A mysterious computer intruder has tried to extort $100,000 (€99,000) from an Internet music retailer after claiming to have copied its collection of more than 300,000 customer credit-card files, which could be used by others to charge purchases online or by telephone.
Because the company, CD Universe, has refused to pay blackmail, the anonymous intruder has released some of the credit-card files on the Internet. He also claims to have used some other credit-card numbers to obtain money for himself.
The electronic shakedown attempt is likely to rekindle consumer concerns about the security of using credit cards for online purchases. And because the e-mail trail indicates the extortionist is somewhere in Eastern Europe - perhaps Latvia, Bulgaria or Russia - the case also demonstrates how the Internet can enable electronic outlaws to operate beyond the jurisdiction of US law enforcement officials.
"The Internet creates a whole new class of criminals," said Mr Elias Levy, chief technology officer of SecurityFocus.com, a computer security firm. Last Friday, Mr Levy's company began alerting journalists to the existence of a website that the blackmailer had been using for two weeks to distribute perhaps 25,000 of the stolen card numbers to thousands of other people. That site was shut down earlier this week.
"On the Internet you can have criminals coming from countries where we have no extradition treaties," Mr Levy said. CD Universe is an online music store operated by eUniverse Inc. An eUniverse executive said the firm had been co-operating with the FBI in an effort to catch the extortionist.
"He definitely has CD Universe data," Mr Brad D. Greenspan, chairman of eUniverse, said. "Whether he hacked the site or got the data in some other way, I'm not sure exactly."
Mr Greenspan said the company had begun sending e-mail notices to its customers, alerting them to the theft, and was working with credit-card companies on a plan to help customers whose card numbers might have been stolen.
A person who identified himself as the blackmailer and called himself Maxim - "I am 19 and I am from Russia" - said in an e-mail exchange with a reporter that he had found and exploited a security flaw in the software that is used to protect financial information on the CDUniverse.com website.
The extortionist said he had sent a fax to CD Universe last month offering to destroy his cache of stolen credit card files if he were paid $100,000. After the company did not respond to his demands, he said, he began placing the credit card files on a website on Christmas Day.
The site was called Maxus Credit Card Pipeline. There, with a single mouse click, a visitor could obtain a credit card number, name and address that the site claimed was obtained "directly from the biggest online shop database".
EUniverse, which besides Wallingford has offices in Chicago and San Francisco, operates a variety of Internet commercial services that include CD audio sales, DVD movie sales and online computer games. But with an estimated 300,000 customers, its CD Universe site is small, compared with the leader in online music, CDNow, whose site has four million visitors a month.
The person identifying himself as Maxim e-mailed the reporter a list of 198 credit cards as proof of what he said was his successful theft of a much larger credit-card database. A reporter's calls to several of the people whose credit-card information was on this e-mail list - or was available on the Maxus site - indicated that at least those credit-card numbers were real.
One of those individuals, a woman in Los Altos, California, who requested anonymity, confirmed she had been a CD Universe customer, though not recently. When told that her credit-card data had been stolen, she said she would notify the authorities.
In a subsequent conversation, she said: "I called the San Francisco office of the FBI and they told me that I should make certain that I had torn up the carbon copies of my credit-card receipt. I had to explain to the agent that I had used my card over the Internet."
The Maxus site was shut down after a group of computer security experts who had learned of the website alerted Lightrealm, an Internet carrier based in Washington. The blackmailer had been using Lightrealm's system to operate his site, apparently without the company's knowledge.
Before the Maxus site was shut down, a traffic counter on the site indicated that several thousand visitors had downloaded more than 25,000 credit-card numbers from the system since Christmas Day.
In one of his e-mail messages, Maxim said that he had been involved in the illegal use of credit cards since 1997. Originally, he wrote, he had tried to create a legal online company that would take payments with a credit-card processing system.
But then, he said, he found he could subvert ICVerify, a credit-card verification software program. The program is sold by Cybercash, an electronic commerce security company whose software is widely used by e-commerce merchants.
"In 1998," he wrote, "I hacked in to a chain of shops and got ICVerify (Cybercash) program with necessary configuration files for transferring money."
He said that with the ICVerify program he had been able to make a charge on a credit card and then give a charge-back refund to a second credit card, a system he said gave him an "almost anonymous" offshore credit-card account.
CD Universe employs ICVerify on its site, but Mr Greenspan said that the company was not ready to conclude the blackmailer had manipulated that software to obtain the customer information.
Cybercash said that it was investigating the claims. Its chairman, Mr Daniel Lynch, said that about a year ago the company had found a security flaw in ICVerify, but had created a software "patch" for it and notified its clients.
Maxim, in one of his e-mail messages earlier this week, said that it was more typical for him to sell stolen credit cards on the anonymous Internet "chat" system known as Internet Relay Chat or on a special electronic underground in which stolen credit-card numbers were exchanged.
But he said that in the case of CD Universe he had faxed a message that stated, "pay me $100,000 and I'll fix your bugs and forget about your shop forever. . . or I'll sell your cards and tell about this incident in news."