Thursday, May 24, 2018

Digital underground believed to be behind attack on Target

They are known as "coders" and "carders," high-tech gurus who live in a digital underworld.

Their identities have been elusive, but their tactics and profiles are emerging in the aftermath of the malware attacks against Target and other retailers.

A 23-year-old Russian, said to use the online nickname Ree[4], told a television interviewer in January that he co-wrote the code used by whoever orchestrated the Target attack. Investigators are trying to find out more about someone else, known as Rescator, who has been selling stolen card data from Target.

Although Target's breach remains under cloaked investigation with no official results, a security intelligence firm that tracks carder activity says it is following a ring of nine people dealing in access to hacked point-of-sale terminals.

Some of the hacked terminals being offered in the underground forums come preloaded with memory-scraping malware, such as the type used in Target's huge breach, said Dan Clements, president of Los Angeles-based IntelCrawler. The group is mostly from Eastern Europe, but one of the hackers is based in the United Kingdom, Clements said.

"This niche was fairly developed and fairly sophisticated back in the spring," Clements said. "Thus the Target attack was not really a surprise."

Clements, whose team has been independently tracing the band's digital tracks for a range of clients including global law enforcement, said it's "highly probable" the members are related to the memory-scraping point-of-sale malware involved in the attack on Target, in which scooped up the payment card information of 40 million people was stolen.

The Minneapolis-based retailer later said that the partial personal information of 70 million customers, such as names and e-mail addresses, was siphoned off too. The amount of overlap between the two sets of information isn't known.

A joint report from the Secret Service, cyber intelligence firm iSight Partners and others dated Jan. 16 referred to the malware at Target as a new variant of the Kaptoxa malware called Trojan.POSRAM, derived from one called BlackPOS. Kaptoxa means potato in Russian and is also slang for stolen cards in underground forums.

The FBI said it's discovered about 20 point-of-sale malware attacks on retailers over the past year using several different kinds of malware including Kaptoxa, which it said has been around since at least 2011.

The ring that IntelCrawler is tracking includes Rinat Shabayev, a 23-year-old Russian hacker that IntelCrawler first publicly identified as the co-author of the malware that was ultimately used against Target. Shabayev subsequently told a Russian news outlet that he co-authored the Kaptoxa software, a variant of which infected Target's point-of-sale systems.

"We were blown away that he admitted to writing it," Clements said.

In an interview published Jan. 21, Shabayev told the Russian news outlet LifeNews that he lives in Saratov, a port city on the Volga River, and is looking for a job. He started working as programmer while attending university, he said, and used to moonlight as a hacker.

Shabayev said he took existing software and "enhanced it with some code." It wasn't designed to steal data, he said, and can be used to test whether systems are vulnerable.

"I just gave the program and that was it," he said. "If you use this software with malicious intent you can earn well, but it's illegal. So I didn't want to engage in this. I just developed it for sale, not for my personal use. And let other people use it in their conscience."

Shabayev's page on a popular Russian social network, displayed on IntelCrawler's website, shows a photo of him playing a bass guitar and lists his interests as bass, beautiful girls and coding. It says he attended Engels Technological Institute.

It also said he views kindness and honesty as important in other people, and that his political views are apathetic.

Brian Krebs, the security blogger who broke the news of Target's huge holiday breach at KrebsonSecurity.com, said in an interview that he, too, thinks Shabayev co-authored the original malware. But he said there are likely several layers between Shabayev and whoever carried out the intricate and customized attack on Target.

"I would imagine there's an entire group of individuals that carefully planned this attack against Target and very probably used other victim organizations they broke into through 2013 as sort of test cases," Krebs said.

Krebs said Shabayev's attitude toward writing the code is typical of malware authors he has interviewed.

"They have an agnostic view of code," Krebs said. "They're freelancers. It's just ones and zeros. It can't be good or evil. That seems to be the view of a lot of guys that code malicious software."

Krebs said that he has not yet looked for links between Shabayev and the person nicknamed Rescator who has been hawking stolen card information from Target in underground card shops. Krebs suspects Rescator also uses the name Helkern online and is a leading member of a highly structured underground forum called Lampeduza. Krebs said he has identified a man in Illichivisk, a city in the Odessa province of Ukraine, that he suspects is Rescator/Helkern.

