Credit-Card Hackers Target Library’s Online Donation Page

August 10, 2011

At the request of the FBI, Brighton (Mich.) District Library Director Nancy Johnson is spreading a cautionary word to library colleagues about a series of illegal attempts to hack credit card accounts by testing them on her library’s online-donation website. Here’s the scam, according to Johnson:

Someone has been using our library online donation option as a vehicle to hack into credit card accounts.

While we found the first clues over the Fourth of July weekend, our network administrator, Melanie Bell, determined from the transaction logs maintained by our authorize.net validation partner that the attacks started in March.

Johnson explained to American Libraries that the offender tries to break into individuals’ credit card accounts by attempting a small online donation to the library while masquerading as a person whose name the hacker has harvested elsewhere. In a scam often attempted at hotel websites, the perpetrator poses as a potential donor and, in essence, runs an algorithm that tests different credit card number combinations against that same name in hopes of hitting a valid account number. If successful, the hacker may go off elsewhere to “cash in” until the fraud is discovered and the account is shut down.

At the library, the hacker tried a variation of this scam, Johnson informed colleagues on the Michlib-l discussion list. “There is an anonymous donor option on our online form; all of the ‘successfuls’ were marked anonymous.” She went on to say:

While many of the attempts are being denied, some have come through. We have identified seven “successful” $10 donations. We have gotten telephone inquiries from three other individuals about a bill from our library although we don’t have them on the “successful” list. All seven are located outside our service district; most are outside Michigan.

Among the seven are two successful transactions by the same “person,” five minutes apart. The name, street address, zip code, and the phone number were the same—but the city was different.

Although there was no damage to Brighton District Library’s website or online-donation function, and none of its patrons were victimized, the library has incurred a financial loss because of the hacks: It is charged for each attempted transaction, and there have been as many as 35 attempts a day since March. The attempts seem to originate from an IP vendor in Pakistan and possibly several IP addresses in Australia.

We have responded by placing filters on our authorize.net profile. There has been a significant change but it does appear as if the attempts are still being made. We are now blocking attempts when over three attempts come from the same IP address in one hour. We are also blocking all Asian and Australian IP addresses.

Brighton will continue to work with the FBI to solve this problem. Not fun, but it has been a pleasure to work with the FBI on this.
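As an added example (not code from the article, the library, or authorize.net), the two patterns Johnson describes can be checked against gateway transaction records: the “more than three attempts from one IP address in one hour” filter and the repeat donation under the same name and zip code but a different city within minutes. The log fields and sample rows below are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transactions (not real log data). Fields:
# timestamp, source IP, donor name, zip code, city, amount, gateway result.
SAMPLE_LOG = [
    ("2011-07-02 10:00:00", "203.0.113.5", "A. Donor", "48116", "Brighton", 10.00, "declined"),
    ("2011-07-02 10:05:00", "203.0.113.5", "A. Donor", "48116", "Howell", 10.00, "approved"),
    ("2011-07-02 10:12:00", "203.0.113.5", "B. Donor", "30301", "Atlanta", 10.00, "declined"),
    ("2011-07-02 10:40:00", "203.0.113.5", "C. Donor", "10001", "New York", 10.00, "declined"),
    ("2011-07-02 14:00:00", "198.51.100.7", "Local Patron", "48116", "Brighton", 50.00, "approved"),
]

def parse(rec):
    ts, ip, name, zip_code, city, amount, result = rec
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "ip": ip, "name": name,
            "zip": zip_code, "city": city, "amount": amount, "result": result}

def burst_ips(records, max_attempts=3, window=timedelta(hours=1)):
    """IPs with more than max_attempts transactions inside any rolling window:
    the 'over three attempts from the same IP address in one hour' rule."""
    times = defaultdict(list)
    for r in records:
        times[r["ip"]].append(r["ts"])
    flagged = set()
    for ip, ts_list in times.items():
        ts_list.sort()
        start = 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 > max_attempts:
                flagged.add(ip)
                break
    return flagged

def identity_reuse(records, gap=timedelta(minutes=10)):
    """Same donor name and zip code within `gap` but a different city:
    the 'two transactions five minutes apart, only the city differs' pattern."""
    seen = defaultdict(list)  # (name, zip) -> [(timestamp, city)]
    hits = set()
    for r in sorted(records, key=lambda r: r["ts"]):
        key = (r["name"], r["zip"])
        for ts, city in seen[key]:
            if r["ts"] - ts <= gap and city != r["city"]:
                hits.add(key)
        seen[key].append((r["ts"], r["city"]))
    return hits

def review(records=None):
    recs = [parse(r) for r in (SAMPLE_LOG if records is None else records)]
    return {"burst_ips": burst_ips(recs), "identity_reuse": identity_reuse(recs)}
```

Both checks flag only the constructed card-testing rows; the single larger local donation from a second IP passes.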

Libraries concerned that their online-donation pages may have been similarly abused are encouraged to contact FBI Special Agent Sean Nicol at snicol[at]fbi.gov or 734-995-1310.
