Target Credit Card Hack Software Written By A 17-Year-Old
A cyberintelligence consulting group has identified the author of software that enabled the theft of over 100 million credit and debit card numbers and metadata as a 17-year-old Russian code whiz and hacker known as “ree4”.
IntelCrawler says that ree4 sold his “BlackPOS” malware to more than 60 Eastern European cyber-criminals, plus some in other regions. He is based in St. Petersburg and is well-known in forums and the wider hacking community. The IntelCrawler report notes that he wrote other popular malicious tools, “such as ‘Ree4 mail brute’, … social networks accounts hacking and DDoS attacks trainings.” IntelCrawler’s president, Dan Clements, told PCWorld that the group is “90 percent” sure about its conclusions.But ree4 doesn’t seem to have personally taken part in the Target or Neiman Marcus hacks beyond writing and selling the malware. When contacted by the Washington Post, Target declined to comment on the IntelCrawler report. A Neiman Marcus spokeswoman specifically addressed one part, which said that hackers were able to plant the BlackPOS malware because the credit card terminals at the retailers they targeted had default passwords that were guessable and therefore weak. The Neiman Marcus spokeswoman said that she hadn’t heard anything about weak passwords from those with direct knowledge of Neiman Marcus’ network. Though the Target and Neiman Marcus hacks originally appeared to have been launched at the same time by the same people, it is less clear now whether they were related through more than BlackPOS. In fact it seems increasingly likely that they were not.
The report quoted IntelCrawler’s CEO, Andrew Komarov, as saying that more BlackPOS hacks, largely of department stores, are going to come to light soon. This agrees with an article Reuters published on Jan. 12, citing anonymous sources who said they knew of at least three other breaches.