17 year old fingered as author of malware used in Target attack

American Thinker ^

[Sub-Driver]

January 18, 2014 17 year old fingered as author of malware used in Target attack Rick Moran

A 17 year old Russian hacker who goes by the online handle of "ree4" has been identified as the author of the malware that was used to attack Target and Neiman Marcus.

The teenager, Sergey Taraspov, is well known in cyber crime circles having developed other malicious codes to hack commercial systems. He apparently sold about 40 copies of his program to criminals who then modified it slightly and used it to sweep up at least 80 million debit and credit card numbers from Target alone.

Now, the firm that first revealed the Target attack, is saying that 6 other companies suffered a similar fate.

PC World:

Clements said IntelCrawler is "90 percent" sure of its finding, based on the forum postings and sources it communicated with.

The forum posts indicate the teenager sold the malware for $2000 or for a share of the profits that came from monetizing stolen payment card details, Clements said.

BlackPOS was also sold to "carding" websites such as .rescator, Track2.name and Privateservices.biz that trade in stolen card details, according to IntelCrawler.

BlackPOS was originally called Kaptoxa, which is Russian slang for potato. Clements said the Russian teenager eventually renamed the malware BlackPOS during a fresh marketing push.

Dallas-based security company iSight Partners wrote in a report earlier this week on the Target hack, which it called the "Kaptoxa operation." It says the hackers used a high level of skill to gain stealthy access to the retailer's network.

International Business Times is reporting that the 6 other companies targeted in the hack have not informed their customers yet:

[Cyber Liberty]

I wouldn’t hire him. He’s proven he’s not trustworthy, so I couldn’t rely on him not to write a backdoor. He could be useful as a tester.

[hoagy62]

Looks like he has a big future with some software outfit designing protection software to keep hackers and malware attacks out.

Either that, or he'll end up as a low-on-the-totem-pole drone , working for the Russian mafia.

[cynwoody]

Someone could forge a charge with just the card number.

Offline, you need more than just the number to forge a card. The mag stripe data includes a CVV (card verification vector) field, which is a secret function of the card number and expiration date. Thus, you need the actual mag stripe image to make a card.

Once you've got a card with the proper mag stripe data, you can swipe with impunity at a lot of retail stores. However, some stores will ask to see the card, and the clerk will type in the last four of the account number. If it doesn't match the mag stripe, it's game over. Of course, you can emboss the card as well as re-encode the mag stripe, but that's a lot more trouble — mag stripe encoders cost about $300, but equipment to make a forgery that will pass a visual inspection is much more expensive.

Also, gas pumps around here have got into the habit of asking for your billing zip before authorizing.

For online transactions, there are other speed bumps. Namely, the billing address, which is not in the mag stripe data, and the CVV2, which is printed on the card but also not found in the mag stripe data.

In my case, there is a third speed bump. If my wallet is stolen, you still can't use my card online. That's because the billing address is a PO box which is nowhere to be found in my wallet.

[HiTech RedNeck]

Online would be the place where “some” merchants do not require CVV2. (I remember reading about a political donation site that did not.) But I think they still do require address, so that may be safeguard enough.

[PieterCasparzen]

OK, let’s get serious. Why do private hackers seem to have more of a clue than our spies and our crime investigators and crime prevention counselors. Maybe because the reward structure is more straight forward, if unethical.

Hackers like this make thousands of dollars from their work.

The technology security industry, selling to government, private sector companies and to the retail market, is a multi-billion dollar industry.

[PieterCasparzen]

OK, let’s get serious. Why do private hackers seem to have more of a clue than our spies and our crime investigators and crime prevention counselors. Maybe because the reward structure is more straight forward, if unethical.

Of course, the multi-billion dollar security industry needs some hackers out there in order to create a need for their products and services.

[cynwoody]

I'm willing to bet that some research will turn up he's either from, or has family in the Chechen region and ties to a muslim radical group.

Anyone want to take that bet?

Nope. The odds are long against that. He's from St. Petersburg, which is in the north of Russia proper, nowhere near Chechnya. Rooskies seem to have a natural aptitude for hacking, needing no input from Islam.

[Solson]

That’s what i’m telling you....they don’t know which cards and which identities...

[usconservative]

Thanks for posting that update.

[HiTech RedNeck]

I don’t take any “of courses” as gospels.

[cynwoody]

Someone like Kaspersky should hire him

If Kaspersky is hiring, there is an unemployed American security infrastructure specialist with a much stronger resume currently residing in Moscow. Kaspersky should hurry, before he decamps for Brazil.

[cynwoody]

Well, Target knew which ones. So the banks know now.

Target's not supposed to be storing the full account numbers. They're only allowed to retain the first six and the last four. That, and they also have the authorization codes and the exact date and time.

So, Target doesn't have the full list (except for their own store card, the REDcard™). However, the banks could conjure up the list by passing their databases and flagging charges made by Target customers in the affected time period.

[RitchieAprile]

why are you blaming Bill Gates? He has been gone from MS for years.