Andrew Komarov, chief executive officer of InterCrawler, has revealed that a “17-years-old teenager is the author of BlackPOS/Kaptoxa malware” which is the software that was used to attack Target and Neiman Marcus.
The hacker named Ree4, who was identified as the originator of source code of the malware is believed to be a 17 year old teenager living in St. Petersburg, Russia.
Komarov pointed out that the teenager did not use the software on retailers, but wrote the code itself.
InterCrawler told federal authorities of their findings; as well as credit card companies and security intelligence firms.
Recently, Karen Katz, president and CEO of Neiman Marcus Group (NMG), apologized to their customers in a public statement : “We deeply regret and are very sorry that some of our customers’ payment cards were used fraudulently after making purchases at our stores. We have taken steps to notify those affected customers for whom we have contact information. We aim to protect your personal and financial information. We want you always to feel confident shopping at Neiman Marcus, and your trust in us is our absolute priority.”
Katz explained: “Neiman has disabled the malware it uncovered, enhanced its security tools, and assessed and reinforced its related payment card systems.”
However, Katz advised customers to monitor their statements carefully and report any suspicious activity.
Customers are upset and legislators are gearing up for investigations since Target Corporation revealed they had been cyberattacked and personal data was stolen.
Lawsuits are being filed against the retailer.
Brian Krebs, journalist and security expert, has explained how the hackers could have gotten away with so much information from Target.
The secret is a point-of-sale (POS) purchase and the use of a memory-scraping malware infection.
POS devices can store brief bits of data from memory which would be tantamount to the data obtained through the swiping of the credit/debit card through the slot at the register.
It does not matter whether the customer or cashier swiped the card. The POS system is hooked up to an intranet and internet connections so the hacker would simply have to install the malware.
Last April, Group-IB, a Russian security firm, has discovered Dump Mummery Grabber (DMG) that is a malware focused on extracting data and compromising cash registers and ATMs.
DMG can be used to syphon information on customer debt and credit cards from banks like JP Morgan & Chase Co., Citibank, Capital One and law enforcement agencies.
Andrey Komarov, head of international projects and CTO at CERT-GIB, said: “We have found one of the C&C servers for the following POS malware, but in fact hundreds of POS/ATMs were infected and we are still investigating this issue.”
DMG is installed at the POS and directly into ATMs with the ease of transmitting data through magnetized strips.
In fact, DMG will steal digital information from those magnetized strips, collecting data such as:
• Primary account number
• Customer full name
• Card expiration date
With the use of a USB port, the malware can have direct communication with the internet.
DMG clones credit and debit cards utilizing stolen card numbers with harvested information.
Krebs states that using a memory scrape at the POS will allow thieves to “create cloned copies of the cards and use them to shop in stores for high-priced merchandise.”
Anonymous sources claim that “at the time this POS malware was installed in Target’s environment (sometime prior to Nov. 27, 2013), none of the 40-plus commercial antivirus tools used to scan malware.”
Interestingly, it is assumed that the hackers used BlackPOS because it is “a specialized piece of malware designed to be installed on POS devices and record all data from credit and debit cards swiped through the infected system.”
Krebs continues to explain that, according to sources, “the attackers broke in to Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target’s internal network that served as a central repository for data hovered by all of the infected point-of-sale devices.”
The source said: “The bad guys were logging in remotely to that [control server], and apparently had persistent access to it. They basically had to keep going in and manually collecting the dumps.”
Krebs said: “The type of data stolen — also known as track data — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.”