January 10, 2000

An Online Extortion Plot Results in Release of Credit Card Data

By JOHN MARKOFF

SAN FRANCISCO -- A mysterious computer intruder has tried to extort $100,000 from an Internet music retailer after claiming to have copied its collection of more than 300,000 customer credit card files, which could be used by others to charge purchases online or by telephone.

Because the company, CD Universe, has refused to pay blackmail, the anonymous intruder has released some of the credit card files on the Internet. He also claims to have used some other credit card numbers to obtain money for himself.




The electronic shakedown attempt is likely to rekindle consumer concerns about the security of using credit cards for online purchases. And because the e-mail trail indicates the extortionist is somewhere in Eastern Europe -- perhaps Latvia, Bulgaria or Russia -- the case also demonstrates how the Internet can enable electronic outlaws to operate beyond the jurisdiction of United States law enforcement officials.

"The Internet creates a whole new class of criminals," said Elias Levy, chief technology officer of SecurityFocus.com, a computer security firm. On Friday Mr. Levy's company began alerting journalists to the existence of a World Wide Web site that the blackmailer had been using for two weeks to distribute perhaps 25,000 of the stolen card numbers to thousands of other people. That site was shut down early this morning.

"On the Internet you can have criminals coming from countries where we have no extradition treaties," Mr. Levy said. "How do you prosecute these people, or even investigate their crimes?"

This afternoon a Connecticut-based agent for the Federal Bureau of Investigation confirmed that CD Universe was a victim of an extortion attempt and said that the agency was investigating the crime. The agent would not comment further.

CD Universe is an online music store operated by eUniverse Inc., of Wallingford, Conn. An eUniverse executive said that the company had been cooperating with the F.B.I. in an effort to catch the extortionist.

"He definitely has CD Universe data," Brad D. Greenspan, chairman of eUniverse, said this evening. "Whether he hacked the site or got the data in some other way, I'm not sure exactly."

Mr. Greenspan said the company had begun sending e-mail notices to its customers, alerting them to the theft, and was working with credit card companies on a plan to help customers whose card numbers might have been stolen.

How can an Internet thief be pursued if he lives in another country?


A person who identified himself as the blackmailer and called himself Maxim -- "I am 19 and I am from Russia" -- said in an e-mail exchange with a reporter on Sunday that he had found and exploited a security flaw in the software that is used to protect financial information on the CDUniverse.com Web site. The person said he had attacked other e-commerce Web sites by the same method, but did not identify them.

The extortionist said he had sent a fax to CD Universe last month offering to destroy his cache of stolen credit card files if he was paid $100,000. After the company did not respond to his demands, he said, he began placing the credit card files on a Web site on Christmas Day.

The site, in operation until this morning, was called Maxus Credit Card Pipeline. There, with a single mouse click, a visitor could obtain a credit card number, name and address that the site claimed was obtained "directly from the biggest online shop database."

EUniverse, which besides Wallingford has offices in Chicago and San Francisco, operates a variety of Internet commercial services that include CD audio sales, DVD movie sales and online computer games. But with an estimated 300,000 customers, its CD Universe site is small, compared with the leader in online music, CDNow, whose site has some four million visitors a month.

The person identifying himself as Maxim e-mailed the reporter a list of 198 credit cards as proof of what he said was his successful theft of a much larger credit card database. A reporter's calls to several of the people whose credit card information was on this e-mail list -- or was available on the Maxus site -- indicated that at least those credit card numbers were real.

One of those individuals, a woman in Los Altos, Calif., who requested anonymity, confirmed she had been a CD Universe customer, though not recently. When told that her credit card data had been stolen, she said she would notify the authorities.

In a subsequent conversation, she said: "I called the San Francisco office of the F.B.I. and they told me that I should make certain that I had torn up the carbon copies of my credit card receipt. I had to explain to the agent that I had used my card over the Internet."

The Maxus site was shut down early today after a group of computer security experts who had learned of the Web site alerted Lightrealm Inc., an Internet carrier based in Kirkland, Wash. The blackmailer had been using Lightrealm's system to operate his site, apparently without the company's knowledge.

Before the Maxus site was shut down, a traffic counter on the site indicated that several thousand visitors had downloaded more than 25,000 credit card numbers from the system since Dec. 25.

In one of his e-mail messages today, Maxim said that he had been involved in the illegal use of credit cards since 1997. Originally, he wrote, he had tried to create a legal online company that would take payments with a credit card processing system. But then, he said, he found he could subvert ICVerify, a credit card verification software program. The program is sold by Cybercash Inc., an electronic commerce security company based in Reston, Va., whose software is widely used by e-commerce merchants.

"In 1998," he wrote, "I hacked in to a chain of shops and got ICVerify (Cybercash) program with necessary configuration files for transferring money."

He said that with the ICVerify program he had been able to make a charge on a credit card and then give a chargeback refund to a second credit card, a system he said gave him an "almost anonymous" offshore credit card account. He also claimed that he had been able to obtain cash from an automatic teller machine using this account, after performing "tricks" with ICVerify.

CD Universe employs ICVerify on its site, but Mr. Greenspan said that the company was not ready to conclude the blackmailer had manipulated that software to obtain the customer information.

Cybercash said today that it was investigating the claims. Its chairman, Daniel C. Lynch, said that about a year ago the company had found a security flaw in ICVerify, but had created a software "patch" for it and notified its clients. He said he did not know if all clients had installed the patch, though.

Mr. Greenspan said his chief technology officer had told him the company had routinely installed security patches to the program.

Maxim, in one of his e-mail messages today, said that it was more typical for him to sell stolen credit cards on the anonymous Internet "chat" system known as Internet Relay Chat or on a special electronic underground in which stolen credit card numbers are exchanged.

But he said that in the case of CD Universe he had faxed a message that stated, "pay me $100,000 and I'll fix your bugs and forget about your SHOP FOREVER.......or I'll sell your cards and tell about this incident in news."



Copyright 2000 The New York Times Company