
Analyst Calls Russian Teen Author of Target Malware 107

Posted by Soulskill
from the get-off-my-lawn dept.
Nerval's Lobster writes "A digital-activity data analytics firm called IntelCrawler, Inc. claims to have identified the author of the BlackPOS malware used in attacks against Target and Neiman Marcus, and spotted similar attacks that are still in progress against six other retailers. Andrey Komarov, CEO of the Los Angeles-based IntelCrawler, told Reuters Jan. 17 that his company had spotted the six ongoing attacks while analyzing Web traffic in search of the specific entry points and origin of the malware infection behind the Target data breach, which allowed hackers to steak magnetic card-strip data on 40 million debit- and credit cards and demographic data on 70 million additional customers. According to Komarov, BlackPOS was developed by a 17-year-old Russian who goes by the username Ree4 and lives in St. Petersburg. Ree4 probably did not participate in the attack on Target, but did sell the malware to the actual attackers, according to Komarov, who refused to identify the source of his information other than to say he had been monitoring forums on which he said Ree4 sells malware. In a series of chat clips Komarov said are exchanges between buyer and seller, Ree4 tells a potential customer that the price for the software is US$2,000 and that the malware grabs credit-card numbers from system memory as they're scanned, dumps them into a file called time.txt that is sent back to the controller. Ree4 also said the app works only on standalone point-of-sale terminals with a separate monitor that also runs Windows, but not on Verifone systems, which can be attached to PCs but secure credit-card data before it can be scraped by BlackPOS."


  • But who are the other three?
  • Seems like an easy call from my chair but I am not, possibly, disenfranchised, poor, abused, indifferent, whatever. For many the return on investment (hey Wall Street) is too good to pass on. Just sayin...
  • Teenagers (Score:5, Insightful)

    by girlintraining (1395911) on Saturday January 18, 2014 @05:01PM (#46000583)

    I love teenagers. Only they would ask $2,000 to sell software that, if he got caught, would net him decades in prison. He may be a good programmer, but he's an idiot businessman -- risk versus reward.

    • Russian prison and then what? Unlikely to be able to work in the USA.

      • by mjwalshe (1680392)
        for the average geek - Death probably - Russian prisons are not fluffy places like the USA's supermax or Gitmo
    • Re:Teenagers (Score:4, Interesting)

      by DigiShaman (671371) on Saturday January 18, 2014 @05:39PM (#46000765) Homepage

      He's a teen!!! The brain of a teen has been demonstrated [google.com] time and time again to have an underdeveloped sense of risk.

      • by wonkey_monkey (2592601) on Saturday January 18, 2014 @05:42PM (#46000777) Homepage

        That's so evolution can weed out all the really stupid ones before they get to procreate.

        It doesn't seem to be working these days...

        • by AmiMoJo (196126) *

          Except that until fairly recently procreation tended to happen in the early to mid teens, pretty much as soon as girls became fertile. The period of maximum risk taking stupidity coincides with the child's early life, which I suppose might have the same effect in that the offspring of stupid people would have died with them.

      • He's a teen!!! The brain of a teen has been demonstrated time and time again to have an underdeveloped sense of risk.

        Which begs the question... how is he hiding all that money from his parents? Surely they must know something is up. They should join him in jail... for a much longer time.

        • Who knows. Typically most teens with new-found-money will spend and flash it around. At which point his parents know and decided to just play along (if not outright helping him shelter the wealth). OTOH however, this is Russia. He could be scared shitless by whatever mob he's working for. They may have told him to lay low...or else! But yea, your guess is as good as mine.

        • There is a difference between having an adventurous youth, making a poor judgment on occasion, and a deliberate plan that took months to execute.

          On one hand we have things like the “ILOVEYOU” virus – that I am somewhat lenient on and would fall into what you are suggesting. This Russian teen seemed to have a more thought out plan.

    • why would that net him decades in prison? He's guilty of writing a virus program, not stealing 60 million credit cards.

      Like if I sold a gun to Guido, and later Guido murders 5 people with it, am I going to prison for life? No, I am just going to get charged with selling a gun to a felon.

      • by mcfedr (1081629)
        it will/would if the usa ever get their dirty hands on him - really for just being smart enough to point out the flaws in a multinational's software.
  • by Anonymous Coward

    Windows "security" has been well known to be a joke since the very beginning. Why would any sane person run it on POS systems or other important infrastructure, and then proceed to tie those systems to the open internet? Unix would only have been a little better, if it was used in the same way.

    That seems ....... insane. Sure, the hackers are responsible for hacking in, but if you leave the door of your house wide open with a sign in the front yard saying, "I have an expensive TV!", maybe you also bear som

    • by CastrTroy (595695)
      It doesn't matter which operating system is being used. Windows can be perfectly secured if you configure it properly. Linux can be just as easily owned if set up by someone who has no idea what they are doing. A weak root password and bind ssh to a remotely accessible address (which seems quite convenient if you don't consider the security aspects) and the machine is trivially rootable. No matter which OS is used, there should be a hardware firewall in front with no open ports. Only way to communicate is
  • by Anonymous Coward

    IntelCrawler uncovers six active attacks on U.S. merchants and traced the Target attacks back to a specific person in Russia. How come IntelCrawler can figure it out? Is the NSA asleep at the wheel?

    • by ganjadude (952775)
      seriously. We keep hearing about how the NSA NEEDS all the data traffic in the world yet it takes a 3rd party a few weeks to find the guy and the NSA hasn't done jack shit
      • To be fair, all this guy has done is claim to know who the programmer is. He doesn't have any proof. He is, however, making himself famous for a few minutes.....

        And, for all we know, the NSA wrote the damned thing themselves in order to infiltrate the Russian mafia. It's not like they tell us what they're doing.

      • How exactly do you know what the NSA is and is not doing? I get it, we gotta trash talk the NSA in every /. post.... Even if that means making wild assumptions about things we don't know anything about.
        • by ganjadude (952775)
          I would say it's a pretty good bet being that if I were running the NSA and I had absolutely zero public trust as they do right now, I would be screaming for his head so I can say see, we are useful. But they don't
    • Who do you think GAVE IntelCrawler their data?

      That's right, there is No Such Agency!

  • by jayveekay (735967) on Saturday January 18, 2014 @05:15PM (#46000653)

    How did they get the malware deployed onto thousands of POS terminals without anyone noticing?
    After the malware collected the data, how did the POS terminals report the stolen data back to the controller?
    Are these POS terminals just directly connected to the internet?

    • did they hack the system that the new image was being built on?

    • by Anonymous Coward

      Yeah, no second network for internet access at target.
      The distribution method is not publicly known at this time. It is safe to assume a distributed update.

    • by AmiMoJo (196126) *

      Yes, they are connected to the internet. It depends on the system, some have a server in the store which they talk to and it has a VPN connection back to head office. Some just connect directly to the internet via the store's router. They use encryption to secure the connection, of course.

      It appears that the deployment was simply a case of adding the malware to the POS terminal firmware and rolling it out as an update. Data was reported back to servers at head office, which they had also compromised.

  • mmmm (Score:5, Funny)

    by codepigeon (1202896) on Saturday January 18, 2014 @05:16PM (#46000657)
    Steak magnetic card strips....mmm
  • by Anonymous Coward

    How much did Verifone pay for this sparkling review?!?

  • by rossdee (243626) on Saturday January 18, 2014 @05:19PM (#46000681)

    " which allowed hackers to steak magnetic card-strip data on 40 million debit- and credit cards"

    Of course steak is very much a luxury food in Russia

  • by Anonymous Coward

    Why use Windows?

    Why have a network connection to the outside?

    • by ganjadude (952775) on Saturday January 18, 2014 @06:01PM (#46000863) Homepage
      the network connection to the outside is for the credit app. I work for a company that deals with Verifone pinpads and no internet, no pinpads. I would like to think that something like that could be on a secure secondary line locked down from HTTP and other traffic but it does not seem like they set it up that way
      • I work for a company who deals with verifone pinpads and no internet, no pinpads...

        This company lets a guy with the nic 'gangadude' work on Internet enabled POS terminals?

        They must be smoking something.

  • by Anonymous Coward

    spotted similar attacks that are still in progress against six other retailers. Andrey Komarov, CEO of the Los Angeles-based IntelCrawler, told Reuters Jan. 17 that his company had spotted the six ongoing attacks while analyzing Web traffic in search of the specific entry points and origin of the malware infection behind the Target data breach

    I call bullshit! He claims to have spotted ongoing attacks on six other retailers which he conveniently fails to name.

    Name names or STFU!

  • by wonkey_monkey (2592601) on Saturday January 18, 2014 @05:45PM (#46000785) Homepage

    Analyst Calls Russian Teen Author of Target Malware

    "Calls" as in calls him on the phone? Or "calls" in the more casual sense of "identifies"? Because there's a word for that - "identifies."

  • Credibility? (Score:4, Interesting)

    by whoever57 (658626) on Saturday January 18, 2014 @05:51PM (#46000805) Journal

    IntelCrawler was registered late last year, and its address is a mailbox in a UPS store.

    Has anyone heard of Andrey Komarov before this? Does he have any kind of track record? Or is he just another fame whore with a dubious story?

    • by Anonymous Coward

      Like most Russian "security experts" he's really just the protection angle of the shakedown. His crew develops the malware and then he "discovers" it and sells you a solution. The Russians have been doing this shit for decades.

  • IN 17 years? (Score:5, Informative)

    by scarboni888 (1122993) on Saturday January 18, 2014 @06:40PM (#46001069)

    How in the world does a 17 year old get intimate detailed knowledge of the internal workings of POS systems??

    Was I the only child who grew up in a home devoid of POS terminals to tinker with or something?

    • by Anonymous Coward

      It was running Windows, which was part of the problem.

    • by jader3rd (2222716)

      How in the world does a 17 year old get intimate detailed knowledge of the internal workings of POS systems??

      They're the only ones that Target hires to run its systems. Anybody older would be too expensive.

    • Re:IN 17 years? (Score:4, Informative)

      by plover (150551) on Saturday January 18, 2014 @10:23PM (#46002473) Homepage Journal

      What makes you think he has " intimate detailed knowledge of the internal workings of POS systems"? Sorry, that was a trick question. He doesn't care how POS systems work, or how sophisticated they may be. He only cares what credit card mag stripe data looks like. His malware scrapes the RAM of the process looking for the tell-tale patterns of mag stripe data, and grabs it. See http://www.us-cert.gov/ncas/alerts/TA14-002A [us-cert.gov] , which says "There are several types of POS malware in use, many of which use a memory scraping technique to locate specific card data. Dexter, for example, parses memory dumps of specific POS software related processes looking for Track 1 and Track 2 data. "

      The track data just has to be in the RAM of the process, and this software finds it and logs it.
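    The matching plover describes is simple enough to show end to end. The block below is an added example written for this page; it is not BlackPOS, Dexter, or code from any party named in the thread. It scans a byte buffer (standing in for a process memory dump) for records shaped like ISO/IEC 7813 Track 1 and Track 2 data, then applies the Luhn check to the PAN so that random digit runs are not reported. The buffer contents, the process name, and the PANs (the public test numbers 4111... and 5555...) are all constructed for the example. The same matcher is what a responder runs over a memory image to confirm that clear-text track data was exposed in a process.

```python
"""Added example: scan a memory buffer for magnetic-stripe track data.

Not BlackPOS or vendor code. Illustrates the technique described in the
thread (and summarised in US-CERT TA14-002A): the scraper does not care how
the POS application works, it only searches process memory for byte
patterns shaped like ISO/IEC 7813 Track 1 / Track 2 records.
"""
import re
from dataclasses import dataclass
from typing import List

# ISO/IEC 7813 track layouts (standard formats, not taken from the malware):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.'-]{2,26})\^(\d{4})(\d{3})([^?]{0,50})\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,50})\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; cuts false positives from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TrackHit:
    track: int    # 1 or 2
    offset: int   # byte offset of the record in the scanned buffer
    pan: str      # primary account number (full; mask before logging)
    expiry: str   # YYMM


def scrape(buf: bytes) -> List[TrackHit]:
    """Return every Luhn-valid Track 1 / Track 2 record found in buf."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(1, m.start(), pan, m.group(3).decode()))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(2, m.start(), pan, m.group(2).decode()))
    return sorted(hits, key=lambda h: h.offset)


def mask_pan(pan: str) -> str:
    """PCI-style masking: keep the first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample "process memory": binary noise, one Track 1 record, one
# decoy with the Track 2 shape that fails Luhn, and one real Track 2 record.
# Process name and PANs are made up; 4111... and 5555... are public test numbers.
SAMPLE_MEMORY = (
    b"\x00\x00POS.EXE\x00lane=07\x00\xff\xfe"
    b"%B4111111111111111^DOE/JANE^25121011000000000?\x00"
    b"total=19.99\x00 ;4111111111111112=2512101000? \x00"
    b";5555555555554444=24051010000000000?\x00\x00"
)


if __name__ == "__main__":
    for hit in scrape(SAMPLE_MEMORY):
        print(f"track {hit.track} at offset {hit.offset}: "
              f"PAN {mask_pan(hit.pan)} exp {hit.expiry}")
```

    To use it on real evidence, feed `scrape()` the bytes of a process memory dump taken with a forensic tool; anything it returns means track data sat unencrypted in that process and was reachable by exactly this kind of scraper. Keep the Luhn filter: without it, long digit runs in ordinary receipt and log text produce a stream of false hits.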

  • So now we know: Russia is responsible for crap that MS passes as "secure software". Bomb the Evil Empire (you select which one).
  • If he was a little bit older the news wouldn't be reporting the age. The age is just creating a bias where there doesn't need to be one. It's just playing on a certain group of people's fears that all young people are out to get them. It probably stems from guilt about how they find certain people achieving more in life than they did, and at first you could handle that because they were older. But then as they got older the achievers became younger and they never learnt how to cope with that.
  • by Anonymous Coward on Saturday January 18, 2014 @11:23PM (#46002697)

    Just before the dreaded Y2K doomsday event that everyone, everywhere (well, lots anyway) was bracing for, I was subcontracted to upgrade all the motherboards in area Target stores.
    The motherboards were very simple, very basic units with pretty much everything integrated, i.e. video, ethernet, etc. They are diskless. Nothing plugged into the slots.
    The cases were small, low profile and of course there is one at every register and several at the customer service desks.

    At that time they were booting XP from LAN with PXE/TFTP.

    ALL the POS terminals load the same, single image from a server. Infect the server and all terminals become infected.
    Because everything is diskless, everything is piped back to backend servers in real time.

    I did not go into the back of the store or see any hardware other than the POS terminals, I whored myself out as a screwdriver grunt for some easy cash.
    I would assume that the OS image the terminals boot is standardized across all their stores and is sent down from corporate hive.
    This leads me to believe that they somehow got to THAT image and compromised it, thus infecting all terminals nationwide.
    So they didn't have to hack thousands of terminals, they just had to hack one boot image at corporate and they owned the nation.

  • This is embarrassing if true. For me the target of ire is much closer to home. It has been said that the free market will produce the best product. Isn't it also true that we should deserve the national defense that we buy? Haven't these transgressions happened often enough now that our economic institutions should have more secure systems that protect the consumer from intrusions? How about the money spent on government surveillance? Shouldn't they secure us from threats that compromise enterprise and pri

