Analyst Calls Russian Teen Author of Target Malware
Nerval's Lobster writes "A digital-activity data analytics firm called IntelCrawler, Inc. claims to have identified the author of the BlackPOS malware used in attacks against Target and Neiman Marcus, and spotted similar attacks that are still in progress against six other retailers. Andrey Komarov, CEO of the Los Angeles-based IntelCrawler, told Reuters Jan. 17 that his company had spotted the six ongoing attacks while analyzing Web traffic in search of the specific entry points and origin of the malware infection behind the Target data breach, which allowed hackers to steak magnetic card-strip data on 40 million debit- and credit cards and demographic data on 70 million additional customers. According to Komarov, BlackPOS was developed by a 17-year-old Russian who goes by the username Ree4 and lives in St. Petersburg. Ree4 probably did not participate in the attack on Target, but did sell the malware to the actual attackers, according to Komarov, who refused to identify the source of his information other than to say he had been monitoring forums on which he said Ree4 sells malware. In a series of chat clips Komarov said are exchanges between buyer and seller, Ree4 tells a potential customer that the price for the software is US$2,000 and that the malware grabs credit-card numbers from system memory as they're scanned, dumps them into a file called time.txt that is sent back to the controller. Ree4 also said the app works only on standalone point-of-sale terminals with a separate monitor that also runs Windows, but not on Verifone systems, which can be attached to PCs but secure credit-card data before it can be scraped by BlackPOS."
That would clean up most of the NSA staff.
I love teenagers. Only they would ask $2,000 to sell software that, if he got caught, would net him decades in prison. He may be a good programmer, but he's an idiot businessman -- risk versus reward.
#fuckbeta #iamslashdot #dicemustdie
How did they get the malware deployed onto thousands of POS terminals without anyone noticing?
After the malware collected the data, how did the POS terminals report the stolen data back to the controller?
Are these POS terminals just directly connected to the internet?
Steak magnetic card strips....mmm
The network connection to the outside is for the credit app. I work for a company that deals with Verifone pinpads, and no internet, no pinpads. I would like to think that something like that could be on a secure secondary line locked down from HTTP and other traffic, but it does not seem like they set it up that way.
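The point this commenter makes, that a register's only legitimate outbound connection is to the credit app, is a policy a defender can actually check. The script below is an added example, not code from the thread or from any retailer: it applies that policy to a few constructed flow records and reports every flow from the register segment that goes anywhere else. The addresses, the sanctioned gateway, the corporate network ranges and the flow-log format are all assumptions made for the demonstration.

```python
"""Flag register-segment network flows that leave the expected payment path.

Added example (not from the Slashdot thread).  Policy, per the comment above:
a POS terminal should talk to the credit-authorization app and nothing else.
Hosts, ports, network ranges and the log format are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed network layout (hypothetical):
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")           # registers
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"),
             ipaddress.ip_network("172.16.0.0/12")]          # everything corporate
ALLOWED_EGRESS = {("10.99.1.10", 443)}                       # the credit app, HTTPS


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: 'src=... dst=... dport=... bytes=...'."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), int(fields["bytes"]))


def is_pos_host(ip: str) -> bool:
    return ipaddress.ip_address(ip) in POS_SEGMENT


def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def find_violations(lines):
    """Return (flow, reason) for every register flow not destined to the credit app.

    'external' means the destination is outside every corporate range (the
    kind of path stolen card data would need); 'unexpected internal' means a
    corporate host that registers have no business reaching.
    """
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if not is_pos_host(flow.src):
            continue                                  # not a register, out of scope
        if (flow.dst, flow.dport) in ALLOWED_EGRESS:
            continue                                  # sanctioned payment traffic
        reason = "unexpected internal" if is_corporate(flow.dst) else "external"
        violations.append((flow, reason))
    return violations


# Constructed sample records (203.0.113.0/24 is a documentation range).
SAMPLE_FLOWS = [
    "src=10.20.4.17 dst=10.99.1.10 dport=443 bytes=1320",   # normal authorization
    "src=10.20.4.17 dst=203.0.113.5 dport=80 bytes=48211",  # register talking to the internet
    "src=10.20.4.22 dst=10.30.7.4 dport=445 bytes=9120",    # register reaching a file server
    "src=10.50.1.3 dst=203.0.113.5 dport=80 bytes=900",     # office PC, not a register
]

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_FLOWS):
        print(f"{reason:20s} {flow.src} -> {flow.dst}:{flow.dport} ({flow.bytes_out} bytes)")
```

Run against real flow exports the same idea becomes a standing alert: registers should produce exactly one kind of outbound flow, so anything else is worth a look regardless of what the payload is.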
Have you seen my sig? There are many others like it, but none that are the same.
How in the world does a 17-year-old get intimate, detailed knowledge of the internal workings of POS systems??
Was I the only child who grew up in a home devoid of POS terminals to tinker with or something?
I wouldn't throw too many stones. In the U.S. you can go to jail for plugging your EV into the wall for 20 minutes, but crash the global economy and we'll write you a bonus check.
Every theft perpetrated by every malware writer behind the former iron curtain put together is peanuts compared to the Wall Street bandits.
Just before the dreaded Y2K doomsday event (everyone, everywhere, well, lots anyway), I was subcontracted to upgrade all the motherboards in area Target stores.
The motherboards were very simple, very basic units with pretty much everything integrated, i.e., video, Ethernet, etc. They are diskless. Nothing plugged into the slots.
The cases were small, low profile and of course there is one at every register and several at the customer service desks.
At that time they were booting XP from LAN with PXE/TFTP.
ALL the POS terminals load the same, single image from a server. Infect the server and all terminals become infected.
Because everything is diskless, everything is piped back to backend servers in real time.
I did not go into the back of the store or see any hardware other than the POS terminals; I whored myself out as a screwdriver grunt for some easy cash.
I would assume that the OS image the terminals boot is standardized across all their stores and is sent down from the corporate hive.
This leads me to believe that they somehow got to THAT image and compromised it, thus infecting all terminals nationwide.
So they didn't have to hack thousands of terminals, they just had to hack one boot image at corporate and they owned the nation.
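If every register really does load one image from a server, as this post describes, then the image and the record of what that image is supposed to be are the assets to protect, and a serving host can refuse to hand out anything that does not match. The code below is an added example, not the thread's or Target's own, showing that check: a manifest of known-good SHA-256 hashes is authenticated with an HMAC, and an image is only accepted when both the manifest and the image hash verify. The manifest format, the key and the image bytes are constructed for the demonstration; a production deployment would use an asymmetric signature so the TFTP server never holds a signing key.

```python
"""Verify a network boot image against an authenticated manifest before serving it.

Added example (not from the Slashdot thread).  The post above describes all
registers loading a single image from a server; this is the integrity check
that server could run.  Key, manifest layout and image bytes are constructed.
"""
import hashlib
import hmac
import json


def sign_manifest(entries: dict, key: bytes) -> dict:
    """Build a manifest {image name: {'sha256': hex}} and MAC it with `key`.

    HMAC stands in here for the asymmetric signature a real deployment would
    use, so the serving host only needs the verification side.
    """
    body = json.dumps(entries, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """True only if the entries were MACed with `key` and not edited since."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def verify_boot_image(name: str, image: bytes, manifest: dict, key: bytes):
    """Return (ok, reason).  Serve the image only when ok is True.

    The manifest is checked first: an attacker who can replace the image can
    usually also rewrite an unauthenticated hash list next to it.
    """
    if not manifest_is_authentic(manifest, key):
        return False, "manifest signature invalid"
    entry = manifest["entries"].get(name)
    if entry is None:
        return False, "image not listed in manifest"
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"]):
        return False, "image hash mismatch"
    return True, "ok"


# --- constructed demonstration data -------------------------------------
MANIFEST_KEY = b"demo-manifest-key-not-for-production"      # constructed
GOOD_IMAGE = b"POSOS-IMAGE-v1\x00" + bytes(range(64))       # constructed stand-in
TAMPERED_IMAGE = GOOD_IMAGE + b"\xde\xad"                   # same image plus an implant

MANIFEST = sign_manifest(
    {"pos-register.img": {"sha256": hashlib.sha256(GOOD_IMAGE).hexdigest()}},
    MANIFEST_KEY,
)


def forged_manifest() -> dict:
    """What an attacker without the key can do: list the tampered hash, keep the old MAC."""
    forged = json.loads(json.dumps(MANIFEST))
    forged["entries"]["pos-register.img"]["sha256"] = hashlib.sha256(TAMPERED_IMAGE).hexdigest()
    return forged


if __name__ == "__main__":
    print(verify_boot_image("pos-register.img", GOOD_IMAGE, MANIFEST, MANIFEST_KEY))
    print(verify_boot_image("pos-register.img", TAMPERED_IMAGE, MANIFEST, MANIFEST_KEY))
    print(verify_boot_image("pos-register.img", TAMPERED_IMAGE, forged_manifest(), MANIFEST_KEY))
```

The three cases in the usage section cover the scenario the post raises: a clean image is served, a modified image is refused on its hash, and an image whose modified hash was written into the manifest is refused because the manifest no longer authenticates. Verification on the serving side does not help if the build pipeline that produces the image is what was compromised, so the hashes in the manifest should come from a build host that is not the one serving images.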
Even though what this AC said isn't very helpful, it expresses frustration with what happened. I think it deserves a better response.
Lots of posts here say we should punish the malware author very severely. I say punish him like a small town vandal. Give him a talking to, maybe make him give up his earnings, tell his parents, and then leave him alone.
You're missing the actual criminals here:
1. The people who installed this malware.
2. The people who sold the credit card records.
These guys deserve the full brunt of the law for damages done.
But even those guys don't deserve the strongest punishment. The harshest criminal proceedings should be meted out to the CIO and CEO of Target (and Needless Markup et al. :-). They should be held criminally liable for not securing customer credit card information. Surely, with the myriad of laws that Congress has passed, there has to be some law or statute around storage and transmission of financial records that would stick. Sadly, I feel like I'm deluding myself with that hope.
I imagine even one single CIO going to jail or merely facing a judge during criminal proceedings would make a much bigger change in how financial information is treated by officers of companies in the US.
This situation was avoidable. We have technology that mitigates these risks enormously. What keeps theft of credit card information from ending is that the people who make decisions don't need to care. Make that change and the network effects might do the rest.