Credit Cards Being Stolen from Web Site.... "Real Time"

Discussion in 'ASP.NET / ASP.NET Core' started by Hacked!, Feb 24, 2008.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. I am posting this as suggested by Michael Phillips of DASP.

    We have a very serious issue which we have, to date, been unable to correct.

    We have a completely custom built web site, including e-commerce.

    In October 2007, the host server was hacked and our web site was
    erased with all of the backups (I know the backups should have been kept
    offsite). The server was very severely compromised.

    The web site logs indicated the hack came from Hanoi, Vietnam. We have located the computer from which the hack came, but it was probably "hijacked" and the real hack came from elsewhere. We are in the process of bringing the computer to the States to be examined.

    We hired the original developer of the software and a couple of other IT people to collaborate in bringing our site back up and migrate to DASP.

    The original developer is trying his hardest to find any security problems, etc, etc. He is also in the process of changing the coding to what he believes will be much more secure.

    However, nearly every day we receive a call from a customer who says that their credit card was compromised shortly after having used our site. The stolen credit card is typically being used to: make wires from Western Union to Canada or other locations, Ancestry.com, FamilyTree.com, and other US web sites.

    We do not make very much money on this web site, so it does not pay to invest 20,000 to pay a top notch security firm to go over all of the code and apps. We are hopeful, if we can get over this "hurdle", that some time in the future the site can be more productive financially.

    Can anyone help??????
     
  2. Thank you for your reply.

    I believe that the agencies in your post are for the consumer who has had his/her credit card compromised from our web site. Most if not all of the consumers have filed with the local sheriff's office and maybe, in some cases, the FTC.

    We have filed with the local sheriff's office who has a "cyber crimes unit". We have tried to file with the FBI, but they are not interested. Their response was "it's just part of the cost of doing business"

    I am hoping that there is someone out there that can help us fix our problem so no more credit cards are compromised.
     
  3. Bruce (DiscountASP.NET Staff)

    My experience w/ law enforcement is fairly discouraging. I bet the FBI is getting so many such complaints that they can't really pay the deserved attention to every single one.

    Here are a few things that I recommend you do:

    1) Do you keep the credit card number stored in the database? If you don't do recurring billing, you may want to consider NOT storing the CC in your database. This will eliminate the fact that the hacker has access to your database.

    2) If you still have CC compromise complaints, this usually means that the hacker inserted some code into your application. E.g., every time someone submits an order, the details get emailed to them.

    3) I would also keep a copy of the site and periodically compare the file size and modification date.
     
  4. Hi,

    Thank you for the reply.

    It really bothers me that the FBI replies that this is just the cost of doing business. It makes me want to call the IG for DOJ. Even FBI.GOV has been hacked!! And, I think they have more money to spend on security than I do.

    1) All of the credit cards are stored in a highly encrypted database. It seems that we do not have theft of any of this data.

    2) I think the credit card data is being sent out as soon as it is entered. But, I do not know how. The code is all ASP. I have done searches for @, .com, www, etc. looking for locations where the information may be re-directed.

    I did not write the code. But, if someone could make a suggestion how to find the embedded code, if it exists, would surely be appreciated.
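
Added example, not part of the thread and not the site's code: a text search for "@", ".com" or "www" only finds literal addresses, so this Python sketch instead lists every place where classic ASP source creates an object that can send mail, make HTTP requests, write files or run dynamically built code, including ProgIDs assembled by string concatenation. The category names and the ASP sample lines are constructed for illustration.

```python
import re
from pathlib import Path

# COM objects and VBScript statements that let classic ASP code send data
# off the server, touch files, or run code that is built at run time.
SINKS = {
    "mail": r"CDO\.Message|CDONTS\.NewMail",
    "http": r"MSXML2\.(?:Server)?XMLHTTP|Microsoft\.XMLHTTP|WinHttp\.WinHttpRequest",
    "file": r"Scripting\.FileSystemObject|ADODB\.Stream",
    "shell": r"WScript\.Shell",
    # Execute/Eval used as statements, not method calls such as conn.Execute(sql)
    "dynamic-code": r"(?<![\w.])(?:ExecuteGlobal|Execute|Eval)\b",
    # CreateObject whose argument is not one plain string literal: the ProgID
    # is assembled at run time, so searching for its name finds nothing
    "computed-progid": r'CreateObject\s*\((?!\s*"[^"]*"\s*\))',
}
PATTERNS = {name: re.compile(rx, re.IGNORECASE) for name, rx in SINKS.items()}

def scan_source(text):
    """Return (line_number, category, stripped_line) for every sink found."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        for category, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((number, category, line.strip()))
    return hits

def scan_tree(root, suffixes=(".asp", ".asa", ".inc")):
    """Scan every classic ASP source file under root; map path -> hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_source(path.read_text(errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed sample input (not taken from any real site).
SAMPLE = "\n".join([
    '<%',
    'Set rs = conn.Execute("SELECT id FROM orders")',
    'Set mailer = Server.CreateObject("CDO.Message")',
    'Set h = CreateObject("MSXML2.Server" & "XMLHTTP")',
    'Execute(decodedText)',
    '%>',
])

if __name__ == "__main__":
    for number, category, line in scan_source(SAMPLE):
        print(f"{number:>4}  {category:<16} {line}")
```

Every hit is a line to read and account for, not proof of tampering; a legitimate order-confirmation mailer shows up under "mail" as well.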
     
  5. Bruce (DiscountASP.NET Staff)

    I recommend you find the person who developed the app to check it out. In addition, did you also virus check all your computers?
     
  6. Hi,

    The person who wrote the app has checked it out. He cannot find anything.

    I have run a virus scan on the downloaded site.

    Thanks
     
  7. Hi there,

    The site that was hacked, is that being hosted with DiscountASP?
    If it is, I thought that all the hosted sites sat behind a firewall which should prevent this type of attack?
    I suppose that as DASP is such a large and well used hosting service, it is prime ground for malicious attacks.
    I'm now wondering whether our 'soon to be hosted site' could be next.

    Look forward to an explanation.

    Thanks
    Terry
     
  8. The question in my mind though is, how did the hackers gain access to your source code on the web server so that they were able to plant the malicious code? Isn't that what a firewall is supposed to prevent?
     
  9. Hi,

    Our previous web site host service was compromised, so this was one possible way that our code was compromised.

    To the best of my knowledge firewalls are not foolproof. Don't forget, even FBI.GOV has been hacked.
     
  10. Bruce (DiscountASP.NET Staff)

    TerryO,

    It is not exactly true. A firewall pretty much only prevents network attacks.

    In fact, almost 99% of the hacking incidents come from vulnerable web applications (most of them are canned applications with known security bugs).

    Hacked: I really don't have anything further to recommend. The FINAL resort is to have someone else redesign the application or consider changing your shopping system to a commercial system. After all, ASP is kinda old technology.
     
  11. Hi Dave, excuse me going on here a bit but I'm still curious to understand how a hacker is able to gain access to the said site's source code on the web server then write and save to the file location where the tampered page is stored?
    If the firewall only has say port 80 open for browsing and 21 and 21 for FTP, how is someone able to write to the page?

    Also, we are currently looking at shopping cart software.
    Q: If there is a requirement for the software that we choose to be installed on the webserver that our site is hosted on at DASP, is that a possibility?
    What's the company's policy around that or are we restricted to using software that is currently installed on your web servers?

    This thread has highlighted the vulnerability (possibly) of the shopping cart system that "Hacked" is using, so how do we tell a bullet proof piece of software from a vulnerable one? Any suggestions?

    Thanks Dave,

    Regards
    TerryO
     
  12. Hi,

    Yes, the site is hosted with DASP

    But, this does not mean "our problem" has anything to do with where we are hosting. It could be a web app problem, embedded malicious code or???

    I am hoping that there is someone that will read these threads that can propose a solution which will not run into the tens of thousands of dollars.
     
  13. Hi Terry,

    Our site was originally hacked in October 2007. We traced the hack to Hanoi. We have gone to great lengths to have the disk picked up and returned to the US from that computer in Hanoi.

    Here's a small sampling of other types of attacks that are possible:

    session hijacking

    sql injection

    xss

    packet sniffing

    data based vulnerability

    and, that's just a small sample

    If you think that law enforcement will help, good luck. The FBI doesn't care. I don't know that local law enforcement has the skills.

    Any site can be hacked if the hacker is determined. According to Urban Legend, the same person who hacked FBI.Gov, Apple.com, IBM.com and many other sites, even hacked NORAD.

    Good Luck
     
  14. Bruce (DiscountASP.NET Staff)

    A very typical hack looks like this

    1) The hacker performs a Google search on certain pages that are known to have a security hole.

    2) Through the security hole, the hacker uploads some sort of file manager onto your site.

    3) Once the file manager is in place, he can pretty much change any of the files on your site or download the database.
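
Added example, not part of the thread: one way to do the "keep a copy and compare" check from post 3, which also surfaces the uploaded file manager and altered pages described in post 14. It goes beyond file size and modification date by comparing SHA-256 hashes, because an edit can keep the size and the date can be reset; the file names and contents in `demo()` are constructed, and the baseline is assumed to be stored off the web server.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map every file under root (relative path) to [size, sha256]."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        manifest[rel] = [len(data), hashlib.sha256(data).hexdigest()]
    return manifest

def compare(baseline, current):
    """Report files added, removed or modified since the baseline."""
    both = set(baseline) & set(current)
    modified = sorted(p for p in both if baseline[p] != current[p])
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": modified,
        # changed content, identical size: a size-only comparison misses these
        "same_size": [p for p in modified if baseline[p][0] == current[p][0]],
    }

def demo():
    """Constructed site tree: take a baseline, tamper, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp, "site")
        site.mkdir()
        (site / "checkout.asp").write_text("<% total = 10 %>")
        (site / "default.asp").write_text("<% Response.Write 1 %>")
        baseline_file = Path(tmp, "baseline.json")  # keep this off the server
        baseline_file.write_text(json.dumps(build_manifest(site)))

        # Simulated tampering: a same-length edit and an unexpected new script.
        (site / "checkout.asp").write_text("<% total = 99 %>")
        (site / "images").mkdir()
        (site / "images" / "fm.asp").write_text("<% ' unexpected script %>")

        baseline = json.loads(baseline_file.read_text())
        return compare(baseline, build_manifest(site))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_manifest` against the deployed copy on a schedule and compare it with a baseline taken from a known-good copy; any "added" script file in a directory that should hold only images or uploads deserves immediate attention.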
     
  15. Hacked,

    I had come across some tools which scan your website and find out security holes. I was looking through Google once and found them. Try the product here http://www.acunetix.com/. I have not used it so am not sure how good it is.

    HTH.

    Regards,
    Satish
     
  16. Hi,

    Thank you for your suggestion. I will give it a try.

    In the meantime, we have had the following progress(?):

    1. The original developer believes that he has found the source of the current hacks; SQL Injections.

    2. We have deleted all archival data of credit cards stored on web site.

    3. I have complained and sent more information to the FBI. They say they are "passing it along". I do not understand why the FBI takes this matter so seemingly lightly. Commerce cannot survive in an environment of lawlessness. My site, is no different than anyone else's. If there is a concerted effort to hack the site it can be done. According to my developer, there was a concerted effort.

    4. If there is not a genuine interest on the part of the FBI, then I will ask one of the IG's for Dept of Treasury for their assistance. The experience that we have had with hacking and the FBI's response I would suspect is no different than many other cases in this country.

    Best Regards,
     
  17. I didn't want to start a "The FBI helped me" response but...
    They have helped me twice with hacks.
    ASP commerce and with a vendor that used our records, while I was a lead developer for Cimtek Commerce.
    However... Both times they helped were before 9/11, and things have definitely changed so I kept quiet.
     
  18. Hi,

    Could you make a suggestion how to have the FBI help?

    I think that as long as there are sustained attacks, no site is safe.

    Thanks
     
  19. To be honest I don't have any inside information, we always used their official sites.
    I used their official site a few years ago also and they did help.
    Used one of my Debit cards to upgrade some professional software online and my card was hacked for $1,300 by some Philippines.
    The FBI resolved that one quickly, within a week.
    Silly thing was the hackers used my card to create a club site on-line with their own names.
     
  20. Bruce (DiscountASP.NET Staff)

    From my experience, the FBI only gives you a decent response if you are being extorted.

    In my previous job, one customer's DB was hacked through an application hole and all the CC numbers stored were stolen. The hacker contacted the owner and demanded money. The FBI showed up in our office within 2 days. Sad thing is... they never caught the guy because he's in Russia!!!
     
  21. mjp

    I am afraid that it is pretty unlikely that the FBI will help you. Note that wisemx said they helped with his personal problem "years ago." I don't know how many years ago, but I would guess it is more than a few. Unless you are a large company, a government agency or there are threats of extortion or violence, you are going to have a hard time getting any official agency to investigate the problem. Online theft is so widespread now that I think it would be impossible to investigate it all, and the higher profile you or the case are, the more likely you'll get some results.

    A few years ago the host I worked for (not DiscountASP) was compromised and logs indicated that a copy of the customer database was downloaded. In the interest of being polite I'll just say that the database design, security and everything else at this host was kind of rickety and substandard, so the customer database contained easily linked names, addresses and (unencrypted) credit card numbers for about 50,000 people. We called the FBI. They did a phone interview, said they would "follow up," and that was the last time we heard from them.

    On the flipside of that, I have been interviewed by FBI agents twice and Scotland Yard agents once over information related to people who hacked government computers in the U.S. and U.K. So I think it's a matter of what they think is important (the Scotland Yard agents were pretty tight-lipped, but it must have been important for them to show up in California to ask me what I knew about an email address), and maybe more so, what they think will result in some success on their part. The stolen customer database of my old host went to an Eastern European country, and I think (this is my speculation only, of course) that the FBI looked at it and said, "We are never going to find these guys," and blew us off.

    But if an article had come out in WIRED or the Los Angeles Times - "50,000 users credit card data compromised at some host!" - I think we may have received different treatment from the FBI. I don't know, that's just my take on it.
     
  22. jc1

    First let me say sorry to hear about your situation. Not knowing code and then being basically helpless against fixing or solving the problem must be real tough.

    Unfortunately if it is SQL Injection - classic ASP code is almost the easiest environment to perform this kind of "hack" because of the ease of coding crappy code.

    But unless the code is written pretty poorly and in a rather generic way SQL Injection to query information is kind of tough to do with no knowledge of the db or schema.

    I would venture to guess that if your old host got compromised then the "hacker" would be much better off inserting more generic scripts into each .asp page or at a lower level in IIS to submit form requests to a third party. But you said it is still happening after a migration to a new host, correct?

    I personally wouldn't waste my time with a small site trying to perform SQL injection against it unless it was a way too obvious coding mistake.

    I do wish to state that it is your responsibility to ensure the safety of your customers' data and sensitive information. If you hire developers that aren't trained correctly to save a buck then this is your fault. If you can't live with this then don't store CCs or even develop applications that operate in this environment. Sorry but there is a reason some developers work for 20 an hour and others 150 an hour - same goes for the cost of cookie cutter applications.
     
  23. Forget it, re-write the website from scratch. You know the business-rules and login of your old site.

    Do it on a NEW DASP account.
     