TARGET BREACH: Analyst links malware to Russia - FOX 35 News Orlando

As Target continues to investigate the massive data breach that has impacted as many as 110 million people, the security expert who first broke the story believes he has traced the culprits to Russia.

Security expert Brian Krebs has chronicled the details of the breach extensively via his blog, Krebs on Security. On Tuesday, he posted that the cyber crooks transmitted their payload of stolen customer data through a virtual private server (VPS) located in Russia.

Additionally, Krebs' coverage has often referenced a specific text string found in the malware samples -- "Rescator." Shortly after the data breach came to light, Rescator became the subject of another Krebs blog post focusing on who was selling the stolen credit and debit card data.


Krebs believes he has traced the trail from Rescator to a particular young man in Ukraine who has been selling the malware on the black market for as little as $2,300. McAfee published its own blog post on Wednesday that also contained the Rescator moniker when looking into the two malware uploaders used in the Target breach.

That may be the needle in the digital haystack -- a simple line of code containing the name of a notorious Russian hacker.

"Russian malware is very aggressive, and because of that, they're very good," Mark Lanterman told Fox 9 News. "They don't care if you find them because they're just developing malware."

Of course, it is possible that someone is using the Rescator name to throw authorities off their own trail, but Lanterman doubts it.

"My experience is hackers have egos and they want credit for their works of art," he said. "This software is near and dear to the author and he wants to be acknowledged as the author -- and my guess is, that truly is the author."


A number of tech blogs covered the story on Thursday, laying out the details of how the malware, a so-called "RAM scraper," worked. The card information was collected directly from the magnetic stripes before it could be encrypted, but the most striking part is that it was sent to a server inside Target just six days later. That internal server uploaded 11 gigabytes of data over two weeks.

"Either this is yet another breach because the server was controlled by the hacker, or perhaps this was an inside job," Lanterman speculated.

An analysis posted on Seculert appears to confirm Krebs' cyber sleuthing, explaining that the stolen data went through the FTP server of an apparently hijacked website. Those transmissions reportedly occurred several times a day over a two-week period, beginning on Dec. 2.


Target has fielded a lot of criticism over its disclosures regarding the breach, with many complaining the company waited too long to disclose. Unfortunately for the Minneapolis-based retailer, Krebs believes new details will only make those cries grow louder.

Several security experts searched for a domain within Target's infrastructure using a service that pits more than 40 antivirus tools against suspicious files submitted by users. In doing so, they found several related files dated Dec. 11. It is widely believed that the malware was custom-made for the intrusion at Target, and that leads Krebs to question whether a company employee or a security contractor working on the company's behalf noticed the malware on Dec. 11.

Target CEO Gregg Steinhafel gave his first television interview about the breach on CNBC on Monday, but the timeline he set out -- which puts the confirmation of an "issue" on Dec. 15 -- did not explain when the company first began to suspect its systems had been compromised.

To this day, no antivirus product available on the market is able to detect the malicious files used in the attack, according to Krebs.
