From: thrasher@reece.net.au   
      
   Seventeen million customers of the online payment service iBill have   
   had their personal information released onto the internet, where it's   
   been bought and sold in a black market made up of fraud artists and   
   spammers, security experts say.   
      
   The stolen data, examined by Wired News, includes names, phone   
   numbers, addresses, e-mail addresses and internet IP addresses. Other   
   fields in the compromised databases appear to be logins and passwords,   
   credit-card types and purchase amounts, but credit-card numbers are   
   not included.   
      
   The breach has broad privacy implications for the victims. Until it   
   was brought low by legal and financial difficulties, iBill was a top   
   credit-card processor for adult entertainment websites -- providing   
   billing services for such outlets as DominaBDSM and Top-Nude.com.   
      
   The transactions documented in the database are dated between 1998 and   
   2005, spanning a period at the height of iBill's success.   
      
   The company didn't respond to repeated e-mail and telephone inquires   
   by Wired News.   
      
   Two caches of stolen iBill customer data were discovered separately by   
   two security companies while conducting routine research into   
   malicious software online.   
      
   Southern California-based Secure Science Corporation found the first   
   data file containing records on 17 million individuals on a private   
   website set up by scammers. The site was part of a so-called   
   "phishing" scheme, in which a spamming fraudster poses as a bank or   
   online retailer in an attempt to con consumers out of identification   
   and financial information.   
      
   Secure Science found that data in February 2005, and reported it to   
   the FBI's Miami field office, the company says. The FBI declined   
   comment.   
      
   Last month, Sunbelt Software found an additional list of slightly over   
   1 million individual entries labeled Ibill_1m.txt on a spamming   
   website. That list appeared to date from 2003.   
      
   IBill has a troubled history. Founded in 1997 by executives of a   
   Florida-based BBS software developer, by 2002 iBill was a big player   
   in internet billing, processing approximately $400 million in credit   
   card transactions per year, according to SEC filings. The company took   
   15 percent off the top in fees. Todd Dugas, a former inside sales   
   representative for iBill, estimates that pornography made up 85   
   percent of the business.   
      
   But when Atlanta-based InterCept acquired iBill for $120 million in   
   2002, it immediately encountered problems. New rules from Visa made it   
   more complicated and costly to process adult website transactions, and   
   "accounts dropped like flies," says Dugas. Meanwhile MasterCard levied   
   $5.85 million in fines against iBill for an unusually high volume of   
   "charge backs" -- consumer-disputed charges -- though InterCept   
   managed to recoup most of the fine from iBill's previous owners.   
      
   In September 2004, iBill lost the contract with its upstream   
   credit-card processor, First Data, which had grown wary of being   
   associated with adult content. Website operators relying on iBill for   
   payments had to wait months for their checks while First Data held the   
   money in escrow. Roger Jacobs, who followed the story of iBill for   
   adult industry publications AVN and XBiz, described low morale and a   
   hemorrhaging of employees during this period.   
      
   Lance James of Secure Science and Adam Thomas of Sunbelt Software   
   speculate that the company's troubles may have left them vulnerable to   
   information embezzlement: The breach, they say, has all the markings   
   of an inside job. The files appear to have been generated by exporting   
   an SQL database into a CSV format -- a procedure that would be   
   unusually extravagant for a quick, furtive hack attack. Moreover, at   
   4.5 gigabytes in size, the larger file would have been tough to   
   download unnoticed over iBill's internet connection.   
      
   Thomas speculates that an employee or other insider may have simply   
   walked out of iBill with the transaction records to sell on the data   
   black market.   
      
   What happened with the records from there is anyone's guess. The 1   
   million addresses found by Sunbelt Software were being used for   
   spamming. Sunbelt found the database by tracing malware-infected   
   computers as they connected to the internet to refresh their list of   
   spam targets. The target list turned out to be the iBill database,   
   hosted on a rogue website.   
      
   Secure Science's James says the 17 million database entries he found   
   is prime data for spamming, phishing attacks, pretext phone calls and   
   even possible hacking of vulnerable computers at the IP addresses   
   listed.   
      
   Independently, Wired News found that entries from the smaller cache   
   are listed as mortgage leads on a spammer community site,   
   specialham.com. (The website's homepage offered no contact information   
   and Wired News was unable to reach the registered owner of the domain,   
   one "Juice Wobble.") This suggests that the database was marketed as a   
   lead list for outside businesses. "I can attest to the fact that this   
   goes on with phishing groups," says James. "They break in and steal   
   leads and then sell those leads to (black market) leads companies, who   
   resell them to legitimate companies, and sometimes the same companies   
   they stole them from."   
      
   "The fact that a total of 17,781,462 iBill records have been found in   
   the hands of criminal hackers is quite disturbing, be it an inside job   
   or the successful work of criminal hackers," says Thomas.   
      
   Contacted by Wired News, one of the victims of the breach expressed   
   dismay that his information was in the hands of criminals. The   
   41-year-old San Diego man says he allowed a "business partner" to use   
   his credit card on an adult website dedicated to finding resources in   
   Tijuana's red light district, with discussion groups and locations of   
   prostitutes.   
      
   "Life is difficult enough," says the victim. "It makes the net that   
   much less secure in my eyes.... I plan to not use any credit card   
   information on any site."   
      
   The man says that neither iBill nor the FBI notified him of the   
   breach.   
      
   Because the information didn't include Social Security, credit-card or   
   driver's-license numbers, no U.S. laws require iBill or the companies   
   for which they provided billing to warn victims. A year after the FBI   
   first learned of the larger leak, they have also failed to issue any   
   public warnings.   
      
   In January of last year, iBill was purchased by Interactive Brand   
   Development for $23.5 million. On Monday, IBD's stock closed at 8   
   cents a share in over-the-counter trading.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)