Wielding a piece of malware called ‘potato’ in Russian, Eastern
European hackers stormed past the digital firewalls of Target and six
other retailers to steal credit cards belonging to a quarter of the
By Patrik Jonsson
ATLANTA — The scope of the Christmastime Target credit card heist
keeps growing as digital detectives track one of the most audacious
tech age heists in history to a Russian teenager who tweaked a piece
of standard malware, and then sold the malicious code to dozens of
Eastern European cyber-criminals.
Target is bracing for a backlash of lost sales after reporting that
over 70 million credit cards and other pieces of customer data were
compromised during the heaviest shopping period of the year. The
thieves grabbed everything — card numbers, PIN numbers, security codes
— as they were able to gain direct access to the so-called point of
service, or POS, terminals familiar to every shopper.
Now, a report from some of the world’s top cyber-detectives suggests
that 6 other retailers may also have been breached. They have not yet
been named, although Neiman-Marcus’ disclosure of a breach last week
may be connected.
For some American consumers and the big retailers, the thefts helped
sour the Christmas season, raising ire and forcing Target, and now
perhaps others, to downsize sales expectations for the coming year and
reassess their digital security.
Meanwhile, the stolen data is being sold and bought on underground
data auctions for around $100 a pop, meaning that consumers are left
to sop up the potential credit mess. More broadly, the new revelations
suggest that “cybercriminals are still finding gaps in industry
security… and how payment card data is handled,” writes Jeremy Kirk
in Computer World.
New information from Internet surveillance firms shows just how
audacious the heist was — basically a one-swipe pickpocket of nearly a
quarter of America’s population. And the trail leads to Russia, and a
17-year-old hacker known only as “ree4,” writes Andrew Komarov, the
CEO of the cyber-intelligence firm IntelCrawler, in a number of posts.
Meanwhile, dozens of attorneys general have launched their own
investigations into how Target was duped.
According to security experts, Ree4 took a standard piece of malware
known in Russian as “kaptoxa,” Russian slang for “potato,” tweaked it
and renamed it BlackPos. The software, which apparently can slip
through the staunchest defenses undetected, was first discovered by
digital forensic experts last March.
Ree4 sold the software for $2,000 or a 50 percent cut of the profits
to about 40 Eastern European hackers, according to Mr. Komarov.
Those hackers, in turn, may have used so-called “brute force” tactics
— throwing millions of possible passwords at retail servers until one
breaks the code — and then taken control of the swipe machine at the
In its Jan. 14 analysis, iSight Partners, a Dallas-based information
security firm now advising the U.S. Secret Service, wrote that the
attack was two-pronged.
“First, the malware that infected Target’s checkout counters (PoS)
extracted credit numbers and sensitive personal details,” the firm
writes. “Then, after staying undetected for 6 days, the malware
started transmitting the stolen data to an external FTP server, using
another infected machine within the Target network.”
“The intrusion operators displayed innovation and a high degree of
skill in orchestrating the various components of the activity,”
according to the report.
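The two stages the article describes, a brute-force break-in against a retail server and a POS host handing card data to another internal machine that then pushes it to an external FTP server, both leave traces in ordinary firewall and authentication logs. The following is an added detection example written for this article; it is not code from iSight, IntelCrawler or Target. The log format, the internal address range (10.0.0.0/8), the POS segment (10.0.9.0/24) and the sample log lines are all constructed for the example; the external addresses are documentation ranges, not real hosts.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed network layout for this example: everything in 10.0.0.0/8 is
# internal, and POS terminals live in 10.0.9.0/24 (hypothetical values).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
POS_NET = ipaddress.ip_network("10.0.9.0/24")

# Constructed sample log (not from any real incident). Fields:
# "<timestamp> <event> <src_ip> <dst_ip> <dst_port> <detail>"
SAMPLE_LOG = """\
2013-11-27T02:10:01 AUTH_FAIL 203.0.113.7 10.0.5.20 22 user=admin
2013-11-27T02:10:02 AUTH_FAIL 203.0.113.7 10.0.5.20 22 user=admin
2013-11-27T02:10:03 AUTH_FAIL 203.0.113.7 10.0.5.20 22 user=admin
2013-11-27T02:10:04 AUTH_FAIL 203.0.113.7 10.0.5.20 22 user=admin
2013-11-27T02:10:05 AUTH_FAIL 203.0.113.7 10.0.5.20 22 user=admin
2013-11-27T02:10:06 AUTH_OK 203.0.113.7 10.0.5.20 22 user=admin
2013-11-27T08:30:00 AUTH_FAIL 10.0.1.15 10.0.5.20 22 user=jsmith
2013-11-27T08:30:20 AUTH_OK 10.0.1.15 10.0.5.20 22 user=jsmith
2013-12-02T03:15:00 CONN 10.0.9.44 10.0.5.20 445 proto=smb
2013-12-02T03:16:00 CONN 10.0.5.20 198.51.100.25 21 proto=ftp
2013-12-02T09:00:00 CONN 10.0.9.44 10.0.0.3 53 proto=dns
2013-12-02T09:05:00 CONN 10.0.1.15 192.0.2.10 443 proto=https
2013-12-02T09:10:00 CONN 10.0.9.44 192.0.2.10 443 proto=https
"""


def parse_log(text):
    """Turn the constructed log text into a list of typed records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, src, dst, port, detail = line.split(maxsplit=5)
        records.append({
            "ts": datetime.fromisoformat(ts),
            "event": event,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "detail": detail,
        })
    return records


def detect_bruteforce(records, threshold=5, window=timedelta(minutes=5)):
    """Flag a (src, dst) pair once it reaches `threshold` failed logins inside
    `window`, and flag again if a successful login then follows."""
    fails = defaultdict(list)   # (src, dst) -> timestamps of recent failures
    flagged = set()
    alerts = []
    for r in records:
        if r["event"] not in ("AUTH_FAIL", "AUTH_OK"):
            continue
        key = (str(r["src"]), str(r["dst"]))
        q = fails[key]
        q[:] = [t for t in q if r["ts"] - t <= window]  # drop stale failures
        if r["event"] == "AUTH_FAIL":
            q.append(r["ts"])
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("bruteforce", key[0], key[1], len(q)))
        elif key in flagged and q:
            alerts.append(("success_after_bruteforce", key[0], key[1], len(q)))
    return alerts


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def detect_exfil_paths(records, ftp_ports=(20, 21)):
    """Flag internal hosts opening FTP to the outside, and any POS host
    talking to the outside at all (a POS segment has no business doing so)."""
    alerts = []
    for r in records:
        if r["event"] != "CONN" or not is_internal(r["src"]) or is_internal(r["dst"]):
            continue
        if r["port"] in ftp_ports:
            alerts.append(("ftp_to_external", str(r["src"]), str(r["dst"]), r["port"]))
        if r["src"] in POS_NET:
            alerts.append(("pos_to_external", str(r["src"]), str(r["dst"]), r["port"]))
    return alerts


def find_staging_hosts(records, ftp_ports=(20, 21)):
    """Correlate the two-hop path: POS host -> internal staging host -> external FTP.
    Returns {staging_host: [pos_hosts that contacted it before the FTP session]}."""
    pos_contacts = defaultdict(set)
    staging = {}
    for r in records:
        if r["event"] != "CONN":
            continue
        if r["src"] in POS_NET and is_internal(r["dst"]):
            pos_contacts[str(r["dst"])].add(str(r["src"]))
        elif is_internal(r["src"]) and not is_internal(r["dst"]) and r["port"] in ftp_ports:
            host = str(r["src"])
            if pos_contacts.get(host):
                staging[host] = sorted(pos_contacts[host])
    return staging


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for alert in detect_bruteforce(recs) + detect_exfil_paths(recs):
        print(alert)
    print("staging hosts:", find_staging_hosts(recs))
```

On the sample, the brute-force rule fires on the five rapid failures from 203.0.113.7 and again when the sixth attempt succeeds, the FTP rule fires on 10.0.5.20 pushing to 198.51.100.25, the POS rule fires on 10.0.9.44 reaching the internet, and the correlation ties 10.0.5.20 back to the POS host that contacted it first. A single office workstation doing HTTPS produces no alert. The value of the correlation step is that the FTP session alone looks like one misbehaving server; the earlier POS-to-server connection is what marks it as the relay the report describes.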
Last week, Target executives announced the No. 3 retailer would be
spending $5 million for a consortium of digital security think tanks
to help prevent similar attacks in the future.
“Cybersecurity is fast becoming one of the biggest marketplace
challenges for businesses, and a huge concern for their customers,”
said Mary Power, president and CEO of the Council of Better Business
Bureaus, in a statement.
The fact that hackers may have used what’s been called “bargain
basement” software to steal credit cards right from under shoppers’
noses may not help immediately stanch what’s become a steady wave of
criticism of Target and its handling of the breach.
But the new revelations could ultimately lead retailers to search for
more reliable ways to get paid than the point-of-service terminals
that are now, despite their ubiquity, apparently increasingly
“Target itself would do well to find the best such alternative and
implement it in a high-profile way,” writes Anthony Wing Kosner, in
Forbes. “Disruption, however, may be the last thing this beleaguered
retailer is thinking about at the moment as it hopes to maintain
business as usual.”