Slashdot Mirror
Analyst Calls Russian Teen Author of Target Malware
Nerval's Lobster writes "A digital-activity data analytics firm called IntelCrawler, Inc. claims to have identified the author of the BlackPOS malware used in attacks against Target and Neiman Marcus, and spotted similar attacks that are still in progress against six other retailers. Andrey Komarov, CEO of the Los Angeles-based IntelCrawler, told Reuters Jan. 17 that his company had spotted the six ongoing attacks while analyzing Web traffic in search of the specific entry points and origin of the malware infection behind the Target data breach, which allowed hackers to steak magnetic card-strip data on 40 million debit- and credit cards and demographic data on 70 million additional customers. According to Komarov, BlackPOS was developed by a 17-year-old Russian who goes by the username Ree4 and lives in St. Petersburg. Ree4 probably did not participate in the attack on Target, but did sell the malware to the actual attackers, according to Komarov, who refused to identify the source of his information other than to say he had been monitoring forums on which he said Ree4 sells malware. In a series of chat clips Komarov said are exchanges between buyer and seller, Ree4 tells a potential customer that the price for the software is US$2,000 and that the malware grabs credit-card numbers from system memory as they're scanned, dumps them into a file called time.txt that is sent back to the controller. Ree4 also said the app works only on standalone point-of-sale terminals with a separate monitor that also runs Windows, but not on Verifone systems, which can be attached to PCs but secure credit-card data before it can be scraped by BlackPOS."
That would clean up most of NSA staff
But who are the other three?
You are being MICROattacked, from various angles, in a SOFT manner.
Russia needs to enact better laws so that criminals engaging in black hat hacking suffer far more prison time. Really. You can go to prison in Russia for "hooliganism", whatever the hell that is, but write some code that steals millions of dollars from customers and nothing happens to you. Should be some kind of CyberCrime provision at the UN that would engender more cooperation from Russia,and if there's not, someone should create one.
Its almost as if Russia possesses codified antipathy for capitalism, since these hackers only hurt corporations and their customers. Else, they just don't care. How else can anyone explain why the most harmful civilian cybercriminals hail from east of the Urals?
Seems like an easy call from my chair but I am not, possibly, disenfranchised, poor, abused, indifferent, whatever. For many the return on investment (hey Wall Street) is too good to pass on. Just sayin...
I love teenagers. Only they would ask $2,000 to sell software that, if he got caught, would net him decades in prison. He may be a good programmer, but he's an idiot businessman -- risk versus reward.
#fuckbeta #iamslashdot #dicemustdie
Including authors of insecure software for purchase
Mr. teacher, the Russians stole my homework! Or maybe the Chinese!
Ah, Ok, Timmy, you're excused.
Russian prison and then what? unlike to be able to work in the usa
Windows "security" has been well know to be a joke since the very beginning. Why would any sane person run it on POS systems or other important infrastructure, and then proceed to tie those systems to the open internet? Unix would only have been a little better, if it was used in the same way.
That seems ....... insane. Sure, the hackers are responsible for hacking in, but if you leave the door of your house wide open with a sign in the front yard saying, "I have an expensive TV!", maybe you also bear some responsibility if someone walks in and steals your expensive TV set?
Will there be ANY accountability here by the people who made those decisions?
IntelCrawler uncovers six active attacks on U.S. merchants and traced the Target attacks back to a specific person in Russia. How come IntelCrawler can figure it out? Is the NSA asleep at the wheel?
How did they get the malware deployed onto thousands of POS terminals without anyone noticing?
After the malware collected the data, how did the POS terminals report the stolen data back to the controller?
Are these POS terminals just directly connected to the internet?
Steak magnetic card strips....mmm
How much did Verifone pay for this sparkling review?!?
" which allowed hackers to steak magnetic card-strip data on 40 million debit- and credit cards"
Of course steak is very much a luxury food in Russia
Why to use Windows?
Why to have network connection to outside?
Anyone here know whata the going rates are for exploits like this? Forzero-day exploits? For newly-discovered exploitable bugs?
I'm writing a story and it could help to get the facts right.
-- hendrik
spotted similar attacks that are still in progress against six other retailers. Andrey Komarov, CEO of the Los Angeles-based IntelCrawler, told Reuters Jan. 17 that his company had spotted the six ongoing attacks while analyzing Web traffic in search of the specific entry points and origin of the malware infection behind the Target data breach
I call bullshit! He claims to have spotted ongoing attacks on six other retails which he conveniently fails to name.
Name names or STFU!
Analyst Calls Russian Teen Author of Target Malware
"Calls" as in calls him on the phone? Or "calls" in the more casual sense of "identifies"? Because there's a word for that - "identifies."
systemd is Roko's Basilisk.
IntelCrawler was registered late last year, and its address is a mailbox in a UPS store.
Has anyone heard of Andrey Komarov before this? Does he have any kind of track record? Or is he just another fame whore with a dubious story?
The real "Libtards" are the Libertarians!
I can't wait for the day you forget to click the check-mark by "Post Anonymously" before submitting your comment.
http://en.wikipedia.org/wiki/Yakov_Smirnoff
At $2000 every anti-virus company and investigator, etc will be buying. He probably makes more money selling to government agents and anyone that wants to check out the code than thru selling to a few cyber criminals.
It's NOT phone data so why does the NSA care.
How in the world does a 17 year old get intimate detailed knowledge of the internal workings of POS systems??
Was I the only child who grew up in a home devoid of POS terminals to tinker with or something?
