News Feature | January 27, 2014

Target, Neiman Marcus, And Other U.S. Retailers' POS Malware Linked To Russia

Source: Retail Solutions Online

By Anna Rose Welch, Editorial & Community Director, Advancing RNA

Security firm alters accusation, claiming different author, not 17-year-old Russian teen, responsible for creating, selling malware to cybercriminals

On Jan. 17, security firm IntelCrawler linked the malware responsible for Target’s security breach to a 17-year-old Russian man, Sergey Tarasov. However, early last week, IntelCrawler revised its identification, saying another author, Rinay Shibaev, was responsible for writing the code. The security firm still believes that Tarasov was connected to the malware, but says he served more as “technical support” for Shibaev, along with several other unidentified members.

IntelCrawler said that the hackers used an inexpensive “off the shelf” malware known as BlackPOS. This malware, named Kaptoxa, or “potato” in Russian slang, originated in March 2013 and was first detected in POS systems in Australia, Canada, and the U.S. IntelCrawler also says that the creator, Shibaev, nicknamed “Ree4,” has sold more than 40 versions of BlackPOS to Eastern European cybercriminals. BlackPOS is a RAM scraper, which enables cybercriminals to capture data in plain text as it passes through a computer’s live memory. This same software has also been identified in at least six other attacks on U.S. retailers, Reuters says.

According to Andrew Komarov, IntelCrawler CEO, department stores took the brunt of the latest attacks. But Komarov warns that all retailers should be prepared for more BlackPOS infections and new breaches. As SecureState CEO Ken Stasiak tells CNN, once the security community knows about malware, it “can rally around it and put controls in place. But the problem is, the hackers know that. And they manipulate or mutate this malware, and then reuse it.”

The lingering threat of attacks is a headache for both retailers and consumers, and CNN legal analyst Paul Callan says that the debacle will hardly be over once the malware is identified and security is restored. Retailers could be facing class action lawsuits from customers affected by these data breaches. “Let’s say hypothetically, a retailer has 40 million transactions by 40 million different customers,” Callan says. “All 40 million may have been damaged in some way, and under law they can all be joined together in a class action lawsuit.”

In the face of these resilient and flexible hackers, the NRF issued a statement last week calling for the use of chip-and-PIN technology in credit and debit cards. This technology, which is already standard around the world, is more secure than the United States’ magnetic stripe cards. According to David French, it’s time that the U.S. join the rest of the world in introducing chip-and-PIN cards. French argues, “We must transition away from 1960s technology and adopt a 21st century system that will help reduce and prevent fraud and protect customers from the threat posed by sophisticated cybercriminals, hackers, and data thieves.” The NRF has also highlighted the need for a federal cyber law that would allow for the immediate sharing of information about the latest threats and outline plans for investigating and prosecuting data crimes.
