Extortion on the Internet

By Jeffrey Kluger

For web merchants and shoppers alike, there may be no greater fear than that of credit-card theft. And there is good reason. The idea that millions of credit-card numbers are being beamed to thousands of websites every day must be an irresistible lure to any hacker with a larcenous bent. Last week e-tailers were sweating over reports of an international cybertheft that for pure nerve, craft and brass rivals any ever tried before. If the FBI doesn't crack the case soon, skittish consumers, who had just started growing comfortable with the idea of Web shopping, could grow uncomfortable in a hurry.

The target of the virtual stickup was a website known as CD Universe, which sells music and DVD movies online. Doing business on the Net since 1996, CD Universe had served more than 300,000 customers--which translates to roughly 300,000 credit-card numbers salted away in its electronic files. Last month the site's parent company, eUniverse, based in Wallingford, Conn., was contacted by someone identifying himself as "Maxus," a 19-year-old Russian who claimed to have hacked into those files and filched those numbers. The FBI has since asked the company not to reveal whether that communication came by fax or e-mail, but the message was the same. "I found a security hole," the extortionist wrote. "Pay me $100,000...or I'll sell your cards."

Calling his bluff, eUniverse declined to pay and instead contacted the FBI. Maxus, it turned out, wasn't kidding: on Christmas Day, the so-called Maxus Credit Cards Datapipe went into service, offering Web surfers thousands of free, pilfered card numbers at the click of a mouse. It was only last week that a Web-security company alerted eUniverse to the existence of the site, which was quickly shut down. By then, though, 25,000 credit-card numbers had been given away. "Of the card numbers the FBI pulled off the site," says eUniverse vice president Brett Brewer, "a majority were ones that had been used at CD Universe."

No one knows for sure where Maxus is--and that's no accident. Around the time his site was disabled, he began exchanging cat-and-mouse e-mail with reporters from the New York Times and other newspapers, and his messages appear to originate in Paris. The FBI and various Web experts have been following other electronic bread crumbs he left behind, however, and those point more strongly to Russia or Eastern Europe. An independent Net-sleuth group even claims to have located Latvian and Russian accounts Maxus uses for cash drops. "It's likely that he's in Europe, unless he's really good," says John Markoff, the Times reporter to whom Maxus sent his e-mail. "And if he's that skilled, no one's going to catch him."

That may be bad news for eUniverse--and for e-commerce. Representatives of the company have e-mailed customers to alert them to the theft and retained a security firm to prevent their software locks from being picked again. Consumer liability is limited to $50 in most such cases, but e-tailers have no protection from the loss of business that occurs when cards get stolen.

Even as the Web was twanging with news of the Maxus scam, Attorney General Janet Reno proposed a crime-fighting network designed to combat just such cybercriminality. The move may protect the next e-tailer victimized by Net extortion, but it has come too late to help this one.

--By Jeffrey Kluger