Title: BlackPOS Malware Developer Linked to Target Data Breach
Recent investigations indicate that the data breach at Target during the 2013 holiday shopping season was part of a larger international operation. Target has said that roughly 40 million credit and debit card accounts were compromised, along with personal information (names, mailing addresses, phone numbers and e-mail addresses) for up to 70 million customers; the two groups overlap, and together they account for the widely cited figure of about 110 million affected records.
Target confirmed that malicious software had been installed on its point-of-sale (POS) systems, allowing attackers to collect card data at the moment of the transaction. The malware, known as BlackPOS and also referred to as Reedum and Kaptoxa, reads magnetic-stripe track data out of the memory of the POS application, where it sits in cleartext after the swipe and before the application encrypts it for transmission. BlackPOS was first developed in March 2013 and is sold on underground markets for between $1,800 and $2,000.
IntelCrawler's investigation identified the author of BlackPOS as Sergey Taraspov, a 17-year-old who operates under the alias "ree4" and is said to be from St. Petersburg and Nizhniy Novgorod in the Russian Federation. Taraspov has reportedly sold more than 40 versions of the crimeware toolkit to cybercriminals in Eastern Europe and beyond. That customer base is the real concern: any one of his affiliates or buyers could have carried the toolkit into Target's network.
BlackPOS is classified as RAM-scraping malware and has been reported as written in VBScript. Rather than tampering with the card reader, it scans the memory of the POS process for magnetic-stripe track data (the card number, expiry date and service code) in the window after a card is swiped and before the payment application encrypts the transaction. This is why a memory scraper works against retailers that encrypt data on disk and on the network: those controls do not protect data that is in cleartext in process memory, and only encrypting at the card reader itself (point-to-point encryption) keeps the track data out of the POS application's memory and out of the scraper's reach. In December, shortly after the breach was detected, Symantec added detection for the malware under the name Infostealer.Reedum.
The attack can be described in the tactics of the MITRE ATT&CK framework, although the specific techniques used against Target have not been disclosed, so the mapping is necessarily speculative. Initial access could have been gained through compromised credentials or phishing. The attackers then needed to move laterally from the corporate network to the segment hosting the POS systems, establish persistence on the terminals so that the memory scraper survived reboots, collect track data from process memory, and exfiltrate the harvested data to a system under their control. Privilege escalation may also have been required to reach the POS segment and install software on the terminals.
Despite naming Taraspov, IntelCrawler has stopped short of implicating him in the Target attack itself. Its analysts note that while he is a visible figure in the cybercriminal underground, the actual perpetrators are more likely to be found among his customers, who bought the malware and deployed it.
The incident underlines both the need for retailers to harden their payment environments and the persistent threat from the underground market in commodity malware and the developers behind it. For businesses that operate POS systems, the practical measures are to segment the POS network from the rest of the enterprise, restrict and monitor remote access to it, keep the terminals patched and free of unapproved software, and train staff to recognise phishing, since stolen credentials are a common way in.