Researchers at Kaspersky Lab in Germany have discovered a message board with hundreds of stolen credit card numbers and other sensitive data, including ATM and credit card PIN numbers, names and addresses of cardholders, email addresses, and other account details.
The site had been posting the information since August 2005 and, as of last week, there were 60 additional stolen accounts on the site, which contained over 300 credit card numbers, Kaspersky virus analyst Magnus Kalkuhl blogged this week.
As of today, another 63 stolen accounts were posted on the site.
"This is all in the day's work of a virus researcher," says Shane Coursen, senior technical consultant for Kaspersky. Researchers often find malware that points them to malicious sites such as this, he says.
Interestingly, Kaspersky researchers had trouble at first getting the attention of German authorities, as well as of Visa and Mastercard. "As a last resort, we called the customer emergency number," Kalkuhl reports in his blog. And the exchange with the credit card companies went like this:
- "We're calling from Kaspersky Lab, an IT security company; we've found a Website which has hundreds of your customers' credit card numbers on it. Could you please tell us who in your company we should contact?"
- Credit card company: "Er -- could you please give me your credit card number, Sir?"
The team then looped in Kaspersky's U.S. office, which contacted the credit card companies as well as the FBI. Kaspersky is now in the process of taking down the illicit Website, according to Kalkuhl, who initially called one of the victims whose information was found on the site to confirm the account numbers were legitimate.
Given the continuing investigation, Kaspersky would not reveal the URL of the malicious site.
Nonetheless, Kalkuhl remains uneasy about how difficult it was to report the problem. "If you lose your credit card, you're obliged to inform the card issuer asap. And credit card companies do provide emergency numbers to make this easier," he writes in his blog. "But the story above shows that if, like us, you come across more than 300 stolen numbers, it's going to be a bit more difficult."
The trouble is that law enforcement and credit card companies are not set up to counter mass fraud, says Richard Stiennon, founder of IT-Harvest. "They wait until after the theft is reported by the credit card owner, and then they cover the losses," Stiennon says.
Kaspersky was unable to provide more details due to the ongoing investigation, so it wasn't clear just how the data was being stolen or disseminated.
"Unfortunately, this kind of discovery of a malicious site is very common," Coursen says. But it's usually a trove of stolen passwords, for instance, not credit card numbers.
Kelly Jackson Higgins, Senior Editor, Dark Reading