Malware, Hackers Behind Target Data Breach Tentatively Identified

Customers, card issuers and banks are still reeling from the massive Christmas-season data breaches at Target and Neiman Marcus, which resulted in millions of stolen credit- and debit-card accounts, and millions more stolen names, addresses and email addresses.

Now, however, there's some good news: Security blogger Brian Krebs has a lead on the malware responsible for the Target breach, and possibly on the malware creators themselves.

That may be small comfort to the possibly 110 million U.S. residents directly affected by the Target data breach, but it's the first step in tracking down the criminals responsible for the theft of those customers' information.

Krebs, who broke the story of the Target data breach on Dec. 18, wrote on his blog that he may have discovered the malware the criminals used to steal approximately 40 million credit- and debit-card numbers, as well as the personal details, stored in a separate database, of 70 million Target customers.

Krebs believes the malware responsible for lifting the credit and debit card numbers from Target's in-store point-of-sale terminals is a modified version of BlackPOS, a piece of malware that, beginning in March 2013, has been sold for about $1,800 USD on black-market crimeware websites by a Russian-speaking hacker called "Antkiller."

BlackPOS is RAM-scraping malware, meaning that it copies credit-card numbers from point-of-sale machines' temporary memory, or RAM, in the instant after the cards are swiped and before the numbers are encrypted.

Soon after BlackPOS debuted last March, a Russian security firm called Group-IB deduced that the malware had been used to steal thousands of credit cards issued by several major U.S. banks.

This past Sunday (Jan. 12), Target CEO Gregg Steinhafel revealed that malware had been installed on the company's point-of-sale devices, the small devices into which customers swipe cards and type in PINs. This malware is believed to have been used to execute the data breach.

In a Reuters story posted the same day, unnamed sources close to the investigation said RAM-scraping malware had been found on Target's point-of-sale devices.

Sources close to the Target investigation told Krebs that at the time of the Target intrusion, none of the 40-plus commercial anti-malware products used by the online malware scanner VirusTotal.com were able to detect the malware that infected the point-of-sale devices.

If BlackPOS is indeed an earlier form of the malware used in the Target breach, and possibly the Neiman Marcus breach as well, investigators may want to start by finding the author of BlackPOS.

Group-IB was able to tie the author of BlackPOS to a group of Russian-speaking men with connections to cybercrime. Group-IB even identified some of the men's social networking profiles on VKontakte, the Russian-language equivalent of Facebook, where the BlackPOS author goes by the nickname "Wagner Richard."

Other members of the group, which includes Russians, Ukrainians, an Armenian and another man with a Latvian or Lithuanian surname, appear to use their real names instead of aliases on VKontakte.

However, just because the members of this group are connected to the author of BlackPOS doesn't necessarily mean they're behind the recent data breaches. It's just as likely they sold the malware to another group of criminals.

Reuters' unnamed sources said the data breaches at Target and Neiman Marcus were part of a larger wave of attacks that also hit three as-yet-unnamed U.S. retailers.

How did the criminals get malware on just about every point-of-sale device in every Target store in the United States? Krebs' sources say the criminals compromised one of Target's Web servers, got into the corporate computer system and eventually pushed out the malware to Target's point-of-sale network, possibly disguised as a software or firmware update.

The criminals then set up a server within the Target corporate network that acted as a data funnel between the infected point-of-sale machines and the criminals themselves.

Krebs also suggested that Canadian Target stores, former Zellers stores acquired by Target in 2011, escaped infection by the malware because the Canadian stores' point-of-sale devices used different software. U.S. Target stores reportedly use home-grown software, whereas Canadian Target stores use point-of-sale software from a company called Retalix.

Clearly, the Retalix software is doing something right; Krebs' sources say Target officials plan to switch over the U.S. machines to Retalix.

In his blog post documenting these findings, Krebs also said that he is investigating the allegations that three other U.S. retailers were hit.

"Rest assured that when and if I have information about related breaches I feel confident enough to publish, you will read about it here first," Krebs wrote.

UPDATE: A report by antimalware firm McAfee found that the code used to upload the malware to Target's servers contained several references to a cybercriminal who uses the pseudonym Rescator. Krebs noticed last month that Rescator was selling credit card numbers stolen from Target, and claims that he has traced Rescator's identity to a young man living in Odessa, Ukraine.

An analysis by antimalware firm Seculert, which is also researching the Target data breach, found no connection to the Neiman Marcus attack. This counters the popular speculation that the two attacks were perpetrated by the same criminals, as Reuters originally reported.

Seculert also stated that the data stolen from Target totaled 11 gigabytes, which could correspond to the 110 million records confirmed to have been stolen from Target.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.