As previously reported, the breach appears to have been carried out using an off-the-shelf malware known as BlackPOS – which may have also been involved in the Neiman Marcus attack.
The teen – thought to be 17 years old – created the PoS skimmer, and has had good success selling it to cybercriminals worldwide, according to an investigation by IntelCrawler. The first sample of BlackPOS was created in March 2013.
According to operative information from IntelCrawler, the distributor of the malware is Rinat Shibaev, working closely with someone named Sergey Taraspov, who acts as technical support together with several other members of a cybercrime collective with roots in St. Petersburg, Russia. These are “very well-known programmers of malicious code in the underground,” the firm said.
"He is still visible for us, but the real bad actors responsible for the past attacks on retailers such as Target and Neiman Marcus were just his customers,” said Dan Clements, IntelCrawler president.
The first infected PoS environments by BlackPOS were in Australia, Canada and the US, IntelCrawler noted. At that time, the first name of the malware was "Kaptoxa,” which means potato in Russian slang. Its availability dovetailed with large-scale RDP brute-forcing attacks on PoS terminals across those countries, using weak passwords.
The malware was then renamed in the underground forums where it was sold. And sell it has: the teen and his cronies have sold more than 40 builds of BlackPOS to cybercriminals from Eastern Europe and other countries, including the owners of underground credit cards shops such as ".rescator," "Track2.name," "Privateservices.biz" and many others, IntelCrawler uncovered.
The researchers have also confirmed that several copies of BlackPOS/Kaptoxa were sold in the form of source code, and, some experienced cybercriminals requested individual modifications.
iSIGHT Partners, working with the US Secret Service, independently corroborated the findings, determining that Kaptoxa has potentially infected a large number of retail information systems.
"Most of the victims are department stores,” said Andrew Komarov, IntelCrawler CEO. “More BlackPOS infections, as well as new breaches can appear very soon, [and] retailers and [the] security community should be prepared for them.”