17-Year-Old Wrote Target Hack Malware, Say Reports

A 17-year-old Russian hacker has been identified as the author of the malware that was used to attack Target and Neiman Marcus.

A Target investigation into the security breach, which took place over the busy holiday period, showed that the stolen information included names, mailing addresses, phone numbers and email addresses.

A 17-year-old Russian teenager from St. Petersburg was responsible for the malicious programing that allowed for data from Target and Neiman Marcus to be compromised, according to a California-based security firm.

IntelCrawler, a Los Angeles cyberintelligence company, said in a post on its site this week that the massive data breach at Target used an inexpensive “off the shelf” malware known as BlackPOS, written by a young Russian man who reportedly has a reputation as a “very well known” programmer in underground marketplaces for malicious code.

The conclusion comes from a study of members-only forums where cybercriminals buy and sell data and malicious software tools, said Dan Clements, president of IntelCrawler, which conducted the analysis.

The teenager, who goes by the online nickname “ree4,” sold more than 40 copies of BlackPOS to cybercriminals in Eastern Europe and elsewhere, according to forum postings IntelCrawler analyzed. The malware, originally known as ‘Kaptoxa’ (‘potato’ in Russian slang), has been downloaded at least 60 times since it was created.

However, IntelCrawler CEO Andrew Komarov did not accuse the young man of carrying out the Target heist himself; he said he believes the teenager developed the software that was used to skim credit card numbers and other personal data from millions of Target shoppers. Komarov said the attackers who bought the software entered retailers’ systems by trying several easy passwords to access the registers remotely.

IntelCrawler described the BlackPOS program written by the teenager as not very advanced. According to another security company, Dallas-based iSight Partners, which has seen the government report but would not release it, the attackers also used a variety of other malicious tools to penetrate networks, maintain a persistent foothold on them and extract stolen data, Wired reports.

Jayce Nichols, manager of the cybercrime analysis team at iSight, says that the individual components of the attack are not necessarily sophisticated but the overall operation is.

“The interesting thing is the way the attackers put everything together and the orchestration of the overall attack, not necessarily the sophistication of the individual components,” he said.

IntelCrawler has alerted US authorities and Visa of the fresh attack targets, Komarov said. The firm began detecting large-scale cyber attacks on point-of-sale terminals across the U.S., Canada and Australia in early 2013. The company is not aware of any non-U.S. retailers now being attacked with BlackPOS software, Komarov said.

Last month, Target announced that hackers had gained access to as many as 40 million credit and debit cards used by its customers during the height of the holiday shopping season, later extending that figure to as many as 110 million.

The same malware may have been involved in a similar but far smaller attack on luxury retailer Neiman Marcus around the same time, IntelCrawler says. However, Neiman Marcus has yet to reveal how many shoppers were affected, or what kind of data was taken.

The luxury retailer’s CEO, Karen Katz, said in a statement that the company is “very sorry” for the breach, adding “we want you always to feel confident shopping” at the store, the NY Daily News reports.
