A Network of Knockoff Apparel Stores Exposed 330,000 Customer Credit Cards (techcrunch.com) 22
An anonymous reader quotes a report from TechCrunch: If you recently made a purchase from an overseas online store selling knockoff clothes and goods, there's a chance your credit card number and personal information were exposed. Since January 6, a database containing hundreds of thousands of unencrypted credit card numbers and corresponding cardholders' information was spilling onto the open web. At the time it was pulled offline on Tuesday, the database had about 330,000 credit card numbers, cardholder names, and full billing addresses -- and rising in real-time as customers placed new orders. The data contained all the information that a criminal would need to make fraudulent transactions and purchases using a cardholder's information.
The credit card numbers belong to customers who made purchases through a network of near-identical online stores claiming to sell designer goods and apparel. But the stores had the same security problem in common: Any time a customer made a purchase, their credit card data and billing information was saved in a database, which was left exposed to the internet without a password. Anyone who knew the IP address of the database could access reams of unencrypted financial data. Anurag Sen, a good-faith security researcher, found the exposed credit card records and asked TechCrunch for help in reporting it to its owner. Sen has a respectable track record of scanning the internet looking for exposed servers and inadvertently published data, and reporting it to companies to get their systems secured.
But in this case, Sen wasn't the first person to discover the spilling data. According to a ransom note left behind on the exposed database, someone else had found the spilling data and, instead of trying to identify the owner and responsibly reporting the spill, the unnamed person instead claimed to have taken a copy of the entire database's contents of credit card data and would return it in exchange for a small sum of cryptocurrency. A review of the data by TechCrunch shows most of the credit card numbers are owned by cardholders in the United States. [...] Internet records showed that the database was operated by a customer of Tencent, whose cloud services were used to host the database. TechCrunch contacted Tencent about its customer's database leaking credit card information, and the company responded quickly. The customer's database went offline a short time later. Many of the stores leaking customers' information claim to operate out of Hong Kong and were set up in the past few weeks. Some of the websites include: spraygroundusa.com, ihuahebuy.com, igoodlinks.com, ibuysbuy.com, lichengshop.com, hzoushop.com, goldlyshop.com, haohangshop.com, twinklebubble.store, and spendidbuy.com.
The credit card numbers belong to customers who made purchases through a network of near-identical online stores claiming to sell designer goods and apparel. But the stores had the same security problem in common: Any time a customer made a purchase, their credit card data and billing information was saved in a database, which was left exposed to the internet without a password. Anyone who knew the IP address of the database could access reams of unencrypted financial data. Anurag Sen, a good-faith security researcher, found the exposed credit card records and asked TechCrunch for help in reporting it to its owner. Sen has a respectable track record of scanning the internet looking for exposed servers and inadvertently published data, and reporting it to companies to get their systems secured.
But in this case, Sen wasn't the first person to discover the spilling data. According to a ransom note left behind on the exposed database, someone else had found the spilling data and, instead of trying to identify the owner and responsibly reporting the spill, the unnamed person instead claimed to have taken a copy of the entire database's contents of credit card data and would return it in exchange for a small sum of cryptocurrency. A review of the data by TechCrunch shows most of the credit card numbers are owned by cardholders in the United States. [...] Internet records showed that the database was operated by a customer of Tencent, whose cloud services were used to host the database. TechCrunch contacted Tencent about its customer's database leaking credit card information, and the company responded quickly. The customer's database went offline a short time later. Many of the stores leaking customers' information claim to operate out of Hong Kong and were set up in the past few weeks. Some of the websites include: spraygroundusa.com, ihuahebuy.com, igoodlinks.com, ibuysbuy.com, lichengshop.com, hzoushop.com, goldlyshop.com, haohangshop.com, twinklebubble.store, and spendidbuy.com.
Re:That's the you-get-what-you-pay-with department (Score:5, Funny)
Well, Amazon didn't want to accept the cash I faxed.
Re: (Score:2)
Well, Amazon didn't want to accept the cash I faxed.
Yes. There is no place to insert money in my cable modem.
Re: That's the you-get-what-you-pay-with departmen (Score:1)
Re: (Score:2)
Well, Amazon didn't want to accept the cash I faxed.
Yes. There is no place to insert money in my cable modem.
And then you have to allow that creepy cable person into your home-apartment every month to collect the proceeds. Yuck!
Re: (Score:2)
Credit card numbers will leak. If you pay cash, there's no credit card numbers to leak.
