17 y/o Teenager is the Author of BlackPOS/Kaptoxa Malware (Target)


Turk

Los Angeles, California - January 17, 2014

The massive data breach at Target during the 2013 holiday shopping season, which the retailer now admits affected 70 million customers, used an inexpensive "off the shelf" malware known as BlackPOS. The same malware may have also been involved in the Neiman Marcus attack.

Security researchers from IntelCrawler, a Los Angeles-based cyber intelligence company, announced that the author of the BlackPOS malware is close to 17 years old and that the first sample of it was created in March 2013. The first report on this malware was made at the beginning of spring by Andrew Komarov, IntelCrawler CEO, when he was working at another forensics company.

According to IntelCrawler's own sources, the first Point-of-Sale environments infected by BlackPOS were in Australia, Canada and the US. The first name of the malware was a lyric "Kaptoxa" ("potato" in Russian slang), which was then renamed to "DUMP MEMORY GRABBER by Ree[4]" for forum postings, but the C&C title contained the string "BlackPOS". During that time, "Ree[4]" ("ree4") sold more than 40 builds of BlackPOS to cybercriminals from Eastern Europe and other countries, including the owners of underground credit card shops such as ".rescator", "Track2.name", "Privateservices.biz" and many others.

Around the same dates the detailed information and reverse engineering report were shared with Visa and several major US banks, after which US LEA released an internal notification for the financial industry about it. The bad actor was quite open about trading this malware for 2 000 USD or for a 50% share of the sales of all credit cards intercepted by his customers, paid through Liberty Reserve.
[email protected]: http://ree4.7ci.ru/dump_grabber.php
[email protected]: it is the administrative panel
[email protected]: password "pass"
[email protected]: http://www.sendspace.com/file/zglgvy
[email protected]: after infection you will receive "readme.txt", like a "ping"

The first C&C server of BlackPOS was installed on "ree4.7ci.ru", which was the personal host of its author with the nickname "ree[4]". Some other hosts were found on this domain name, as it was probably used as hosting for all members of the same group:

- onlyddos.7ci.ru;
- merzavetz.7ci.ru;
- reperckov41.7ci.ru.

[email protected]: http://plasmon.rghost.ru/44699041/image.png
hidden: how does it keep the data ( intercepted credit cards)?
[email protected]: on the left side there are files, time.txt, then you click on it and you will find the dumps in the browser in plaintext
hidden: are there any differences in terms of infected Point-of-Sale systems?
[email protected]: no, but there are some nuances, for example it doesn't work on Verifone
hidden: really? I have Verifones ...
[email protected]: it grabs dumps from memory, Verifone can be connected to PC, but it will be "secured", you need standalone Point-of-Sale terminals with monitor and Windows
hidden: how much?
[email protected]: 2000 USD
[email protected]: 1st build

Previously he had created several tools used in the hacking community for brute force attacks, such as "Ree4 mail brute", and also earned some of his first money with social network account hacking and DDoS attack training, as well as software development including malicious code.

Investigators from IntelCrawler have also profiled the bad actor:

E-mail 1: [email protected]
E-mail 2: [email protected]
ICQ: 565033
Skype: s.r.a.ree4


According to operative information from IntelCrawler, the person behind the nickname "ree[4]" is Sergey Taraspov, with roots in St. Petersburg and Nizhniy Novgorod (Russian Federation), a very well known programmer of malicious code in the underground.

"He is still visible to us, but the real bad actors responsible for the past attacks on retailers such as Target and Neiman Marcus were just his customers", comments Dan Clements, IntelCrawler President. Before both breaches IntelCrawler detected large-scale RDP brute-forcing attacks on Point-of-Sale terminals across the US, Australia and Canada, which started at the beginning of 2013 in the winter period, using weak passwords such as:

"pos":"pos";
"micros":"micros" (MICROS Systems, Inc. - Point-of-Sale Hardware);
"edc":"123456" (EDC - Electronic Draft Capture).

February 9th, 2013, 14:30
URL: http://www.rf-cheats.ru/forum/archive/index.php/t-156884.html

IP Address: 71.138.234.81
Location: UNITED STATES, CALIFORNIA, LOS ANGELES
Latitude & Longitude: 34.052230, -118.243680
Connection: 26 INTERNATIONAL INC
Net Speed: (COMP) Company/T1
IDD & Area Code: 213/310/424/323
ZIP Code: 90001
Weather Station: LOS ANGELES (USCA0638)

IP Address: 75.127.54.179
Location: UNITED STATES, CALIFORNIA, LOS ANGELES
Latitude & Longitude: 34.002300, -118.211520
Connection: DESIGN COLLECTION
Net Speed: (COMP) Company/T1
IDD & Area Code: 213/323
ZIP Code: 90058
Weather Station: LOS ANGELES (USCA0638)
Usage Type: (COM) Commercial

February 21st, 2013, 13:36

IP Address: 63.138.49.238
Location: UNITED STATES, NEW YORK, FAIRPORT
Latitude & Longitude: 43.088572, -77.432766
Connection: PAETEC COMMUNICATIONS INC.
Domain: PAETEC.COM
Net Speed: (DSL) Broadband/Cable
IDD & Area Code: 585
ZIP Code: 14450
Weather Station: FAIRPORT (USNY0477)

May 21st, 2013, 18:26
URL: http://d3scene.ru/besplatnye-razdachi-i-pooschreniya/49081-razdacha-dedikov.html

IP Address: 168.215.163.98
Location: UNITED STATES, COLORADO, LONE TREE
Latitude & Longitude: 39.546295, -104.896772
Connection: TW TELECOM HOLDINGS INC.
Domain: TWTELECOM.NET
Net Speed: (COMP) Company/T1
IDD & Area Code: 303
ZIP Code: 80124
Weather Station: PARKER (USCO0306)


According to The New York Times (NYT), Neiman Marcus acknowledged that the time stamp of the first intrusion was in mid-July, which may correlate well with the compromised Point-of-Sale systems that were found.

July 19th, 2013
URL: http://freegaming.ucoz.net/news/razdacha_dedikov/2013-07-19-3
"EDC" - Electronic Draft Capture, also known as "EDC" or "Point Of Sale" (POS), allows you to capture and authorize a credit card.

IP Address: 64.119.39.123
Location: UNITED STATES, ARIZONA, TUCSON
Latitude & Longitude: 32.044150, -110.734770
Connection: PRIVATE CUSTOMER
Net Speed: (COMP) Company/T1
IDD & Area Code: 520
ZIP Code: 85747
Weather Station: TUCSON (USAZ0247)

September 22nd, 2013, 15:52
URL: http://ccc.gs/topic/2405-razdacha-dedikov/
IP Address: 38.82.206.34
Location: UNITED STATES, CALIFORNIA, VALENCIA
Latitude & Longitude: 34.406069, -118.535302
Connection: TCAST COMMUNICATIONS INC
Domain: COGENTCO.COM
Net Speed: (DSL) Broadband/Cable
IDD & Area Code: 661
ZIP Code: 91355
Weather Station: STEVENSON RANCH (USCA1095)

"Most of the victims are department stores. More BlackPOS infections, as well as new breaches, can appear very soon; retailers and the security community should be prepared for them", commented Andrew Komarov, IntelCrawler CEO.

About IntelCrawler

IntelCrawler.com is a multi-tier intelligence aggregator, which gathers information and cyber prints from a starting big data pool of over 3,000,000,000 IPv4 addresses and over 200,000,000 domain names, which are scanned for analytics and dissemination to drill down to a desired result. This finite pool of cyber prints is then narrowed further by comparing it to various databases and forum intelligence gathered from the underground and networked security company contacts. The final result could be the location of a particular keyboard or a computer housing the threat.
http://intelcrawler.com/about/press08
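Added example, not from IntelCrawler or the original post: a defender-side check for the RDP brute-forcing of POS terminals with weak default accounts ("pos", "micros", "edc") that the release describes. It assumes Windows Security logon events (4625 failed, 4624 succeeded, LogonType 10 for RDP) have been flattened into the one-line form shown; the log lines and IPs are a constructed sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Account names the release lists as weak RDP defaults on POS terminals.
WATCHED_ACCOUNTS = {"pos", "micros", "edc"}

# Constructed sample: simplified one-line renderings of Windows Security events
# 4625 (failed logon) / 4624 (logon succeeded); LogonType 10 is RDP. IPs are documentation ranges.
SAMPLE_LOG = """\
2013-02-09T14:30:01 EventID=4625 LogonType=10 TargetUser=pos SourceIP=203.0.113.7
2013-02-09T14:30:03 EventID=4625 LogonType=10 TargetUser=micros SourceIP=203.0.113.7
2013-02-09T14:30:04 EventID=4625 LogonType=10 TargetUser=edc SourceIP=203.0.113.7
2013-02-09T14:30:06 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.7
2013-02-09T14:30:09 EventID=4625 LogonType=10 TargetUser=pos SourceIP=203.0.113.7
2013-02-09T14:31:00 EventID=4624 LogonType=10 TargetUser=pos SourceIP=203.0.113.7
2013-02-09T15:10:00 EventID=4625 LogonType=10 TargetUser=pos SourceIP=198.51.100.4
2013-02-09T15:12:00 EventID=4625 LogonType=2 TargetUser=pos SourceIP=-
"""

LINE_RE = re.compile(r"(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)")

def detect_rdp_bruteforce(log, threshold=4, window=timedelta(minutes=5)):
    """Summarise every source IP whose RDP logon failures reach `threshold` within
    any `window`: peak count, accounts tried, weak default accounts among them, and
    whether an RDP logon from that IP succeeded after the last failure."""
    failures, successes = defaultdict(list), defaultdict(list)
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        e = m.groupdict()
        ts = datetime.fromisoformat(e["ts"])
        if e["lt"] == "10" and e["eid"] == "4625":    # RDP logon failed
            failures[e["ip"]].append((ts, e["user"].lower()))
        elif e["lt"] == "10" and e["eid"] == "4624":  # RDP logon succeeded
            successes[e["ip"]].append(ts)
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        peak = start = 0
        for end in range(len(attempts)):   # sliding window over sorted failure times
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            users = sorted({u for _, u in attempts})
            alerts[ip] = {"failures": peak, "accounts": users,
                          "watched_hit": sorted(set(users) & WATCHED_ACCOUNTS),
                          "success_after": any(s > attempts[-1][0] for s in successes[ip])}
    return alerts
```

A success from the same source right after a burst of failures against the watched accounts is the case worth escalating first, since it suggests one of the default passwords was guessed.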

Blackchildcx

crazy...
