The Federal Bureau of Investigation (FBI) announced Friday that two Welsh teenagers have been arrested for allegedly hacking into 11 e-commerce sites and stealing information on more than 26,000 credit card accounts. Losses in the case could exceed $3 million (US$).
Raphael Gray, 18, and another unnamed teenager are being charged under the United Kingdom’s 1990 Computer Misuse Act and may also face charges in the United States. The British Broadcasting Corporation (BBC) is reporting that the two have been released on bail and are scheduled to “return to an undisclosed police station at an undisclosed date.”
In an interview with the E-Commerce Times, security expert Chris Davis, who worked on the investigation with the consulting firm TygerTeam, said the pair exploited two breaches to break into the systems. Davis said the first allowed them to locate security holes and the second allowed them to access data on supposedly secure servers. At least part of the problem was attributed to a flaw in Microsoft’s e-commerce Web server software.
Hackers Hit World Wide
Gray and the unnamed teen, acting under the screen name Curador, are accused of breaking into sites in Britain, the United States, Canada, Japan, and Thailand. The hacker attacks apparently began in January and targeted smaller e-commerce sites such as Feelgoodfalls.com, LTAMedia.com, and Promotobility.net. The hackers reportedly posted at least 1,000 of the stolen credit card numbers online and used them to charge — among other things — the registration of their domain name.
The duo was tracked down by an international task force that included the Welsh police, the FBI, the Royal Canadian Mounted Police and Internet security consultants. The FBI said the international banking and credit card industry also helped solve the case.
Hackers Needle Gates
Even Microsoft founder Bill Gates was not immune to the hacker attack. The Telegraph reported Sunday that the hackers e-mailed Gates’ credit card details to NBCi, a subsidiary of NBC.
In a message on their Web site, which has since been taken down, Curador said “Greetz to my friend Bill Gates, I think that any guy who sells Products Like SQL Server, with default world readable permissions can’t be all BAD.”
Call for International Policing
Davis called the attacks a “real wake-up call for the e-commerce community.” He also told the E-Commerce Times that “The most important lesson we can learn from this is that we need to establish a police force that handles nothing but crimes like this.”
Davis believes that an international force is the answer, because investigators working on this case narrowed the search for the hackers to two neighboring houses in the small town of Clunderwen within a week. However, it took another month to move in on them because of jurisdictional squabbles, most notably between the U.S. Secret Service and the FBI.
Davis believes these incidents were more serious than the much-publicized denial-of-service (DoS) attacks on popular Web sites last month, because sites were not actually compromised in those instances.