Krebs said he suspects Rescator is not just hawking stolen cards, but also played a central role in the Target hit itself.

Clements, at IntelCrawler, said he is not aware of a link between the two men.

Clements said Shabayev used the nickname Ree[4] in underground hangouts and was selling the BlackPOS malware for about $2,000. He worked closely with Sergey Taraspov, a teenager acting as his technical support. At first IntelCrawler identified Taraspov as the malware's co-author, but then said it was Shabayev.

The Secret Service declined to comment on Shabayev.

IntelCrawler is not the only organization that has tracked Shabayev.

Dmitri Alperovitch, co-founder of Irvine, Calif.-based CrowdStrike, said his firm has been carefully tracking cybercriminals in Eastern Europe, Russia and elsewhere for retail clients. Shabayev has been "very active" selling the BlackPOS memory scraper malware for about a year, he said. He described the original BlackPOS malware as fairly basic.

"A first-year computer science student in college could have written this," he said.

Alperovitch said he didn't believe Shabayev's assertions that the program he co-authored was innocent and intended for defending computer systems.

"He's been actually selling the software for $2,000 in the underground specially for committing theft from retailers," Alperovitch said. "That's the only purpose of this tool."

Comments
Parkland families seek courtís OK to sue gun companies

Parkland families seek courtís OK to sue gun companies

Fred Guttenberg looked over his shoulder at the poster behind him. There was Jaime, his forever 14-year-old daughter, leaping into a split in her ballet leotard. In another photo, she posed with her father, grinning wide for the camera.Jaime was amon...
Updated: 11 minutes ago
One day after fatal accident, Tampa moves to lower speed limit on Bayshore Blvd

One day after fatal accident, Tampa moves to lower speed limit on Bayshore Blvd

TAMPA ó City officials announced Thursday they are reducing the speed limit on Bayshore Boulevard, one day after a mother was struck and killed by a speeding car while pushing her 21-month-old daughter across the street in a stroller.Starting today, ...
Updated: 18 minutes ago
When will the Lightning run out of wait-til-next-years?

When will the Lightning run out of wait-til-next-years?

TAMPA — Disbelief will eventually give way to acceptance.The Lightning isn't there yet.It isn't there yet in a lot of ways.Will it ever be?Just wondering.Really, what guarantees are there?Late Wednesday night, Washington Capitals captain A...
Updated: 1 hour ago
Florida Department of Education delivers third-grade reading test results

Florida Department of Education delivers third-grade reading test results

Most of Florida's third graders will get to find out whether they passed the required state reading test before the school year ends, after all.The Florida Department of Education, under pressure from parents and educators to get the scores out ...
Updated: 1 hour ago

Democrat says Trump Jr. may have lied to Senate committee

A Democratic senator says he's concerned that President Donald Trump's eldest son may have lied to Congress about his knowledge of foreign assistance offered to the Trump campaign
Updated: 1 hour ago
Trump aims to make it easier for companies to get to space

Trump aims to make it easier for companies to get to space

President Donald Trump is asking the government to make it easier for companies to get to and from space.
Updated: 1 hour ago

Staley settles lawsuit against Missouri athletic director

South Carolina coach Dawn Staley reaches $50,000 settlement in her lawsuit against Missouri athletic director Jim Sterk
Updated: 1 hour ago
The Latest: Baltimore officers visit funeral home

The Latest: Baltimore officers visit funeral home

Fellow officers, public officials and others are visiting a Baltimore-area funeral home to honor a colleague killed on duty
Updated: 1 hour ago
Dem, GOP leaders get classified briefings on Russia probe

Dem, GOP leaders get classified briefings on Russia probe

Republican and Democratic lawmakers have received classified briefings about the origins of the FBI investigation into Russia's election meddling
Updated: 1 hour ago

Suit: Leagues' block of sports gambling cost racetrack $139M

A New Jersey horse racing association has sued the four major pro sports leagues and the NCAA over what it says is more than $130 million in lost sports betting revenue
Updated: 1 hour ago