Thursday, March 09, 2006

17 Million Adult Entertainment Website Users Have Their Personal Info Released On Internet
17M Adult Entertainment Website Users Have Their Personal Info Released On Internet...
By Quinn Norton

Seventeen million customers of the online payment service iBill have had their personal information released onto the internet, where it's been bought and sold in a black market made up of fraud artists and spammers, security experts say.

The stolen data, examined by Wired News, includes names, phone numbers, addresses, e-mail addresses and internet IP addresses. Other fields in the compromised databases appear to be logins and passwords, credit card types and purchase amounts, but credit card numbers are not included.

The breach has broad privacy implications for the victims. Until it was brought low by legal and financial difficulties, iBill was a top credit card processor for adult entertainment websites -- providing billing services for such outlets as DominaBDSM and

The transactions documented in the database are dated between 1998 and 2003, spanning a period at the height of iBill's success.

The company didn't respond to repeated e-mail and telephone inquires by Wired News.

Two caches of stolen iBill customer data were discovered separately by two security companies while conducting routine research into malicious software online.

Southern California-based Secure Science Corporation found the first data file containing records on 17 million individuals on a private website set up by scammers. The site was part of a so-called "phishing" scheme, in which a spamming fraudster poses as a bank or online retailer in an attempt to con consumers out of identification and financial information.

Secure Science found that data in February 2005, and reported it to the FBI's Miami field office, the company says. The FBI declined comment.

Last month, Sunbelt Software found an additional list of slightly over 1 million individual entries labeled Ibill_1m.txt on a spamming website. That list also appeared to date from 2003.

IBill has a troubled history. Founded in 1997 by executives of a Florida-based BBS software developer, by 2002 iBill was a big player in internet billing, processing approximately $400 million in credit card transactions per year, according to SEC filings. The company took 15 percent off the top in fees. Todd Dugas, a former inside sales representative for iBill, estimates that pornography made up 85 percent of the business.

But when Atlanta-based InterCept acquired iBill for $120 million in 2002, it immediately encountered problems. New rules from Visa made it more complicated and costly to process adult website transactions, and "accounts dropped like flies," says Dugas. Meanwhile MasterCard levied $5.85 million in fines against iBill for an unusually high volume of "charge backs" -- consumer-disputed charges -- though InterCept managed to recoup most of the fine from iBill's previous owners.

In September 2004, iBill lost the contract with its upstream credit card processor, First Data, which had grown wary of being associated with adult content. Website operators relying on iBill for payments had to wait months for their checks while First Data held the money in escrow. Roger Jacobs, who followed the story of iBill for adult industry publications AVN and XBiz, described low morale and a hemorrhaging of employees during this period..

Lance James of Secure Science and Adam Thomas of Sunbelt Software speculate that the company's troubles may have left them vulnerable to information embezzlement: The breach, they say, has all the markings of an inside job. The files appear to have been generated by exporting an SQL database into a CSV format -- a procedure that would be unusually extravagant for a quick, furtive hack-attack. Moreover, at 4.5 gigabytes in size, the larger file would have been tough to download unnoticed over iBill's internet connection.

Thomas speculates that an employee or other insider may have simply walked out of iBill with the transaction records to sell on the data black market.

What happened with the records from there is anyone's guess. The 1 million addresses found by Sunbelt Software were being used for spamming. Sunbelt found the database by tracing malware-infected computers as they connected to the internet to refresh their list of spam targets. The target list turned out to be the iBill database, hosted on a rogue website.

Secure Science's James says the 17 million database entries he found is prime data for spamming, phishing attacks, pretext phone calls, and even possible hacking of vulnerable computers at the IP addresses listed.

Independently, Wired News found that entries from the smaller cache are listed as mortgage leads on a spammer community site, (The website's homepage offered no contact information and Wired News was unable to reach the registered owner of the domain, one "Juice Wobble.") This suggests that the database was marketed as a lead list for outside businesses. "I can attest to the fact that this goes on with phishing groups," says James. "They break in and steal leads and then sell those leads to (black market) leads companies, who resell them to legitimate companies, and sometimes the same companies they stole them from."

"The fact that a total of 17,781,462 iBill records have been found in the hands of criminal hackers is quite disturbing, be it an inside job or the successful work of criminal hackers," says Thomas.

Contacted by Wired News, one of the victims of the breach expressed dismay that his information was in the hands of criminals. The 41-year-old San Diego man says he allowed a "business partner" to use his credit card on an adult website dedicated to finding resources in Tijuana's red light district, with discussion groups and locations of prostitutes.

"Life is difficult enough," says the victim. "It makes the net that much less secure in my eyes... I plan to not use any credit card information on any site."

The man says that neither iBill nor the FBI notified him of the breach.

Because the information didn't include Social Security, credit card or driver's license numbers, no U.S. laws require iBill or the companies for which they provided billing to warn victims. A year after the FBI first learned of the larger leak, they have also failed to issue any public warnings.

In January of last year, iBill was purchased by Interactive Brand Development for $23.5 million. On Monday, IBC's stock closed at 8 cents a share in over-the-counter trading.