Version of Target Malware Linked to Russia

Security experts believe the malicious software that infected Target Corp. was in part the work of a 23-year-old in southern Russia who counted punk rock as a hobby.

Source: WSJ | Published on January 23, 2014

Rinat Shabaev, who lives in southern Russia, offered to sell copies of a version of the computer virus used against Target for $2,000 apiece, according to three security researchers who track Russia-linked cybercrime.

The researchers said they traced an earlier version of the software to Mr. Shabaev via digital footprints, including a user name, Ree4, that was associated with listings to sell the software, as well as an email address on Mr. Shabaev's page on VK, the Russian equivalent of Facebook.

Mr. Shabaev hasn't been accused of any wrongdoing, and writing such software isn't in itself illegal. He discussed his role in the software Tuesday in a video interview on Lifenews.ru, a Russian news site. He said in the video he didn't invent the software, which skimmed credit and debit card data when entered at cash registers. But he said he did write an extension that enabled the program to save credit-card data and stash it on a server, an improvement security experts say helped the program to work undetected at Target.

The young Russian said he wrote the program to make money by selling it, saying it could be used for benign purposes like finding vulnerabilities in computer systems. He said he had nothing to do with how it was ultimately used.

"If you use this program with ill intentions, you can make pretty good money, but that's illegal," he said in the video. "That's why I didn't want to use it. I just wrote it for sale. Let other people use it so it's on their conscience."

Attempts to reach Mr. Shabaev by email, at his page or via friends on VK, and through his former university were unsuccessful.

Researchers sometimes write such software to find holes in computer systems, a practice called "penetration testing" that is employed by major American companies. In the U.S., it is a crime only if the author uses or threatens to use the software to gain unauthorized access to a protected computer, or conspires with someone who does, said Cindy Cohn, legal director of the Electronic Frontier Foundation.

A spokesman for the Secret Service, which is investigating the attack at Target that compromised 40 million credit and debit card accounts over the holidays, declined to comment.

The origins of the software underscore how code can be written in far-flung corners of the globe and sold cheaply in the black markets of the Internet, only to emerge later as a giant headache for major companies. Still to be uncovered, however, is how the hack at Target took place and who carried it out.

Some security firms dubbed the software Kaptoxa when it appeared on hacker forums early last year. Analysts at iSight Partners Inc., which is working with the Department of Homeland Security and Secret Service on the Target intrusion, said the program would seek out payment programs and grab card data when it moved unencrypted through the system's memory. The malware would then stash the data on another compromised server inside the victim's network before transferring it to other servers outside.

Engels Technological Institute of Saratov State Technical University in southern Russia said Mr. Shabaev had been a student.

The young Russian did a separate interview that was posted late Tuesday. "I found out that I was being accused or suspected of something via the Internet," the Russian paper Komsomolskaya Pravda quoted Mr. Shabaev as saying. "Honestly, I was very surprised. I have heard about the Kaptoxa virus, but I don't have anything to do with it. Why such glory has been attributed namely to me, I don't know."

According to the newspaper, Mr. Shabaev said he wrote a plug-in for the program that saves data to a file and deposits it on a server. He said he never planned to use the program but rather wrote it to sell it.

On Wednesday, a trade group said credit unions have spent as much as $30 million dealing with the impact of the Target breach, largely to replace cards. Fraud losses would be on top of those costs, according to the survey by the Credit Union National Association.

Banks including J.P. Morgan Chase & Co. and Citigroup Inc. also have spent millions of dollars replacing cards affected in the breach.

Target said the breach, which ran from Nov. 27 to Dec. 15, scared off customers, pushing its sales below year-earlier levels during the key holiday shopping season. Earlier this month, the retailer cut by 20% its outlook for per-share profit in the U.S.

Mr. Shabaev appears to have hobbies other than coding. According to his and other VK accounts, he plays in a band called "Clever Fools."