In this period further information has emerged regarding a large-scale breach of customer data at Target. The Minneapolis-based chain has had the credit and debit card details, names, addresses, email addresses, and phone numbers of up to 70 million customers stolen. The breach occurred when a form of malware known as Kaptoxa (written in Cyrillic and pronounced Kar-toe-ha, from the Russian for ‘potato’) was downloaded to the retailer’s POS systems (point of sale, referring to the hardware and software that manages card transactions at checkouts) from a central server. The ‘memory scraping’ malware accessed card data briefly held in the POS memory after cards were swiped, sending it to a server within Target’s network. These details were later manually transferred to a Russian-based server and subsequently offered for sale on specialised ‘carding’ forums used to facilitate card fraud.
Kaptoxa is a variant of a previous form of malware known as BlackPOS, which uses the POSRAM Trojan to access and glean data from the POS systems. Variations of BlackPOS were also reportedly used in several smaller-scale operations throughout 2013, suggesting potential trial runs before the larger and more lucrative Target breach. A significant adaptation for Kaptoxa made it fully undetectable (‘FUD’, in the criminal vernacular) to firewalls and antivirus programs, facilitating its spread throughout Target’s network. This particular theft of 11GB of data is thought to have lasted from November 27 to the announcement of its discovery on December 15. However, samples of Kaptoxa were reportedly submitted for online analysis as early as December 11, demonstrating both ...........
Though the authors of such malware are often able to maintain their anonymity, evidence on social media traced responsibility back to a 16-year-old Russian, Sergey Taraspov. However, it appears that Taraspov, possibly along with other Russian and Ukrainian coders, acted in a technical support role to Rinat Shibaev, a 23-year-old from St. Petersburg. Demonstrating an increasing trend of collusion between coders and criminal groups, Shibaev is then thought to have sold the malware to as many as 60 buyers for a reported fee of USD 2,300. These anonymised transactions further complicate the law enforcement response to such incidents – an already problematic situation due to the tendency of Russian authorities to disregard operations that don’t affect domestic businesses.
Though CVV numbers (the three-digit code on the reverse of the card that is required for most online purchases) were not included in the data, the card details have been in high demand on carding forums such as Lampeduza.net and Rescator.la, selling for between USD 20 and 100. The administrator of the latter, the user ‘Rescator’, advertised one dump named ‘Tortuga’, offering a money-back guarantee for purchases of cards that had been cancelled due to the detection of fraudulent activity. This illustrates the increasing tendency towards ‘customer service’ on such forums, initially assessed in our coverage of ransomware trends on 21 November 2013. Tortuga cards also included the zip code, state, and city from which the details were stolen, allowing the purchaser to adapt their behaviour to avoid alerting the card issuer to suspicious activity. Cloned cards are likely to be used in stores to buy high-value goods – such as games consoles and gift cards – and increasingly to purchase virtually untraceable online currencies, such as Bitcoin.
Criminal groups have reportedly also targeted four mid-sized department stores in Arizona, Colorado, California, and New York, as well as two smaller Los Angeles-based clothing companies, so further information regarding these targets is likely to follow in the ensuing period. Such coverage may strengthen the case for the adoption of enhanced counter-fraud features used by UK retailers – such as Chip and PIN – which reduce the risk of a similar issue directly affecting British customers. However, the sophistication of the criminal operation and its continued ability to adapt to and overcome conventional security measures give cause for concern, while the increasing tendency for malware authors to advertise their ‘products’ is also likely to continue. Such an approach may increase the attention they receive from law enforcement and potentially prevent the proliferation of certain strains of malware – as appears to have been the case with Prison Locker, covered in the 9 January Monitor. Despite this, it increases the availability of criminal tools to a wider audience while furthering the degree of anonymity for the actual perpetrators, meaning that refined marketing strategies are likely to ensue in the coming months.