Kabaz said 
LeoBarnet.com will be hosted on a dedicated server with a different 
hosting provider, and his site will feature the HackerSafe logo from 
ScanAlert.

washingtonpost.com also found data and transaction information for three 
customers of another HackerSafe client: Batavia, N.Y.-based 
Wonderfulbuys.com, which bills itself as the largest online distributor 
of "As-Seen-On-TV products."

Wonderfulbuys's customer service manager Frank Joseph initially said the 
site was "unhackable" after being contacted by a washingtonpost.com 
reporter. But a subsequent manual review by ScanAlert determined that 
hackers broke into Wonderfulbuys's database through a previously 
undocumented security hole in the site's shopping cart software, which 
the company had custom-made by a third-party software development firm 
based in India.

CardCops.com's Clements said his company has confirmed the compromise of 
more than 500 commercial Web sites over the past three years simply by 
correlating data found in online fraud forums.
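The correlation Clements describes here, and the method used earlier in the article to tie forum-posted records back to Leobarnet.com purchases, is a common-point-of-compromise analysis: records leaked with an exact transaction time are matched against candidate merchants' order logs, and a merchant that explains several leaked records at once is the likely breach point. The script below is an added illustration, not code from the article, CardCops or any merchant named; the merchant names, leaked records and order logs are all constructed, and the one-minute tolerance and two-match threshold are assumed parameters.

```python
"""Common-point-of-compromise correlation (added example, constructed data).

Leaked records seen in a fraud forum carry the exact transaction time but
not the merchant.  Each candidate merchant supplies its own order log.  We
match on (last four card digits, timestamp within a tolerance) and count
how many leaked records each merchant explains; a merchant explaining
several of them is flagged as the probable point of compromise.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample of records scraped from a fraud forum (not real data).
LEAKED = [
    {"name": "A. Customer", "card_last4": "1111", "ts": "2006-09-06 00:07:12"},
    {"name": "B. Customer", "card_last4": "2222", "ts": "2006-09-06 00:03:40"},
    {"name": "C. Customer", "card_last4": "3333", "ts": "2006-09-07 09:15:00"},
    {"name": "D. Customer", "card_last4": "4444", "ts": "2006-09-05 18:20:05"},
]

# Constructed order logs for three hypothetical merchants.
ORDER_LOGS = {
    "cellstore.example": [
        {"card_last4": "1111", "ts": "2006-09-06 00:07:12"},
        {"card_last4": "2222", "ts": "2006-09-06 00:03:40"},
        {"card_last4": "3333", "ts": "2006-09-07 09:15:00"},
    ],
    "bookshop.example": [
        # Same card as leaked record 0 but a different day: not a match.
        {"card_last4": "1111", "ts": "2006-09-03 14:10:00"},
        # Same second as leaked record 0 but a different card: not a match.
        {"card_last4": "5555", "ts": "2006-09-06 00:07:12"},
    ],
    "gadgets.example": [
        # Within tolerance of leaked record 1; a single coincidence only.
        {"card_last4": "2222", "ts": "2006-09-06 00:04:10"},
    ],
}


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def correlate(leaked, order_logs, tolerance=timedelta(minutes=1)):
    """Map merchant -> list of leaked-record indexes its order log explains.

    A leaked record is explained by an order when the card suffix matches
    and the timestamps differ by no more than `tolerance` (clock skew
    between the forum poster's copy and the merchant's log).
    """
    hits = defaultdict(list)
    for i, rec in enumerate(leaked):
        rec_ts = parse_ts(rec["ts"])
        for merchant, orders in order_logs.items():
            for order in orders:
                if (order["card_last4"] == rec["card_last4"]
                        and abs(parse_ts(order["ts"]) - rec_ts) <= tolerance):
                    hits[merchant].append(i)
                    break  # one order per merchant is enough to explain it
    return dict(hits)


def likely_compromised(hits, min_matches=2):
    """Merchants explaining at least `min_matches` distinct leaked records."""
    return sorted(m for m, idx in hits.items() if len(set(idx)) >= min_matches)


def exposure_window(hits, leaked, merchant):
    """Earliest and latest leaked transaction tied to `merchant`, as strings.

    This bounds the period during which the merchant's data was exposed,
    the same way the article reports a span of affected purchase dates.
    """
    stamps = [parse_ts(leaked[i]["ts"]) for i in hits.get(merchant, [])]
    if not stamps:
        return None
    return (min(stamps).strftime(TS_FMT), max(stamps).strftime(TS_FMT))


if __name__ == "__main__":
    hits = correlate(LEAKED, ORDER_LOGS)
    for merchant in likely_compromised(hits):
        print(merchant, "explains", len(set(hits[merchant])), "leaked records;",
              "exposure window", exposure_window(hits, LEAKED, merchant))
    unexplained = [i for i in range(len(LEAKED))
                   if not any(i in idx for idx in hits.values())]
    print("leaked records not tied to any candidate merchant:", unexplained)
```

The threshold matters: `gadgets.example` explains one record inside the tolerance window, which is the kind of coincidence a single match cannot rule out, while `cellstore.example` explains three, and leaked record 3 stays unexplained, pointing at a merchant not yet in the candidate set.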

"Even when you show them conclusive evidence that they've been hacked -- 
data from multiple customers and presented in the same form field 
format -- about 80 percent of the time the merchant will deny it, and 
oftentimes when they do finally figure out they've been hacked they 
accuse us."

Jason Lam, who teaches a course on securing Web sites for the SANS 
Institute, a Bethesda, Md.-based security research and training group, 
estimated that Web site scanning services in most cases only identify 
about 60 percent of a Web site's potential security problems.

"Having one of these scanning services in place is definitely better 
than nothing because a lot of small and medium sized online stores don't 
have the staff in place to make sure their applications are secure," Lam 
said. "That said, a lot of [e-commerce] software is very customized and 
a lot of the problems in Web applications are logic-based, can't easily 
be found by machines, and require manual testing."

The data security problem at Web businesses is big enough that Visa, 
MasterCard and other major credit-card companies this month demanded 
tougher security guidelines for all online merchants, new standards that 
can spell heavy fines if ignored or flouted.

According to a report released this month by Visa, four out of five of 
the top causes of card-related breaches were digital security weaknesses 
common at merchants large and small, including missing or outdated 
software security patches, misconfigured Web servers, and the use of 
vendor-supplied default passwords and settings, all of which violate 
the new payment card industry standards.

Cellhut.com manager Khalid Singh said the company is not sure how the 
data was compromised, and that it is working with ScanAlert to find the 
source of the data breach.

Brett Oliphant, managing director of security services for ScanAlert, 
said his company is still investigating the data breach, but that it 
could find no obvious signs that the hack leveraged a flaw in Cellhut's 
Web site.

"We've identified several other areas where the data might have leaked 
from -- including the payment processing and order fulfillment sides,"  
Oliphant said.

Oliphant said that prior to becoming customers, roughly 75 percent of 
the companies ScanAlert contracts with were vulnerable to some sort of 
Web site flaw that hackers could use to steal sensitive data. Still, he 
said, no amount of Web site scanning will prevent companies from losing 
control of customer data if they fail to secure all of the means by 
which that information is transmitted.

"Even when the Web site itself is secure, there are all kinds of other 
points in the chain that need to be secured."

© 2006 Washingtonpost.Newsweek Interactive


