WARNING: apparent security problem at ModelUp.com

[jackb602]

I've found the ModelUp site to be a great resource, but there appears to be a security problem. I just received the following email, less than 24 hours after making a purchase there. If this person has access to my order history and email address, I worry about the security of my credit card information. I have already contacted ModelUp, and I'll report back when I learn more.

 

Jack

 

 

From: B L

Date: February 12, 2008 9:48:46 PM CST

To:

Subject: Model Up Models

 

Hey, I have all of the Model up products in my library, and I will sale you any of the products that you see on Model up for half off price. I will convert to any format that you want. I also have all of the 2D images already cut out.

 

If you are interested contact me back, and let me know what you need. I will also through in one extra free model for each purchase.

 

 

Thanks,

Billy Simmons

[Jeff Mottle]

I'm sure Eddie will see this if he has not already, but I will email him right now to point him to this thread. I really hope this was just a coincidence, as I would hate to see this *#@& ruin this site for everyone.

[jackb602]

Thanks for looking in to this Jeff. I do really like their site, so I hope this isn't a serious problem.

 

Jack

[EddieLeon]

Jack,

Thanks for pointing out this problem. I hope it's an isolated incident, but I'm working diligently to find out what happened and correct it asap. I assure you that I will take full responsibility if any of your information was compromised.

Regards,

Eddie

[RyanSpaulding]

Wow. He's gonna offer an extra model for every one you purchase?

How nice of Billy.

[EddieLeon]

If this person has access to my order history and email address, I worry about the security of my credit card information. I have already contacted ModelUp, and I'll report back when I learn more.

 

The credit cards are 100% safe. They are all encrypted and on a separate server.

 

I'm not sure how "Billy" got your email, but it's cheap and easy for anyone to buy our entire library and try to resell it.

 

If anyone else got an email from "Billy the Kid" let me know so I can send a Posse out to get him.

[FilthyLucre]

Hello,

 

I too have recieved this email - Bought at the weekend. If I can help let

[EddieLeon]

Hello,

I too have recieved this email - Bought at the weekend. If I can help let me know - Glad to know card info is safe

 

Ok. Can you forward the email to me at eddie@spine3d.com? It seems "Billy" is somehow capturing emails. We are still trying to find out how this bandit is doing it. I apologize for this!

 

If anyone else has had issues please just send me an email so we don't tie up the CGArchitect forum for ModelUp issues.

 

Thanks!

[Ernest Burden III]

It seems "Billy" is somehow capturing emails. We are still trying to find out how this bandit is doing it. I apologize for this!

 

I'm sorry to see this happening, good luck plugging the hole. But if this jack-off actually does have the models (which I doubt) then its more than just grabbing emails. If the guy is trying to rip off MU, why stop there, he can get a payment and not have the models. Two crimes for the price of one. Three, really. If someone accepts his 'offer' and tries to buy MU content from the back of a truck on I-95, then they are knowingly stealing, as well.

 

Bastards.

[EddieLeon]

Thanks Ernest. We have checked all the logs and everything seems to be ok. We'll keep reviewing everything and make sure everything is plugged up well.

 

To be honest, I can't see why anyone would waste their time trying to steal something that's so cheap as it is and then try to sell it to someone who wouldn't be dumb enough to buy it from him anyway. I get the feeling someone is just trying to make us look bad.

[Mkay]

Why don't you try it? Throw him the bait and sit back to see if he taps into your server for those specific models. Is he reselling or doesn't have any models to show.

[RenderSpeed]

I see you are using php. It looks like you are on a shared plesk server? Could be another account on the box directly accessing your files / database in which case it would not show up in the logs. Do you have register globals off? Thats another big one, however that shows up in the logs. Im a system admin and programmer in a datacenter (http://hivelocity.net), if you send me a log file from the day in question, ill be more than happy to help you dig through it. I have much experience in these matters.

 

blake@hivelocity.net

[EddieLeon]

Blake, thanks for your help! The server is dedicated and all the other sites are mine. Although, it's possible that someone hacked in through one of them. I will have my webmaster send you the log file. Thanks!

[EddieLeon]

Why don't you try it? Throw him the bait and sit back to see if he taps into your server for those specific models. Is he reselling or doesn't have any models to show.

 

Good idea, but I already sent him a threatening email that I'm going to sue him as soon as I find out who he really is

[BrianKitts]

out of curiousity do you guys have a way to tell if a single user purchases every model that you have available? It's not like they can put a quarter in and take all the newspapers. If "billy" really does have them all, maybe he acquired them legaly..... and then lost his intelligence.

[EddieLeon]

out of curiousity do you guys have a way to tell if a single user purchases every model that you have available? It's not like they can put a quarter in and take all the newspapers. If "billy" really does have them all, maybe he acquired them legaly..... and then lost his intelligence.

 

Yes, we can track that. And there are a few users that actually bought all the models. None of them are called "Billy" and I can't exactly accuse them of anything. I'm not sure how I can prevent anyone from buying and then reselling everything. There is no way the revenues can justify paying all the legal fees. Now I know how the music industry feels:(

 

Thanks for your suggestion!

[jackb602]

Thanks for staying on top of this Eddie. I do hope you find the idiot. I have to say, if I were so hard up that I couldn't afford to pay full price for a $5 model, I'd say I was in the wrong business.

 

I haven't seen anything unusual on my credit card account, so I'm not too worried about that for the moment. Let me know if there's anything I can do to help.

 

Jack

[RenderSpeed]

Good idea, but I already sent him a threatening email that I'm going to sue him as soon as I find out who he really is

 

Get the email headers from the victums, there can be some valuable info in there :] If they are outside the US, good luck :[