And yet, you pay with plastic.
Generally, I just don't buy from anyplace that is offering a too-good-to-be-true deal. I presume it's a scam, and choose not to get taken.
But if you are going to buy, using a credit card (in the USA) gives you protection.
If something goes wrong, you don't get what you ordered, or you get charged other than the agreed upon amount -you can easily report it to the credit card company. They will take care of the rest. You are not required to pay. You get a new card with a new number. Life goes on uninterru
So what? (Score:1)
I hand my credit card to strangers at restaurants, gas stations and all sorts of others online and in person all the time. It's how credit cards work.
Absolutely nothing stops a waiter from writing down my name, number and "security" code when they take my card out of my LoS for 5 minutes to pay my meal. That's all they need to run up charges.
And if someone does then I dispute (assuming cc company doesn't fraud detect it first) and get a new card.
Stupid of company to expose on the net but shrug.
Far worse w
Re: (Score:2)
I hand my credit card to strangers at restaurants, gas stations and all sorts of others online and in person all the time. It's how credit cards work.
USA's inertia? Took a long time for cards over here to get a chip. I still have one card with chip but no PIN. And now I can just wave a card, even the ones with PINs, over wireless terminals.
Over in Europe, not sure about the rest of non-USA world, you don't hand the card to anyone, attendants bring a portable device, and you insert the card and enter the PIN. Not sure how the wireless terminals work in this case, probably still require a PIN, Not necessarily fool-proof, but eliminates the "hand out" p
Re: (Score:1)
We've had chips for many years.
I put my card on the table. Staff walks away with it. Returns with piece of paper to sign and add tip.
We also have portable machines. And wave. And the rest. When you put your card in that portable box how do you know it isn't recording your pin and other information to be used nefariously later?
And still, so what?
Re: So what? (Score:1)
Re: (Score:2)
That's changing rapidly over here in the US, things like portable terminals in restaurants are noticeably more common in the past year or two. But US consumers were massive credit card users well before any such technical protection measures existed. That was made possible by an industry decision to eat the cost of almost all credit card fraud. Despite the cost, this was a massively successful and profitable practice.
Europeans, as relatively later adopters, benefit from more secure practices. In the US,
These domains.. (Score:2)
..look totally legit!! /s
Makes one wonder, who does business with such illicit domains? Ew.
That said, I refuse to spend a cent on Amazon, too. Buying from smaller businesses probably sets me back more than at Amazon, but at least people earn honest wages. While there is not much of stores around my area, there is still plenty of independent and more reputable online businesses I order stuff from. But I guess that none of all that is what people ordering counterfeit are after.
Re: (Score:3)
..look totally legit!! /s
Makes one wonder, who does business with such illicit domains? Ew.
But it's 100% legit Louis Mutton for 1/10 the price.
People are dumb. I'm surprised it was only 330,000 numbers compromised.
As Anton Zandor LeVey said, "it's too bad stupidity isn't painful". For those who were scammed (it was a scam, a fucking obvious one, but one none the less) they'll suffer nothing worse than the minor inconvenience of having a new credit card sent out to them. Meanwhile legit merchants continue to see their merchant fees increase and a large part of that is paying for fraud (and
Lots of girls do (Score:2)
Re: (Score:2)
the clothing is often completely indistinguishable from the real thing. If you want nice things but can't afford to be price gouged it makes sense. Especially if you're kinda broke and need to buy work cloths. People judge you on your appearance and the job market is still crap for professionals with just a bachelor's degree (it's still crap for everyone else too, thanks to a complete lack of bargaining power, but that's another matter entirely).
I can tell you from experience, it absolutely can be the case. I've a knock off Breitling I bought in Colombia for US$60 which has fooled everyone yet. I'm sure it wouldn't stand up to proper scrutiny, but the casual observer who knows a bit about watches hasn't been able to tell the difference. That's not the issue here though, I bought my knock off watch for a bit of fun (it does get comments from the watch aficionados) but I paid cash for that in a market in Medellin and knew it was a complete fake from
Re: (Score:3)
As Anton Zandor LeVey said, "it's too bad stupidity isn't painful".
Stupidity is quite often painful. The problem is that usually, enough time passes between the act of stupidity and the onset of pain that the stupid person doesn't make the connection.
Re: (Score:2)
Surely you aren't talking about ibuysbuy.com.... That's the most American sounding web site I have ever seen!
Introducing the new hacker hat: Dunce (Score:1)