[ISN] Porn Billing Leak Exposes Buyers

InfoSec News isn at c4i.org
Thu Mar 9 01:33:43 EST 2006


By Quinn Norton
Mar, 08, 2006

Seventeen million customers of the online payment service iBill have
had their personal information released onto the internet, where it's
been bought and sold in a black market made up of fraud artists and
spammers, security experts say.

The stolen data, examined by Wired News, includes names, phone
numbers, addresses, e-mail addresses and internet IP addresses. Other
fields in the compromised databases appear to be logins and passwords,
credit-card types and purchase amounts, but credit-card numbers are
not included.

The breach has broad privacy implications for the victims. Until it
was brought low by legal and financial difficulties, iBill was a top
credit-card processor for adult entertainment websites -- providing
billing services for such outlets as DominaBDSM and Top-Nude.com.

The transactions documented in the database are dated between 1998 and
2003, spanning a period at the height of iBill's success.

The company didn't respond to repeated e-mail and telephone inquires
by Wired News.

Two caches of stolen iBill customer data were discovered separately by
two security companies while conducting routine research into
malicious software online.

Southern California-based Secure Science Corporation found the first
data file containing records on 17 million individuals on a private
website set up by scammers. The site was part of a so-called
"phishing" scheme, in which a spamming fraudster poses as a bank or
online retailer in an attempt to con consumers out of identification
and financial information.

Secure Science found that data in February 2005, and reported it to
the FBI's Miami field office, the company says. The FBI declined

Last month, Sunbelt Software found an additional list of slightly over
1 million individual entries labeled Ibill_1m.txt on a spamming
website. That list appeared to date from 2003.

IBill has a troubled history. Founded in 1997 by executives of a
Florida-based BBS software developer, by 2002 iBill was a big player
in internet billing, processing approximately $400 million in credit
card transactions per year, according to SEC filings. The company took
15 percent off the top in fees. Todd Dugas, a former inside sales
representative for iBill, estimates that pornography made up 85
percent of the business.

But when Atlanta-based InterCept acquired iBill for $120 million in
2002, it immediately encountered problems. New rules from Visa made it
more complicated and costly to process adult website transactions, and
"accounts dropped like flies," says Dugas. Meanwhile MasterCard levied
$5.85 million in fines against iBill for an unusually high volume of
"charge backs" -- consumer-disputed charges -- though InterCept
managed to recoup most of the fine from iBill's previous owners.

In September 2004, iBill lost the contract with its upstream
credit-card processor, First Data, which had grown wary of being
associated with adult content. Website operators relying on iBill for
payments had to wait months for their checks while First Data held the
money in escrow. Roger Jacobs, who followed the story of iBill for
adult industry publications AVN and XBiz, described low morale and a
hemorrhaging of employees during this period.

Lance James of Secure Science and Adam Thomas of Sunbelt Software
speculate that the company's troubles may have left them vulnerable to
information embezzlement: The breach, they say, has all the markings
of an inside job. The files appear to have been generated by exporting
an SQL database into a CSV format -- a procedure that would be
unusually extravagant for a quick, furtive hack attack. Moreover, at
4.5 gigabytes in size, the larger file would have been tough to
download unnoticed over iBill's internet connection.

Thomas speculates that an employee or other insider may have simply
walked out of iBill with the transaction records to sell on the data
black market.

What happened with the records from there is anyone's guess. The 1
million addresses found by Sunbelt Software were being used for
spamming. Sunbelt found the database by tracing malware-infected
computers as they connected to the internet to refresh their list of
spam targets. The target list turned out to be the iBill database,
hosted on a rogue website.

Secure Science's James says the 17 million database entries he found
is prime data for spamming, phishing attacks, pretext phone calls and
even possible hacking of vulnerable computers at the IP addresses

Independently, Wired News found that entries from the smaller cache
are listed as mortgage leads on a spammer community site,
specialham.com. (The website's homepage offered no contact information
and Wired News was unable to reach the registered owner of the domain,
one "Juice Wobble.") This suggests that the database was marketed as a
lead list for outside businesses. "I can attest to the fact that this
goes on with phishing groups," says James. "They break in and steal
leads and then sell those leads to (black market) leads companies, who
resell them to legitimate companies, and sometimes the same companies
they stole them from."

"The fact that a total of 17,781,462 iBill records have been found in
the hands of criminal hackers is quite disturbing, be it an inside job
or the successful work of criminal hackers," says Thomas.

Contacted by Wired News, one of the victims of the breach expressed
dismay that his information was in the hands of criminals. The
41-year-old San Diego man says he allowed a "business partner" to use
his credit card on an adult website dedicated to finding resources in
Tijuana's red light district, with discussion groups and locations of

"Life is difficult enough," says the victim. "It makes the net that
much less secure in my eyes.... I plan to not use any credit card
information on any site."

The man says that neither iBill nor the FBI notified him of the

Because the information didn't include Social Security, credit-card or
driver's-license numbers, no U.S. laws require iBill or the companies
for which they provided billing to warn victims. A year after the FBI
first learned of the larger leak, they have also failed to issue any
public warnings.

In January of last year, iBill was purchased by Interactive Brand
Development for $23.5 million. On Monday, IBD's stock closed at 8
cents a share in over-the-counter trading.

More information about the ISN mailing list