Analyst Calls Russian Teen Author of Target Malware
Nerval's Lobster writes "A digital-activity data analytics firm called IntelCrawler, Inc. claims to have identified the author of the BlackPOS malware used in attacks against Target and Neiman Marcus, and spotted similar attacks that are still in progress against six other retailers. Andrey Komarov, CEO of the Los Angeles-based IntelCrawler, told Reuters Jan. 17 that his company had spotted the six ongoing attacks while analyzing Web traffic in search of the specific entry points and origin of the malware infection behind the Target data breach, which allowed hackers to steal magnetic card-strip data on 40 million debit and credit cards and demographic data on 70 million additional customers. According to Komarov, BlackPOS was developed by a 17-year-old Russian who goes by the username Ree4 and lives in St. Petersburg. Ree4 probably did not participate in the attack on Target, but did sell the malware to the actual attackers, according to Komarov, who refused to identify the source of his information other than to say he had been monitoring forums on which he said Ree4 sells malware. In a series of chat clips Komarov said are exchanges between buyer and seller, Ree4 tells a potential customer that the price for the software is US$2,000 and that the malware grabs credit-card numbers from system memory as they're scanned and dumps them into a file called time.txt that is sent back to the controller. Ree4 also said the app works only on standalone point-of-sale terminals with a separate monitor that also runs Windows, but not on Verifone systems, which can be attached to PCs but secure credit-card data before it can be scraped by BlackPOS."
who would make such a choice? (Score:1, Interesting)
Windows "security" has been well known to be a joke since the very beginning. Why would any sane person run it on POS systems or other important infrastructure, and then proceed to tie those systems to the open internet? Unix would only have been a little better, if it was used in the same way.
That seems... insane. Sure, the hackers are responsible for hacking in, but if you leave the door of your house wide open with a sign in the front yard saying, "I have an expensive TV!", maybe you also bear some responsibility if someone walks in and steals your expensive TV set?
Will there be ANY accountability here by the people who made those decisions?
Enquiring minds want to know... (Score:5, Interesting)
How did they get the malware deployed onto thousands of POS terminals without anyone noticing?
After the malware collected the data, how did the POS terminals report the stolen data back to the controller?
Are these POS terminals just directly connected to the internet?
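One way a defender answers the second and third questions above is to police what a register is allowed to talk to at all. The following is an added example, not code from the post or from any retailer: it assumes a hypothetical store layout (a register subnet, two approved in-store backends, all of it inside 10.0.0.0/8) and a constructed flow-record format, and flags any register-originated flow that leaves the store's private address space, reaches a destination that is not an approved backend, or uses a port the backend is not expected to serve.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical store network layout, constructed for this example:
# registers live in one subnet and should only ever talk to a short
# list of in-store backends on known ports.
POS_SUBNET = ipaddress.ip_network("10.20.1.0/24")
STORE_PRIVATE_SPACE = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_BACKENDS = {
    ipaddress.ip_address("10.20.0.10"): {443},  # store controller (constructed)
    ipaddress.ip_address("10.20.0.11"): {69},   # PXE/TFTP boot server (constructed)
}

# Constructed flow-record format; real exporters (NetFlow, firewall logs) differ.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def check_flow(line: str) -> Optional[Alert]:
    """Return an Alert if a register talks to anything outside its allowlist."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None  # unparseable line: not this check's job
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    if src not in POS_SUBNET:
        return None  # only register-originated traffic is policed here
    if dst not in STORE_PRIVATE_SPACE:
        reason = "register reaching outside the store's private address space"
    elif dst not in ALLOWED_BACKENDS:
        reason = "destination is not an approved backend"
    elif dport not in ALLOWED_BACKENDS[dst]:
        reason = f"unexpected port {dport} to an approved backend"
    else:
        return None
    return Alert(m["ts"], str(src), str(dst), dport, reason)


def scan_flows(lines: List[str]) -> List[Alert]:
    """Run check_flow over a batch of records and keep only the hits."""
    return [a for a in (check_flow(line) for line in lines) if a is not None]


# Constructed sample records; addresses and timestamps are made up.
SAMPLE_FLOWS = """
2013-12-02T10:15:01Z src=10.20.1.45 dst=10.20.0.10 dport=443 bytes=1532
2013-12-02T10:15:03Z src=10.20.1.45 dst=10.20.0.11 dport=69 bytes=88
2013-12-02T10:15:09Z src=10.20.1.45 dst=10.20.0.10 dport=445 bytes=40960
2013-12-02T10:16:30Z src=10.20.1.46 dst=10.20.5.7 dport=21 bytes=204800
2013-12-02T10:17:02Z src=10.20.1.46 dst=203.0.113.5 dport=443 bytes=1048576
2013-12-02T10:17:05Z src=10.20.0.10 dst=203.0.113.5 dport=443 bytes=512
""".strip().splitlines()

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(f"{alert.ts} {alert.src} -> {alert.dst}:{alert.dport}  {alert.reason}")
```

On the constructed sample the first two records are normal register traffic, the last is the controller itself (not policed by this check), and the middle three are flagged: an unexpected port on the controller, a file-transfer port on an unknown internal host, and a register talking straight to an outside address. A register that never needs to reach the internet gives you a very short allowlist, which is exactly why this kind of egress policy is cheap to run and hard for an exfiltration channel to hide from.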
Credibility? (Score:4, Interesting)
IntelCrawler was registered late last year, and its address is a mailbox in a UPS store.
Has anyone heard of Andrey Komarov before this? Does he have any kind of track record? Or is he just another fame whore with a dubious story?
I worked on Target POS systems in ‘99 (Score:4, Interesting)
Just before the dreaded Y2K doomsday event everyone, everywhere (well lots anyway) I was subcontracted to upgrade all the motherboards in area Target stores.
The motherboards were very simple, very basic units with pretty much everything integrated, i.e. video, Ethernet, etc. They are diskless. Nothing plugged into the slots.
The cases were small, low profile and of course there is one at every register and several at the customer service desks.
At that time they were booting XP from LAN with PXE/TFTP.
ALL the POS terminals load the same, single image from a server. Infect the server and all terminals become infected.
Because everything is diskless, everything is piped back to backend servers in real time.
I did not go into the back of the store or see any hardware other than the POS terminals, I whored myself out as a screwdriver grunt for some easy cash.
I would assume that the OS image the terminals boot is standardized across all their stores and is sent down from corporate hive.
This leads me to believe that they somehow got to THAT image and compromised it, thus infecting all terminals nationwide.
So they didn't have to hack thousands of terminals, they just had to hack one boot image at corporate and they owned the nation.
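If every terminal boots the same image from one server, that image is the thing to watch. The following is an added example, not code from the poster or from any retailer's build system: it assumes a hypothetical boot tree (constructed file names and contents) and a manifest of SHA-256 digests that is authenticated with an HMAC key kept off the boot server, so that someone who can rewrite the served image cannot also rewrite the list it is checked against. The verifier reports modified, missing and unexpected files, and refuses the whole manifest if its tag does not verify.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed stand-in for the files a PXE/TFTP boot server would serve.
# Real names and contents would differ; these are placeholders.
KNOWN_GOOD_IMAGE: Dict[str, bytes] = {
    "pxelinux.0": b"\x7fELF (constructed bootloader bytes)",
    "pos/boot.wim": b"constructed POS boot image v1",
    "pos/config.ini": b"[pos]\ncontroller=10.20.0.10\n",
}

# Assumption: this key lives on the release host, never on the boot server.
# A throwaway constant here so the example runs offline.
MANIFEST_KEY = b"example-manifest-signing-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: Dict[str, str]) -> bytes:
    # Stable serialisation so the HMAC covers exactly the same bytes on both sides.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: Dict[str, bytes]) -> dict:
    """Hash every file in the release tree and tag the list with the off-server key."""
    entries = {name: sha256_hex(data) for name, data in sorted(files.items())}
    tag = hmac.new(MANIFEST_KEY, _canonical(entries), hashlib.sha256).hexdigest()
    return {"files": entries, "hmac": tag}


def manifest_is_authentic(manifest: dict) -> bool:
    expected = hmac.new(MANIFEST_KEY, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("hmac", ""))


def verify_boot_tree(served: Dict[str, bytes], manifest: dict) -> List[str]:
    """Compare what the boot server is actually serving against the signed manifest."""
    if not manifest_is_authentic(manifest):
        return ["manifest HMAC invalid: refuse to trust any file list"]
    expected = manifest["files"]
    findings = []
    for name, digest in expected.items():
        if name not in served:
            findings.append(f"missing: {name}")
        elif sha256_hex(served[name]) != digest:
            findings.append(f"modified: {name}")
    for name in served:
        if name not in expected:
            findings.append(f"unexpected: {name}")
    return sorted(findings)


GOOD_MANIFEST = build_manifest(KNOWN_GOOD_IMAGE)


def tampered_tree() -> Dict[str, bytes]:
    """Constructed scenario: the boot image was swapped and an extra file dropped in."""
    tree = dict(KNOWN_GOOD_IMAGE)
    tree["pos/boot.wim"] = b"constructed POS boot image v1 (altered)"
    tree["pos/extra.bin"] = b"constructed file that is not part of the release"
    return tree


def forged_manifest() -> dict:
    """Constructed scenario: correct digests for the tampered tree, but the forger
    has no access to MANIFEST_KEY and can only reuse the old tag."""
    entries = {name: sha256_hex(data) for name, data in sorted(tampered_tree().items())}
    return {"files": entries, "hmac": GOOD_MANIFEST["hmac"]}


if __name__ == "__main__":
    print("clean tree:   ", verify_boot_tree(KNOWN_GOOD_IMAGE, GOOD_MANIFEST))
    print("tampered tree:", verify_boot_tree(tampered_tree(), GOOD_MANIFEST))
    print("forged list:  ", verify_boot_tree(tampered_tree(), forged_manifest()))
```

Run from the terminal side (or from a monitoring host that pulls the tree over TFTP the same way a register would), this turns "they only had to hack one boot image" into a change that is visible on the next check rather than silently inherited by every register that boots. The HMAC matters: a digest list stored next to the image on the same server is only as trustworthy as that server.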