Analyst Calls Russian Teen Author of Target Malware

Nerval's Lobster writes "A digital-activity data analytics firm called IntelCrawler, Inc. claims to have identified the author of the BlackPOS malware used in attacks against Target and Neiman Marcus, and spotted similar attacks that are still in progress against six other retailers. Andrey Komarov, CEO of the Los Angeles-based IntelCrawler, told Reuters Jan. 17 that his company had spotted the six ongoing attacks while analyzing Web traffic in search of the specific entry points and origin of the malware infection behind the Target data breach, which allowed hackers to steak magnetic card-strip data on 40 million debit- and credit cards and demographic data on 70 million additional customers. According to Komarov, BlackPOS was developed by a 17-year-old Russian who goes by the username Ree4 and lives in St. Petersburg. Ree4 probably did not participate in the attack on Target, but did sell the malware to the actual attackers, according to Komarov, who refused to identify the source of his information other than to say he had been monitoring forums on which he said Ree4 sells malware. In a series of chat clips Komarov said are exchanges between buyer and seller, Ree4 tells a potential customer that the price for the software is US$2,000 and that the malware grabs credit-card numbers from system memory as they're scanned, dumps them into a file called time.txt that is sent back to the controller. Ree4 also said the app works only on standalone point-of-sale terminals with a separate monitor that also runs Windows, but not on Verifone systems, which can be attached to PCs but secure credit-card data before it can be scraped by BlackPOS."

Teenagers

[girlintraining]

I love teenagers. Only they would ask $2,000 to sell software that, if he got caught, would net him decades in prison. He may be a good programmer, but he's an idiot businessman -- risk versus reward.

Another needlessly ambiguous Slashdot headline...

[wonkey_monkey]

Analyst Calls Russian Teen Author of Target Malware

"Calls" as in calls him on the phone? Or "calls" in the more casual sense of "identifies"? Because there's a word for that - "identifies."

Re:Russia needs to pass better laws

[sjames]

I wouldn't throw too many stones. In the U.S. you can go to jail for plugging your EV in to the wall for 20 minutes but crash the global economy and we'll write you a bonus check.

Every theft perpetrated by every malware writer behind the former iron curtain put together is peanuts compared to the Wall Street bandits.

Re:What we should do

[nuonguy]

Even though what this AC said isn't very helpful, it expresses frustration with what happened. I think it deserves a better response.

Lots of posts here say we should punish the malware author very severely. I say punish him like a small town vandal. Give him a talking to, maybe make him give up his earnings, tell his parents, and then leave him alone.

You're missing the actual criminals here:
1. The people who installed this malware.
2. The people who sold the credit card records.
These guys deserve the full brunt of the law for damages done.

But even those guys don't deserve the strongest of punishment. The harshest criminal proceedings should be meted out to the CIO and CEO of Target (and Needless Markup et al :-). They should be held criminally liable for not securing customer credit card information. Surely with the myriad of laws that congress has passed there has to be some law or statute around storage and transmission of financial records that would stick. Sadly I feel like I'm deluding myself with that hope.

I imagine even one single CIO going to jail or merely facing a judge during criminal proceedings would make a much bigger change in how financial information is treated by officers of companies in the US.

This situation avoidable. We have technology that mitigates these risks enormously. What keeps theft of credit card information from ending is that the people who make decisions don't need to care. Make that change and the network effects might do the rest.