Lax IT managers have been blamed for a series of attacks on US ecommerce sites and online banks, thought to have been carried out by hackers connected to the Russian mafia.

The hacks, involving the theft of up to one million sets of credit card details, are thought to be have been going on for up to a year, taking advantage of known Windows NT security flaws.

"Virtually all of these attacks were carried out via known vulnerabilities, for which patches have been available for months or in some cases years," said Microsoft security program manager, Scott Culp.

The FBI's National Infrastructure Protection Center (NIPC) said yesterday that more than 40 US companies had been targeted in more than 20 states. It said investigations had shown that several Russian and Ukrainian hacker groups had been systematically penetrating online sites using known security flaws in Windows NT.

Alan Paller, director of research at the SANS Institute, said the hack was the largest criminal internet attack to date.

Security analyst Adrian Bishop at CenturyCom said IT managers needed to act quicker to counter organised hacking threats. Microsoft has been aware of security flaws in Windows NT since at least 1998, and is now on version 6A of its service pack which offers security patches.

Bishop said the scale of the Russian hack showed that many users were not updating their defences. Patches are available free at the main Microsoft site.

"Security has to be constantly upgraded," he said. "It needs to be a higher priority."

Bishop added that Russian hackers posed a major threat to US and UK ecommerce companies because of their technical sophistication and links to organised crime. "Any proceeds will end up in the hands of the Russian mafia," he said.

According to the NIPC, the hackers have been downloading credit card information from sites and following up with 'threatening' phone calls or emails offering their consultancy services to protect the victim's system. The NIPC said that companies that refused to pay the hackers had been subjected to further threats.

The NIPC said there was also evidence that hackers had sold some of the one million credit card details to criminal syndicates. It said that often the hacker activity had been going on at sites for several months before the victims became aware of it.