[ISN] Porn Biller Says It Was Framed

InfoSec News isn at c4i.org
Fri Mar 10 01:19:09 EST 2006


By Quinn Norton
Mar, 09, 2006 

Online payment company iBill on Thursday said a massive cache of
stolen consumer data uncovered by security experts did not come from
its database.

"I'm the first person that would have taken this to the FBI and the
first person to have gone on 60 Minutes to say 'we screwed up,' if
that were the case," said iBill President Gary Spaniak Jr.

Two caches of stolen data were discovered separately by two security
companies while conducting routine research into malicious software
online. Both had file names that purportedly linked them to iBill.

Southern California-based Secure Science Corporation found the first
data file containing records on 17 million individuals on a private
website set up by scammers. The site was part of a so-called
"phishing" scheme, in which a spamming fraudster poses as a bank or
online retailer in an attempt to con consumers out of identification
and financial information.

Secure Science found that data in February 2005, and reported it to
the FBI's Miami field office, the company says. An additional list of
slightly over 1 million individual entries was uncovered on a spamming
website by Sunbelt Software last month, where it was labeled
Ibill_1m.txt. That list appeared to date from 2003.

The databases, examined by Wired News, include names, phone numbers,
addresses, e-mail addresses and internet IP addresses of customers
making online purchases. Other fields in the compromised databases
appear to be logins and passwords, credit-card types and purchase
amounts, but credit-card numbers are not included.

But Spaniak says iBill cross referenced the 17 million transaction
database against its own on Wednesday, and that only three e-mail
addresses matched between the two.

Additionally, some entries in the stolen databases were identified as
purchases on Diner's Club cards, which iBill says it has never
accepted in its nine year history. Spaniak says iBill recently passed
a security audit that found its databases well secured.

SunBelt Software couldn't immediately be reached for comment Thursday.  
But Secure Science's Lance James backed away from his conclusion that
iBill, which processes most of its transactions on behalf of adult
services, was the source of the leak. He says pornography transaction
databases may be considered especially desirable to spammers, and that
a criminal may have deliberately mislabeled a database taken from
another source "This might be part of a new hacker establishing their
reputation," says James. "They could say, 'I hacked iBill.'"

Wired News found that entries from the smaller cache of one million
consumers are listed as mortgage leads on a spammer community site,
specialham.com. A Google search turns up scores of offers on
specialham.com for purported iBill databases, one of them advertising
"20mill ibill list w/Full data from 2003" for $300. But in one
message, a spammer slams an underground vendor for selling him a fake
iBill list.

Other offers on the site purport to sell data from competing internet
billing firm CCBill, which says that it isn't aware of having been
breached either.

Spaniak has his own theory on why a data thief might falsely link a
database to iBill. He believes it's an outgrowth of animosity in the
adult website community dating from the time when the trouble-plagued
company was forced to suspend payments to its webmaster customers.

He says as long as iBill stays in business, it will try to repay those
webmasters. "Over $20 million has been paid back, we have plans for
paying back another $18 million."

James says the actual source of the stolen data remains a mystery. An
FBI spokeswoman says the bureau wouldn't investigate the breach unless
the source of the leak comes forward to make a complaint.

More information about the ISN mailing list