A 17-year-old Russian boy is behind the malware that has wreaked havoc at Target Corp., says IntelCrawler LLC, a Sherman Oaks, Calif.-based data-security company.
In a release posted on its Web site Friday, IntelCrawler disclosed that it tracked down the alleged hacker via its own sources, including chat transcripts on message boards offering to sell the malware for $2,000. IntelCrawler was able to find email addresses for the alleged hacker, eventually leading to a profile on VK, a Russian social media network. Using social engineering via a password-recovery mechanism on the site, it confirmed the email address was associated with the profile of the teen.
The teen also had help from several others, IntelCrawler says.
The Target breach, disclosed in December, exposed up to 40 million credit and debit card accounts of U.S. shoppers, and personal data on 70 million customers. Dallas-based Neiman Marcus says it, too, has suffered a hack: its merchant processor informed it in mid-December of potentially unauthorized card activity following customer purchases.
Target offered no additional comment on the IntelCrawler announcement. It has pledged to spend $5 million on a multiyear online-security awareness campaign working with the National Cyber-Forensics and Training Alliance, National Cyber Security Alliance, and Better Business Bureau Inc.
IntelCrawler’s announcement coincided with additional details that also surfaced Friday. The malware apparently captured, or “scraped,” data from a card's magnetic stripe in the instant after a swipe at the POS terminal, while the track data was still sitting unencrypted in the system's memory, before the POS software could encrypt it for transmission. The U.S. Secret Service, a security-technology company, and other entities distributed a report for retailers about malware dubbed Kaptoxa that may have spread throughout the retailer community; the malware at Target likely was derived from a crude piece of code called BlackPOS with scripts of Russian origin, according to investigators.
Despite a history of payment-card data breaches, retailers still have a long way to go to protect sensitive cardholder information, says Brandon Williams, executive vice president of strategy at data-security firm Sysnet Global Solutions, an Ireland-based company with U.S. offices in Atlanta and Salt Lake City.
“For the most part, as a generalization, retailers have not taken security very seriously because they look to PCI compliance as the thing to keep them safe,” Williams says. The Payment Card Industry Security Standards Council issues data-security standards for retailers, banks, hardware and software manufacturers, and payment vendors. “Some [retailers] try to do things without complying,” Williams says. Some may not properly install software firewalls to prevent access to secure parts of their networks, while others may have measures in place during a PCI audit but drop them following certification, he says.
Typically, following a major breach, Williams fields hundreds of retailer phone calls about what they can do to improve the security of their networks, only to see them drop off a few months later. “I would hope this stops the cycle,” he says. His preference would be that merchants take a long view of how their security measures up.
The youthfulness of the malware developer is somewhat surprising, Williams says. “From bigger breaches in the past, it’s typically not someone this young,” Williams says. It's not clear where the teen lives, but IntelCrawler says he had roots in the St. Petersburg area, and its report does not make clear whether he is 17 now or was 17 when the malware was written.
Albert Gonzalez, who is now serving 20 years in prison for the attacks on merchant acquirer Heartland Payment Systems Inc., TJX Cos., and other retailers, was 28 at the time of his 2009 indictment. The Heartland breach involved 130 million payment card numbers, the largest known compromise of card data at the time.