A World Wide Web of Organized Crime An Eastern European ring may have lifted over a million credit-card numbers from the Net.

Until recently, cybercrime has largely been a sport for lone wolves or small groups with a taste for mischief and danger. Organized-crime groups largely left the Internet alone. Still, security experts worried that Net crime across borders would quickly proliferate. The reason: Low risk of apprehension and the potential for big rewards. Now it appears those worries are finally starting to come true. On Mar. 8, the National Infrastructure Protection Commission (NIPC) -- a federal watchdog that works with the FBI to protect the U.S. national infrastructure -- took the unusual step of holding a press conference to warn businesses and the public about an ongoing investigation into what may be the largest case of organized crime online to date. The NIPC alleges that in recent months, Eastern European hackers have infiltrated Web servers running versions of the Microsoft NT operating system, grabbing at least 1 million credit-card numbers and other personal information from 40 U.S. financial institutions and companies. After lifting this data, the gang has allegedly attempted to extort money from their victims by threatening to post the info on the Internet. Amazingly, to gain access, the intruders are using well-known security flaws that are easily fixed. There's plenty of blame to go around for this crime wave. Companies clearly fell down in enforcing basic security policies for their Internet operations. Some never fixed vulnerabilities. Software vendors also deserve blame for pushing flawed products out the door. This is hardly the first attempt at extortion using information stolen over the Internet. In August, 2000, media mogul Michael Bloomberg helped police apprehend two Kazakhs who had snagged his personal information from his company's computer networks. And in January, 2000, a still-at-large Russian hacker dubbed "Maxus" posted for public consumption 25,000 credit-card numbers stolen from online music retailer CD Universe, after the company refused to pay his six-figure extortion. Malicious hackers have long had easy access to automated tools designed to find flaws in Web servers and other software exposed to the public Internet. But the timing of the NIPC warning comes amidst a raft of bad Net-security news. The same week, hackers published a free program that makes it easy to compromise encrypted passwords on computers running older versions of e-commerce software from IBM, which expressed frustration that customers weren't applying readily available patches. And on Mar. 12, the Computer Security Institute (CSI) released its annual survey, which showed that 64% of the 538 companies and large institutions it polled acknowledged suffering financial losses due to computer breaches in the past year. The majority of those breaches came over the Internet. Of those entities, the 186 that were willing to tally their losses admitted that the hacking had cost them $378 million, up 42% and the highest number since the CSI started these surveys four years ago.