NOW you're talkin' to me, BABY!!
Identifies is more certain, "calls" is speculative. i can call you autistic but only because i have identified you as a pedant.
So now we know: Russia is responsible for crap that MS passes as "secure software". Bomb the Evil Empire (you select which one).
If he was a little bit older the news wouldn't be reporting the age. The age is just creating a bias where there doesn't need to be one. It's just playing on a certain group of peoples fears that all young people are out to get them. It probably stems from guilt about how they find certain people achieving more in life than they did, and at first you could handle that because they were older. But then as they got older the achievers became younger and they never learnt how to cope with that.
In Soviet Russia, teen author calls you ANALYST!
Well, you'd be wrong, about the autistic part at least, with that sweeping piece of false equivalence. Still, call me that if you wish - it's an adjective and as such is not ambiguous the way this headline is.
Analyst calls Russian teen "author of Target malware"
Analyst calls "Russian teen author of Target malware"
Two different meanings from the same words. Sorry if you don't feel this is important in a news headline, but I'm not sure why it annoys you so much that I do feel it's important that you had to be a dick about it.
systemd is Roko's Basilisk.
Sorry, unlike you I'm actually capable of understanding what is implied in human speech based on context. I'm sorry that your that your aspergers prevents you from this. Maybe one day there will be a cure and you will no longer have to live with a defective brain.
Any surprise that "Reefer" is both a drug addict and a credit-card stealing criminal? Fucking worthless potheads.
Just before the dreaded Y2K doomsday event everyone, everywhere (well lots anyway) I was subcontracted to upgrade all the motherboards in area Target stores.
The motherboards were very simple, very basic units with pretty much everything integrated IE video, ethernet, etc.. They are diskless. Nothing plugged into the slots.
The cases were small, low profile and of course there is one at every register and several at the customer service desks.
At that time they were booting XP from LAN with PXE/TFTP.
ALL the POS terminals load the same, single image from a server. Infect the server and all terminals become infected.
Because everything is diskless, everything is piped back to backend servers in real time.
I did not go into the back of the store or see any hardware other than the POS terminals, I whored myself out as a screwdriver grunt for some easy cash.
I would assume that the OS image the terminals boot is standardized across all their stores and is sent down from corporate hive.
This leads me to believe that they somehow got to THAT image and compromised it, thus infecting all terminals nationwide.
So they didn't have to hack thousands of terminals, they just had to hack one boot image at corporate and they owned the nation.
Even though what this AC said isn't very helpful, it expresses frustration with what happened. I think it deserves a better response.
Lots of posts here say we should punish the malware author very severely. I say punish him like a small town vandal. Give him a talking to, maybe make him give up his earnings, tell his parents, and then leave him alone.
You're missing the actual criminals here:
1. The people who installed this malware.
2. The people who sold the credit card records.
These guys deserve the full brunt of the law for damages done.
But even those guys don't deserve the strongest of punishment. The harshest criminal proceedings should be meted out to the CIO and CEO of Target (and Needless Markup et al :-). They should be held criminally liable for not securing customer credit card information. Surely with the myriad of laws that congress has passed there has to be some law or statute around storage and transmission of financial records that would stick. Sadly I feel like I'm deluding myself with that hope.
I imagine even one single CIO going to jail or merely facing a judge during criminal proceedings would make a much bigger change in how financial information is treated by officers of companies in the US.
This situation avoidable. We have technology that mitigates these risks enormously. What keeps theft of credit card information from ending is that the people who make decisions don't need to care. Make that change and the network effects might do the rest.
This is embarrassing if true. For me the target of ire is much closer to home. It has been said that the free market will produce the best product. Isn't it also true that we should deserve the national defense that we buy? Haven't these transgressions happened often enough now that our economic institutions should have more secure systems that protect the consumer from intrusions? How about the money spent on government surveillance? Shouldn't they secure us from threats that compromise enterprise and privacy? We should learn from the laboratories of other democratic societies to inform our transition to a system of capital exchange that is more appropriate of a world superpower. Securing our boarders also means safe money transfers.
21st century?
Please, tell me more, Internet psychologist!
He's probably already got a $1M/year job offer from Kaspersky, who given their ties to the Russian govt. the kid will be a national hero, not go to jail.
I have legal access to read-write on production systems than covers the entire SEPA region. A throughput of million of transactions per hour.
If you would actually know what these "amazingly secure" banking systems run and what kind of connectivity, what kind of sysadmins and what kind of hardware they use ... you would never use them. Any of them.
And I don't. Unless I'm forced. For very small sums. And I triple fkin check every time.
Wake up. Just because your bank asks you for 6 passwords to allow you to do anything it doesn't means you are safe.
Or
Analyst calls Russian teen author of 'Target' 'Malware'.
Raising the question as to what Target is, and whether Malware is a nice thing to call someone.
Sorry, unlike you I'm actually capable of understanding what is implied in human speech based on context.
Well, aren't you awesome. Unlike you, I actually consider how others might have trouble with things and strive to improve them for all.
Maybe one day there will be a cure and you will no longer have to live with a defective brain.
Maybe one day there'll be a cure for being a dick for no reason.
systemd is Roko's Basilisk.
Yeah, so people who are not even remotely security experts should go to jail but the people who intentionally perpetrated a crime really aren't that bad? Nice logic you have there. If you're going to go after executives, why don't you go after the ones that have dragged their feet on chipping our credit cards? That would have prevented this hack.
Are agnostics skeptical of unicorns too?