The federal government's central computer-crime bureau reported today that there is an ongoing and organized series of hacker attacks against e-commerce Web sites that has resulted in the theft of more than 1 million individual credit-card numbers.
The National Infrastructure Protection Center said it has been working with the Federal Bureau of Investigation and the United States Secret Service for several months on the investigation and has identified more than 40 victim sites in 20 states.
The attackers, who appear to be located in the Ukraine and Russia, are exploiting numerous well-known and well-publicized vulnerabilities in Microsoft Corp.'s Windows NT software - some as many as three years old - to gain access to the various victim sites, the NPIC said.
Once the attackers gain access to a site, law enforcement officials say that they download customer databases, credit-card numbers and other proprietary information and then contact the victim company and notify it of the hack. The attackers then inform the company that the hackers can protect it from future attacks of this type if it buys the hackers' security services.
If the company refuses, the hackers' demands become more threatening, and officials believe that some of the credit-card data has been sold to organized-crime groups. Many of the vulnerabilities that the attackers are apparently using have been known for years, and Microsoft has issued patches for nearly all of them. The various holes, if not patched, could allow an attacker to execute shell commands on the IIS system, access and execute commands on a SQL server, or run system commands on a Web server.
The NPIC has also identified several file names associated with the hackers' activities. Go here for the full advisory and a list of the suspicious file names.
Thursday's advisory is actually an update of a warning that the center issued in December, listing many of the same vulnerabilities and imploring administrators to install the appropriate patches.
Security experts say that while the hackers are obviously organized and patient in launching their attacks, none of the thefts would have been possible had the affected sites simply installed the patches.
"It's mind-boggling that this still happens, but we run into it constantly," said David Thompson, senior manager of the security practice at PricewaterhouseCoopers, in Boston. "In the banking community, there's a significant number of small banks that have gotten themselves into these home banking programs but don't spend the money to make it secure. They install the software and then walk away from it. It's frightening, really."