They are known as “coders” and “carders,” high-tech gurus who live in a digital underworld.
Their identities have been elusive, but their tactics and profiles are emerging in the aftermath of the malware attacks against Target and other retailers.
A 23-year-old Russian, said to use the online nickname Ree, told a television interviewer in January that he co-wrote the code used by whoever orchestrated the Target attack. Investigators are trying to find out more about someone else, known as Rescator, who has been selling stolen card data from Target.
Although Target’s breach remains under cloaked investigation with no official results, a security intelligence firm that tracks carder activity says it is following a ring of nine people dealing in access to hacked point-of-sale terminals.
Some of the hacked terminals being offered in the underground forums come preloaded with memory-scraping malware, such as the type used in Target’s huge breach, said Dan Clements, president of Los Angeles-based IntelCrawler. The group is mostly from Eastern Europe, but one of the hackers is based in the United Kingdom, Clements said.
“This niche was fairly developed and fairly sophisticated back in the spring,” Clements said. “Thus the Target attack was not really a surprise.”
Clements, whose team has been independently tracing the band’s digital tracks for a range of clients including global law enforcement, said it’s “highly probable” the members are related to the memory-scraping point-of-sale malware involved in the attack on Target, in which the payment card information of 40 million people was stolen.
The Minneapolis-based retailer later said that the partial personal information of 70 million customers, such as names and e-mail addresses, was siphoned off too. The amount of overlap between the two sets of information isn’t known.
A joint report from the Secret Service, cyber intelligence firm iSight Partners and others dated Jan. 16 referred to the malware at Target as a new variant of the Kaptoxa malware called Trojan.POSRAM, derived from one called BlackPOS. Kaptoxa means potato in Russian and is also slang for stolen cards in underground forums.
The FBI said it has discovered about 20 point-of-sale malware attacks on retailers over the past year using several different kinds of malware, including Kaptoxa, which it said has been around since at least 2011.
The ring that IntelCrawler is tracking includes Rinat Shabayev, a 23-year-old Russian hacker whom IntelCrawler first publicly identified as the co-author of the malware that was ultimately used against Target. Shabayev subsequently told a Russian news outlet that he co-authored the Kaptoxa software, a variant of which infected Target’s point-of-sale systems.
“We were blown away that he admitted to writing it,” Clements said.
In an interview published Jan. 21, Shabayev told the Russian news outlet LifeNews that he lives in Saratov, a port city on the Volga River, and is looking for a job. He started working as a programmer while attending university, he said, and used to moonlight as a hacker.
Shabayev said he took existing software and “enhanced it with some code.” It wasn’t designed to steal data, he said, and can be used to test whether systems are vulnerable.
“I just gave the program and that was it,” he said. “If you use this software with malicious intent you can earn well, but it’s illegal. So I didn’t want to engage in this. I just developed it for sale, not for my personal use. And let other people use it in their conscience.”