Skip to main content

Originally published February 2, 2014 at 3:42 PM | Page modified February 2, 2014 at 5:42 PM

  • Share:
  • Comments (2)
  • Print

Tactics, profiles of hackers emerge after Target breach

A security intelligence firm says it is following a ring of nine people dealing in access to hacked point-of-sale terminals in the aftermath of the malware attacks against Target and other retailers.

Star Tribune (Minneapolis)

Most Popular Comments
Hide / Show comments
If one were to take a polio, influenza, or bubonic virus and "distribute" it... MORE
If a first-year comp sci can write this code, why haven't a world of experts been able... MORE


They are known as “coders” and “carders,” high-tech gurus who live in a digital underworld.

Their identities have been elusive, but their tactics and profiles are emerging in the aftermath of the malware attacks against Target and other retailers.

A 23-year-old Russian, said to use the online nickname Ree[4], told a television interviewer in January that he co-wrote the code used by whoever orchestrated the Target attack. Investigators are trying to find out more about someone else, known as Rescator, who has been selling stolen card data from Target.

Although Target’s breach remains under cloaked investigation with no official results, a security-intelligence firm that tracks carder activity says it is following a ring of nine people dealing in access to hacked point-of-sale terminals.

Some of the hacked terminals being offered in the underground forums come preloaded with memory-scraping malware, such as the type used in Target’s huge breach, said Dan Clements, president of Los Angeles-based IntelCrawler. The group is mostly from Eastern Europe, but one of the hackers is based in the United Kingdom, Clements said.

“This niche was fairly developed and fairly sophisticated back in the spring,” Clements said. “Thus the Target attack was not really a surprise.”

Clements, whose team has been independently tracing the band’s digital tracks for a range of clients including global law enforcement, said it’s “highly probable” the members are related to the memory-scraping point-of-sale malware involved in the attack on Target, in which the payment-card information of 40 million people was stolen.

The Minneapolis-based retailer later said that the partial personal information of 70 million customers, such as names and email addresses, was siphoned off too. The amount of overlap between the two sets of information isn’t known.

The ring that IntelCrawler is tracking includes Rinat Shabayev, a 23-year-old Russian hacker that IntelCrawler first publicly identified as the co-author of the malware that was ultimately used against Target. Shabayev subsequently told a Russian news outlet that he co-authored the Kaptoxa software, a variant of which infected Target’s point-of-sale systems.

“We were blown away that he admitted to writing it,” Clements said.

In an interview published Jan. 21, Shabayev told the Russian news outlet LifeNews that he took existing software and “enhanced it with some code.” It wasn’t designed to steal data, he said, and can be used to test whether systems are vulnerable.

“I just gave the program and that was it,” he said.

Brian Krebs, the security blogger who broke the news of Target’s huge holiday breach at, said in an interview that he, too, thinks Shabayev co-authored the original malware.

But he said there are likely several layers between Shabayev and whoever carried out the intricate and customized attack on Target.

“I would imagine there’s an entire group of individuals that carefully planned this attack against Target and very probably used other victim organizations they broke into through 2013 as sort of test cases,” Krebs said.

Krebs said Shabayev’s attitude toward writing the code is typical of malware authors he has interviewed.

“They have an agnostic view of code,” Krebs said. “They’re freelancers. It’s just ones and zeros. It can’t be good or evil. That seems to be the view of a lot of guys that code malicious software.”

He said that he has not yet looked for links between Shabayev and the person nicknamed Rescator who has been hawking stolen card information from Target in underground card shops.

Krebs suspects Rescator also uses the name Helkern online and is a leading member of a highly structured underground forum called Lampedusa. Krebs said he has identified a man in Illichivisk, a city in the Odessa province of Ukraine, that he suspects is Rescator/Helkern.

He said he suspects Rescator also played a central role in the Target hit itself.

Clements, at IntelCrawler, said he is not aware of a link between the two men.

Dmitri Alperovitch, co-founder of Irvine, Calif.-based CrowdStrike, said his firm has been carefully tracking cybercriminals in Eastern Europe, Russia and elsewhere for retail clients. Shabayev has been “very active” selling the BlackPOS memory-scraper malware for about a year, he said.

He described the original BlackPOS malware as fairly basic.

“A first-year computer-science student in college could have written this,” he said.

Alperovitch said he didn’t think the program Shabayev co-authored was innocent and intended for defending computer systems.

“He’s been actually selling the software for $2,000 in the underground specially for committing theft from retailers,” Alperovitch said. “That’s the only purpose of this tool.”

News where, when and how you want it

Email Icon

 Subscribe today!

Subscribe today!

99¢ for four weeks of unlimited digital access.


Partner Video


The Seattle Times photographs

Seattle space needle and mountains

Purchase The Seattle Times images

The Seattle Times

The door is closed, but it's not locked.

Take a minute to subscribe and continue to enjoy The Seattle Times for as little as 99 cents a week.

Subscription options ►

Already a subscriber?

We've got good news for you. Unlimited content access is included with most subscriptions.

Subscriber login ►