
Hackers pounce on Web site flaw

posted on July 5, 2001
by hitbsecnews

Time has apparently run out for Internet
e-commerce sites to fix a critical software flaw
that exposes customer credit card numbers. In
the past few days, dozens of URLs have been
posted in Internet chat rooms linking to small
Web sites that hadn’t patched their flawed
shopping cart programs. The flaw is so
widespread that some of the URLs containing
customer information are being picked up by
search engines — meaning finding hot cards is
almost as easy as conducting a search on Yahoo
or Google.

Often in the computer security world,
vulnerabilities are announced that in the end appear to not
cause any real-world problems — what one might call a
“victimless vulnerability.” Much ado is made about a flaw in
a piece of software, but weeks and months later, there are
no stories of victims having been hit by a computer criminal
exploiting that flaw.

That’s hardly the case with a flaw revealed by PDG
Software Inc. back in April. In May, MSNBC.com
reported on a trickle of Web sites that had been victimized
by the problem, which lets criminals see complete order
information entered by Web site customers. Now, that
trickle seems to have turned into a flood.

While hundreds of sites have downloaded and installed
the necessary patch provided by software maker PDG
Software Inc., dozens of others have yet to do so.

And now, instructions on how the flaw works have
spread through the Internet’s underground, and exploiting it
is so trivial that several sites are being victimized each day.

For example, on Monday, armed with simple instructions provided on
a Web site, MSNBC.com was able to find eight sites revealing
information. Finding the sites is easy: it involves using a
particular search term on a search site like Google or Yahoo,
followed by one additional cut-and-paste operation. While most sites
uncovered using this search method had installed the patch, about
one in 15 had not.
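The article does not reproduce the search term or the exposed URLs, and they are not reproduced here either. What a site operator can do with the description above is the reverse check: fetch every page a crawler could reach on the shop and test whether the served text carries anything that looks like an order record. The scanner below is an added example written for this page, not code from MSNBC.com or from PDG Software; it works on a constructed sample of text (the card numbers in it are the widely used Visa and Mastercard test numbers, and the field names such as auth_pass are hypothetical). It pulls 13 to 19 digit runs out of the text, keeps only those that pass the Luhn check so that order numbers and merchant IDs do not trigger it, masks what it keeps, and separately flags fields whose names suggest credentials, since the article reports logins for card-verification systems leaking alongside the card data.

```python
import re

# Constructed sample of what a leaked order file might contain. Not real data:
# 4111... and 5500... are published test card numbers; 1234... fails Luhn and
# is here to show that an arbitrary 16-digit run is not reported.
SAMPLE_ORDER_DUMP = """\
order=1042
name=J. Example
card=4111111111111111
exp=09/03
merchant_id=123456789
auth_user=shop
auth_pass=hunter2
backup_card=5500 0000 0000 0004
tracking=1234567812345678
"""

# 13-19 digits, optionally separated by single spaces or hyphens, not part of
# a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# key=value lines whose key looks like a credential (assumed naming, see lead-in).
SECRET_KEY = re.compile(r"^(?P<key>[^=\s]*(?:pass|pwd|secret)[^=\s]*)=", re.I | re.M)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card-number-shaped digit runs found in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep the first six and last four digits, the usual PCI-style display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_secret_keys(text: str) -> list:
    """Field names in the dump that look like they carry a password."""
    return [m.group("key") for m in SECRET_KEY.finditer(text)]


def report(text: str) -> dict:
    """Summary a scan job would log for one fetched page."""
    pans = find_pans(text)
    return {
        "exposed": bool(pans),
        "pans": [mask(p) for p in pans],
        "secret_fields": find_secret_keys(text),
    }


if __name__ == "__main__":
    print(report(SAMPLE_ORDER_DUMP))
```

Run it over the body of every URL a crawler can reach rather than over the files on disk: the point of the article is that the data was served, not merely stored, so the check has to go through the web server. A page with no Luhn-valid run is not proof of safety (card data could be obfuscated or split across fields), so treat a clean result as one signal and a positive result as a confirmed leak to act on.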

Each of the sites was informed of the issue via e-mail.

A source who requested anonymity told MSNBC.com
he has been monitoring chat rooms for signs of
PDG-exploited sites and says activity around the flaw has
reached fever pitch in the past week.

He provided MSNBC.com with chat room logs
detailing 19 other sites that had been posted during the
weekend, but most of those sites had fixed their problem by
Tuesday afternoon.

Each of the sites was a low-traffic,
low-transaction-volume e-commerce property — the seven
found by MSNBC.com revealed only about 100 credit
card numbers. But other critical information was also
revealed, such as merchant identification numbers used by
retailers to communicate with payment processing
companies. User names and passwords for credit card
verification systems were also exposed.

Credit card criminals can have a field day with such
information. For example, the merchant ID and verification
system login information gives card thieves an easy way to
test the credit limits on cards they’ve stolen.

The PDG Software flaw first revealed in April was so
widespread and easy to use that the FBI, through its
National Infrastructure Protection Center, issued a warning
about it on April 6. PDG Software Inc. also says it
attempted to contact each of its 2,000 customers, warning
of the need to install a fix.

But the company added that many customers
purchased the software through a third party, and in some
cases it has no contact information for those customers.

In other cases, the company said, customers have
simply failed to act on warnings about the software.

Company President David Snyder said his company
has done everything it can to alert PDG users to the need to
install a patch. “If they get an e-mail and don’t read it or
don’t take action, we can’t go over there and install it for
them,” he said.

Source: MSNBC
