   _________SWAT MAGAZINE ISSUE TWENTY FIVE JANUARY 2000 __________
  /         \___________________________________________/          \
 /	       Credit Card Fraud on the Internet today              \
/               By Delight from H/\CK P/\YT, 8/1/2000                \
-----------------------------------------------------------------------






-Introduction-

OK, so technically speaking this isn't a document about hacking 
Vodafone PaYT, but since so few people seem to know of the info in 
this document I've decided to release it.

I'll be releasing a lot of Vodafone-hacking docs to SWAT soon.

Most of you have probably read the documents on Credit Card fraud on 
the internet.  After all, it's an interesting subject.  The problem is 
most of these documents are American, and even more are out of date.  
They talk about diving about in bins to get carbon-copies of 
credit-card reciepts and then arranging for the stolen goods to be 
delivered to a disused house or something.  Well, although the delivery
details are pretty much the same today, getting c/c numbers is not.  
When was the last time you went into a shop, paid with a credit card, 
and they reached under the counter for one of those lame manual swipe
machines?  The point is, most shops (if not all shops) use computerised
cashtills, and therefore swipe and process all c/c transactions
electronically.

(Incidently, one way of getting c/c nums is to pick up used reciepts 
in supermarkets and check them).

So, diving around in bins?  Fuck that.  And there are far cleaner ways
to get credit card numbers. By using the internet.

In the days of old (well, OK, about 6/7 years ago) it was OK to pass 
off a fake credit card number with a generator such as Credit Master 4.
Unfortunately that can't really be done now, you need a VALID number 
with a name and address.
 
Internet shopping has now become amazingly popular.  So popular in 
fact that even small businesses want to get in on the act.  Now a lot 
of small businesses can afford a domain name and, say, 20 megs of free 
space, but they're not going to fork out the money for a secure
server.  For a start, they probably won't get enough online 
transactions to warrant it.  So, an option that immediately presents
itself to companies is to use a website-design program that offers
online-ordering, albeit not completely secure.  This program happens to
be Microsoft Frontpage.  Now, Frontpage 2000 is quite secure and 
password protects any directory it can.  BUT earlier versions of
Frontpage are not.


-The Hole-

Basically, to cut out the crap, there's a major flaw in early (but 
still widely-used) versions of Frontpage.  It allows anyone, anywhere
to read the credit card numbers, names, and addresses of anyone who has
ordered from that website.  It all lies in a directory that is created 
automatically by Frontpage, called _private. (Yes, there's an 
underscore at the beginning).  On sites with on-line order forms, 
there is a file in the _private directory called order_results.txt. 
In this text file are listed the names, addresses, and credit card 
details of all the people who have ordered.  So, the full URL would be
http://www.smallcompany.co.uk/_private/order_results.txt.


-The Problem-

The problem is the latest version of Frontpage has patch which brings
up a login box when you try to access the _private directory.  In this
case the only thing you can do is to try going to the
URL http://www.smallcompany.co.uk/_vti_bin/_vti_adm/ and seeing if
there are any password files.


-Finding Sites with the hole-

Well, this is easier than you think.  Searching for "_private" in 
search engines won't bring up much.  A very easy but not-known way is 
to use FTP search engines.  Often websites will have a version of the 
site at http://ftp.smallcompany.co.uk.  The reason for this I
really don't know,
but it makes searching for websites with the hole a fuck of a lot 
easier. So go to a FTP search
site (such as http://ftpsearch.lycos.com) and see what searching for
"_private") brings up!  Don't go for links with lots of sub-directories
before the _private, it's normally some uni student's work
or something.

-Other things to search for with FTP-

Um, try passwd and .htpasswd.

-Greetz-

Greetz to all at SWAT, keep up the good work.  Also greetz to Manny,
Energiser, Accelerator, MD and BJ.


Don't spend it all at once.

Delight

hack-payt@excite.com
http://hackpayt.webjump.com