From Spam Daily News
Customers of the online payment service iBill have had their names,
phone numbers, addresses and e-mail addresses released onto the
Internet, where they have been bought and sold in a black market made
up of fraudsters and spammers.
Other fields in the compromised files appear to be IP addresses,
logins and passwords, credit-card types and purchase amounts, but
credit-card numbers are not included.
The transactions are dated between 1998 and 2003.
Two caches of stolen iBill customer data were discovered separately by
two security companies.
Secure Science found the first data file containing records on 18
million individuals on a private website set up by scammers. The site
was part of a so-called "phishing" scheme. Secure Science found that
data in February 2005, and reported it to the FBI's Miami field
Last month, Sunbelt Software found an additional list of slightly over
1 million individual entries on a spamming website. Sunbelt found the
file by tracing zombie computers as they connected to the Internet to
refresh their list of spam targets.
The files appear to have been generated by exporting an SQL database
into a CSV format -- a procedure that would be unusually extravagant for
a quick, furtive hack attack. Moreover, at 4.5 gigabytes in size, the
larger file would have been tough to download unnoticed over iBill's
The breach has all the markings of an inside job, say Lance James of
Secure Science and Adam Thomas of Sunbelt Software.
Thomas speculates that an employee or other insider may have simply
walked out of iBill with the transaction records to sell on the data
"The fact that a total of 17,781,462 iBill records have been found in
the hands of criminal hackers is quite disturbing, be it an inside job
or the successful work of criminal hackers," says Thomas.
Because the information didn't include Social Security, credit-card or
driver's-license numbers, no U.S. laws require iBill or the companies
for which it provided billing to warn victims.
An FBI spokeswoman says the bureau wouldn't investigate the breach
unless the source of the leak comes forward to make a complaint.
The stolen data has been on sale since 2003 on a number of boards.
Founded in 1997 by executives of a Florida-based BBS software
developer, by 2002 iBill was a big player in Internet billing,
processing approximately $400 million in credit card transactions per
year, according to SEC filings. The company took 15% off the top in
fees. Todd Dugas, a former inside sales representative for iBill,
estimates that pornography made up 85% of the business.