Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Target, Neiman Marcus Malware Creators Identified

Eastern European team developed memory-scraping Kaptoxa (BlackPOS) malware, sold it at least 40 times, says cyber-intelligence firm.

Top 10 Retail CIO Priorities For 2014
Top 10 Retail CIO Priorities For 2014
(Click image for larger view and slideshow.)

A team of at least two developers created the point-of-sale malware used to hack Target, Neiman Marcus, and likely other retailers in the United States, Australia, and Canada.

So said information security intelligence firm IntelCrawler Friday in a report that named a 17-year-old Russian teenager, who used the online handle "ree[4]" (a.k.a. ree4), suspected of being the author of the BlackPOS -- for point-of-sale -- malware. The malware is also known as Kaptoxa, or "potato" in Russian.

But security journalist Brian Krebs, who broke the news of the Target breach in December, questioned IntelCrawler's findings. Subsequently, the intelligence firm updated its research, naming instead a second teenage suspect, who it said shared the ree4 handle with the first suspect. "Intelcrawler apparently just changed its mind about the guy responsible for the Target POS malware," Krebs tweeted Monday. "Now they have the right guy."

The revised research report said that the first suspect was one of several individuals who provided technical support for the newly named suspect -- again, ree4 -- who is a "very well known programmer of malicious code" who appears to be based in St. Petersburg, Russia, while the gang at large appears to be based either in Russia or also former Soviet satellites.

[Sure, malware exists, but is it as bad as the news suggests? See Malware: More Hype Than Reality.]

The Kaptoxa malware was also sold under the name "Dump Memory Grabber," and reportedly found a number of buyers. "Ree4 has sold more than 40 builds of BlackPOS to cybercriminals from Eastern Europe and other countries, including the owners of underground credit cards shops such as '.rescator,' 'Track2.name,' 'Privateservices.biz,' and many others," according to the IntelCrawler report. The firm said that the developers also appear to have sold the source code to several buyers, and modified builds of the code for others.

The malware was advertised on hacking forums as being able to scrape POS device RAM to intercept credit card data, and then dump -- transmit -- that data in batches via FTP to an external server. "This trojan is written on pure C++ without any additional libraries, is used for dumps grabber [and] credit cards from RAM memory of all running processes," according to a translation of a Russian-language advertisement, published by IntelCrawler. "It works on all Windows systems, including x64. It uses mmon.exe for RAM scanning, very silent on the computer, there is a timeout for autorun (we can change it). It can also repeat sending dumps. The log is sent to the gate through FTP, each new log has the date, like 1.09.56-16.02.2013.txt, we can also modify it on email. All questions to [email protected]."

Those details square with what's known about the Target breach, including attackers' using memory-scraping malware and exfiltrating stolen data via FTP to a server in Russia.

Image credit: Robert Scoble.
Image credit: Robert Scoble.

Target warned customers in mid-December that 40 million debit and credit cards had been stolen. Later, it said that attackers had also obtained personal information on 70 million customers. That suggests that the gang behind the Target attack employed more than just POS malware.

People with knowledge of the investigations at Target and Neiman Marcus, speaking on background, have said that the breaches are related, and suggested that at least three more retail firms were likewise compromised. While the Target breach began in late November 2013, recent reports have also suggested that Neiman Marcus was hacked in July 2013, and the breach not fully contained until Jan. 12, 2014.

How much might attackers have spent to successfully hack into POS systems at Target or any other retailer? IntelCrawler said the Kaptoxa malware was being sold for $2,000, or else a 50% cut of all profits made from intercepted credit and debit card data, to be deposited to the developer's Liberty Reserve account.

But the real culprits are arguably the gang or gangs that have been actively employing the POS malware, rather than whoever built the malware. "The real bad actors responsible for the past attacks on retailers such as Target and Neiman Marcus were just his customers," said Dan Clements, president of IntelCrawler, via the company's research report.

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.

Next-gen intrusion-prevention systems have fuller visibility into applications and data. But do newer firewalls make IPS redundant?Also in the The IPS Makeover issue of Dark Reading Tech Digest: Find out what our 2013 Strategic Security Survey respondents have to say about IPS and firewalls. (Free registration required.)

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
David F. Carr
David F. Carr,
User Rank: Strategist
1/21/2014 | 12:41:12 PM
Did this malware target some particular POS platform?
Do we know whether this malware was targeted at a specific POS platform? Or are POS systems so similar, regardless of who makes them, that the software was able to target a range of environments?
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
1/21/2014 | 4:09:47 PM
Re: Did this malware target some particular POS platform?
Are Russian authorities likely to do anything about this guy?
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/21/2014 | 4:39:10 PM
Re: Did this malware target some particular POS platform?
I'm more interested in finding out whether retailers in the U.S. will be more proactive about moving to a smart-card system, which is much harder to hack, than our current magnet stripe cards. The WSJ reported yesterday that Target 10 years ago halted the rollout of a chip-based payment system because execs in store operations and merchandising "worried that the technology slowed checkout speeds and didn't offer enough marketing benefits." 

