A highly organized ring1 of hackers has stolen more than a million credit card numbers over the past few months from commercial Web sites across2 the United States, using a well-known three-year-old vulnerability in a Microsoft operating system, the FBI said few days ago.
About 40 sites in 20 states have been compromised and the hackers have tried to blackmail3 businesses by threatening4 public embarrassment5 if the companies did not pay them or at least hire6 them to fix their systems.
The FBI said most of the attacks came from Russia and Ukraine.
The FBI would not comment about specific cases or say in a background briefing7 how it had identified the group of hackers. In several recent incidents hackers have demanded8 $100,000 from companies such as CD Universe and Creditcards.com. When their demands were ignored, they posted tens of thousands of credit card numbers online.
FBI spokeswoman9 Debbie Weierman would not say whether any company had paid the hackers. But the FBI said in a prepared statement that "there has been evidence that the stolen information is at risk whether or not the victim cooperates with the demands of the intruders10."
The back doors the hackers used to slip into the Web sites were known to be a problem as early as 1998.
Vulnerabilities in Microsoft Corp.'s Windows NT operating system allow unauthorized users to access files, disable11 security measures or even to crash12 computers, the FBI said.
Weierman said the bureau took the unusual step of releasing information about a pending13 investigation because there are quick and easy ways of fixing the problems. Free patches14 are available for download from www.microsoft.com.
Microsoft already has issued several news releases about the problems. The National Infrastructure Protection Center issued an alert in December. Still, Weierman said, "not everyone has heeded15 the importance and the severity of this situation." She said the hackers had already done hundreds of thousands of dollars in damage.
The FBI's announcement followed the exposure16 of security problems at a number of commercial online operations, including the CD Universe and Western Union Web sites and America Online's proprietary service. The attacks renew questions about whether the Internet is mature enough to handle17 the increasing number of the financial transactions taking place on it each day.
Security experts said that break-ins18 highlight19 show how many of the online world's security problems are caused by simple human error. Brian Martin, who runs the Attrition.org security site, said the Windows NT vulnerabilities are things that come up in Computer Security 101.
"It's an ancient hack20 that everyone should know about," he said. "But in reality it takes years and years for some people to realize it's a problem."
Amit Yoran, a former computer security officer for the Defense Department and now head of Riptech Inc. in Alexandria, said part of the problem is that many of the people who hastily21 constructed Web sites during the past few years assumed that putting commercially available electronic firewalls around their systems would protect them.
But with new attack strategies appearing on hacker Web sites all the time, that obviously is not enough, Yoran said.