Target, six other retailers apparently no match for Russian teen’s 'potato' hack

Wielding a piece of malware called ‘potato’ in Russian, Eastern European hackers stormed past the digital firewalls of Target and six other retailers to steal credit cards belonging to a quarter of the US population.


The scope of the Christmastime Target credit card heist keeps growing as digital detectives track one of the most audacious tech-age heists in history to a Russian teenager who tweaked a piece of standard malware and then sold the malicious code to dozens of Eastern European cyber-criminals.

Target is bracing for a backlash of lost sales after reporting that over 70 million credit cards and other pieces of customer data were compromised during the heaviest shopping period of the year. The thieves grabbed everything – card numbers, PIN numbers, security codes – as they were able to gain direct access to the so-called point of service, or POS, terminals familiar to every shopper.

Now, a report from some of the world’s top cyber-detectives suggests that six other retailers may also have been breached. They have not yet been named, although Neiman-Marcus’ disclosure of a breach last week may be connected.

For some American consumers and the big retailers, the thefts helped sour the Christmas season, raising ire and forcing Target, and now perhaps others, to downsize sales expectations for the coming year and reassess their digital security.

Meanwhile, the stolen data is being bought and sold at underground data auctions for around $100 a pop, meaning that consumers are left to sop up the potential credit mess. More broadly, the new revelations suggest that “cybercriminals are still finding gaps in industry security … and how payment card data is handled,” writes Jeremy Kirk in Computerworld.

New information from Internet surveillance firms shows just how audacious the heist was – basically a one-swipe pickpocket of nearly a quarter of America’s population. And the trail leads to Russia, and a 17-year-old hacker known only as “ree4,” writes Andrew Komarov, the CEO of the cyber-intelligence firm IntelCrawler, in a number of posts. Meanwhile, dozens of attorneys general have launched their own investigations into how Target was duped.

According to security experts, Ree4 took a standard piece of malware known in Russian as “kaptoxa,” Russian slang for “potato,” tweaked it and renamed it BlackPos. The software, which apparently can slip through the staunchest defenses undetected, was first discovered by digital forensic experts last March.

Ree4 sold the software for $2,000 or a 50 percent cut of the profits to about 40 Eastern European hackers, according to Mr. Komarov.

Those hackers, in turn, may have used so-called “brute force” tactics – throwing millions of possible passwords at retail servers until one breaks the code – and then took control of the swipe machine at the counter.

In its Jan. 14 analysis, iSight Partners, a Dallas-based information security firm now advising the US Secret Service, wrote that the attack was two-pronged.

“First, the malware that infected Target’s checkout counters (PoS) extracted credit numbers and sensitive personal details,” the firm writes. “Then, after staying undetected for 6 days, the malware started transmitting the stolen data to an external FTP server, using another infected machine within the Target network.”

“The intrusion operators displayed innovation and a high degree of skill in orchestrating the various components of the activity,” according to the report.

Last week, Target executives announced the No. 3 retailer would be spending $5 million for a consortium of digital security think tanks to help prevent similar attacks in the future.

“Cybersecurity is fast becoming one of the biggest marketplace challenges for businesses, and a huge concern for their customers,” said Mary Power, president and CEO of the Council of Better Business Bureaus, in a statement.

The fact that hackers may have used what’s been called “bargain basement” software to steal credit cards right from under shoppers’ noses may not help immediately stanch what’s become a steady wave of criticism of Target and its handling of the breach.

But the new revelations could ultimately lead retailers to search for more reliable ways to get paid than the point-of-service terminals that are now, despite their ubiquity, apparently increasingly vulnerable.

“Target itself would do well to find the best such alternative and implement it in a high-profile way,” writes Anthony Wing Kosner, in Forbes. “Disruption, however, may be the last thing this beleaguered retailer is thinking about at the moment as it hopes to maintain business as usual.”
