http://www.internetnews.com/wd-news/article/0,,10_751441,00.html
By Brian McWilliams
April 24, 2001
Raphael Gray, the Welsh computer attacker who is awaiting sentencing
for a string of online shopping site break-ins, counts Bill Gates
among his victims. But an investigation by InternetNews has revealed
that Microsoft's chairman is not the only high-profile name among the
thousands of credit card records Gray stole during a hacking spree
last year.
Former US President William "Bill" J. Clinton and political
commentator and reformed party candidate Patrick "Pat" J. Buchanan
were also among the names of victims listed in a customer database
Gray lifted from Salesgate.com, a Buffalo, NY-based ecommerce
provider.
But then again, so too were "Test Test" and "Beavis Butt" among the
6,000 Salesgate customer records Gray reposted at his own web site and
sent to InternetNews on February 18, 2000.
"Those were tests ... when we first tested the order process, we chose
names that would obviously not be the real people so that we would
know they were tests. And so Bill Clinton was one of the names we
chose," said Chris Keller, the manager of Salesgate.com, which went
out of business in April 2000, one month after Gray was arrested by
Welsh police and the FBI at his home in Clynderwen, Wales.
Similarly, Tim Ward, the operator of another site Gray hit, said that
bogus names sometimes turn up in the customer order records of online
merchants.
"From time to time we have had jokes where somebody puts in a funny
name like Ben Dover, or something like that. It happens, but we just
ignore it," said Ward, the owner of Feelgoodfalls.com, an online
pharmacy Gray pilfered on February 21, 2000.
These admissions raise new doubts about the accuracy of recent reports
by several media outlets, including the London Times, The Sun, and
Wired News, that Gray had not only obtained Gates' credit card number
from one of his victim sites but also had ordered "a course of Viagra
to be sent to the tycoon," as the Times put it.
Gray has not revealed the name of the site from which he obtained the
Microsoft leader's card number. Spokesperson Jim Desler told
InternetNews Tuesday that the reports about Gates' credit card and
Viagra were "bogus."
"We have absolutely no knowledge of any incident and have not been
contacted by any law enforcement about this matter. We checked that
number and it's just not a number that Gates has. The number just
doesn't check out," said Desler.
But Rob Rosenberger, operator of the VirusMyths.com site, says many
people will be more inclined to trust the claims of hackers than the
denials of public relations officials.
"But I'm telling you, I'll believe the PR guy because hackers
reflexively lie. Stories like this get legs because we can see
plausibility, but this is how Internet legends get started," said
Rosenberger, who notes that programmers often use the names of famous
people or characters from movies or literature as dummy data when they
are testing software.
A visit to a mirror of the site where Gray made his original boast
reveals that the credit card number he claimed was Gates' is missing
digits and does not follow any algorithm used by credit card
companies. The source of the Viagra story appears to have come from an
offhand comment Gray made at another site, a copy of which is archived
here.
Gray's boasts about Gate's credit card were first reported as fact
last March by the UK's Telegraph, a story that was later picked up by
Reuters, which provides news feeds to media outlets around the world,
such as ZDnet.
Gray was to be sentenced on six counts of unauthorized computer access
last Friday, but the judge postponed sentencing pending medical tests,
which are expected to take several weeks. Gray is free on bail in the
meantime. Under Britain's Computer Misuse Act of 1990, he faces up to
one year in prison for the intrusions, which the FBI estimated caused
damages of $3 million.
ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".
Received on Wed Apr 25 03:15 CDT 2001