Hindsight is always 20-20, isn't it?


User Rank: Apprentice
1/23/2014 | 5:11:25 AM
Re: Did this malware target some particular POS platform?
That would be a strong "no." Historically, at least, Russian authorities have looked the other way, so long as hackers inside the border don't attack other Russians. The lack of an extradition treaty with the US probably seals the (no) deal. 

Yet one more good reason for the IT department to be watching network traffic for any connections to Russian-based FTP servers. Especially from their payment processing system. 
User Rank: Apprentice
1/22/2014 | 8:31:18 AM
Re: Did this malware target some particular POS platform?
Many POSs and ATMs use Windows and that's all the similarity this kind of malware needs.  When a card is swiped by a pin pad, the data is sent to the POS system.  Pin Pads are just like any other peripheral in that they need a physical interface through which they speak to the POS.  It could be USB, serial port, Ethernet or wireless.  If the data is not encrypted before it's sent to the POS, the clear text information can be found in the OS interface buffer or the peripheral device driver buffer.  If it's encrypted, the POS software will eventually decrypt it to create an authorization packet and forward it to the payment processor.  The POS may encrypt the packet again but by that time it's too late.  At first it might seem incredible to hijack temporary data that might be actively referenced by the POS software for less than a second.  However, the techniques used to allocate RAM have similarities to file systems on fixed disks.  Most folks know that a deleted file doesn't mean the data it contained is truly gone.  Memory use by applications can be similar.  Programs are constantly allocating temporary buffers (i.e. a sequence of characters to hold credit card data) and then releasing them.  Temporary buffers are just like file data -- it doesn't cease to exist just because it has been "released" (like a file being deleted).  It might hang around in memory for a long time before that memory is needed again.  An application can be written to make it tougher for RAM-scraping malware to work by clearing the buffer before releasing it but if the data was decrypted, this technique must be thorough.  That means any code that comes into contact with the decrypted data has to overwrite sensitive data contained in buffers before releasing them.  Application developers generally don't recreate existing wheels.  Decryption of data is likely going to be done outside of the POS application by using some kind of library -- possibly one provided by the OS or a third party.  This means careful handling of buffers would need to extend into the decryption/encryption routines.

If memory scraping malware cannot be eliminated or foiled, the only choice is to remove the POS from the authorization equation and do it in the pin pad.  Modern pin pads are tiny computers.  They could complete the authorization transaction on their own and only provide the POS with truncated data.  POS-based memory scraping malware would disappear since it would no longer have access to valuable information.  Most POS systems allow the cashier to enter the credit card when the mag-stripe is damaged but this would represent a far smaller cache of data and may not be a large enough target for thieves.

Of course criminals adapt and if the POS no longer contains valuable information, they'll move their assault to the pin pad.  Some pin pads are designed to self-destruct if they are opened.  Obviously the inventive criminal might be able to drill a hole in the case like crooks did with a recent ATM attack.  However, physical access to thousands of devices now becomes a formidable barrier and I suspect there could be additional tamper prevention techniques employed to thwart holes being drilled (i.e. A plastic bag embedded with a fine coated-wire conductive loop mesh that surrounds the pin pad circuit board.  The loop could be connected to the pin pad and like the classic window security foil, if the conductive loop is broken, the device self-destructs.  They could also dip the entire circuit board in something that dries rock hard, is opaque and impervious to solvents.  Attempts to access the circuit board destroys it.)
User Rank: Apprentice
1/22/2014 | 9:09:17 AM
Re: Did this malware target some particular POS platform?
BlackPoS's malware developer ree4 has been identified as Shabayev, aged 23 from Russia. He has already admitted having been the mastermind behind the malware's development last year.. http://www.bestvpnservice.com/blog/malware-and-its-russian-coder-behind-target-data-breach-identified
User Rank: Apprentice
5/28/2014 | 7:22:44 AM
Re: Did this malware target some particular POS platform?
Here it is good information provided here about malwares. Didn't know about the facts. Appreciable post.

User Rank: Moderator
1/21/2014 | 8:51:06 PM
Can it Happen Again?
The real worry is that other retailers, using the same POS terminals will be attacked next.

Isn't it time to look for a solution, before this happens?

For instance, why do you have to give your credit card details to the retailer, to pass to the credit card company? Obviously, so they can know who you are, and that it's really your card. Okay, then, why not use an authentication system based on your ID, instead? Then, the credit card need only contain your user ID, which they could check, and tie in with the card details, which they already know. That way, the retailer would have nothing worth stealing. Of course, the authentication system would need to be fraudproof, and I believe there's a description of such a system at www.designsim.com.au/What_is_SteelPlatez.ppsx.
 I guess the other benefit of doing something like this, is that the credit card companies wouldn't have the expense of changing to EMV cards, or resorting to something unpleasant, like biometrics.
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file