Andrew Komarov, chief executive of the cybersecurity firm
IntelCrawler, told Reuters that his company has alerted law
enforcement, Visa Inc and intelligence teams at several large banks
about the findings. He said payment card data was stolen in the
attacks, though he didn't know how much.
IntelCrawler's findings are the latest sign that the cyberattacks
disclosed by Target Inc and upscale department store Neiman Marcus
are part of a wider assault on U.S. retailer customer data security.
On Thursday, the U.S. government and the private security
intelligence firm iSIGHT Partners warned merchants and financial
services firms that the BlackPOS software used against No. 3 U.S.
retailer Target had been used in a string of other breaches at
retailers — but did not say how many or identify the victims.
Credit card companies, banks and retailers say that victims of any
fraud resulting from the theft of their payment card data bear "zero
liability" and will be credited for fraudulent purchases made on
"Our rules say five days, but most consumers get (their money) back
within 24 hours," Visa spokeswoman Rosetta Jones said.
Yet consumer advocates said that any debit card fraud could result
in money being drained from a bank, mutual fund or other cash
account at a time when those funds were really needed.
"Even if you are able to recover the money later, that's going to
cause you an awful lot of pain and heartburn," said Jamie Court,
president of Consumer Watchdog, a nonprofit advocacy group.
Data breaches can also be costly for the retailers and credit card
firms affected, along with the companies that process the payments,
people who have reviewed past attacks say.
Komarov, an expert on cybercrime who has helped law enforcement
investigate previous attacks, told Reuters on Friday that retailers
in California and New York were among those compromised by BlackPOS.
Reuters was unable to confirm their names.
Komarov said he has not directly contacted those merchants. Security
experts typically report cybercrimes through law enforcement rather
than going directly to victims because the process can be
time-consuming and victims are often suspicious when they first
learn of attacks.
BlackPOS was developed by a hacker whose nickname is "Ree4" and who
is now about 17 years old and living in St. Petersburg, Russia,
according to Los Angeles-based IntelCrawler.
The teenager sold the malicious software to cybercriminals who then
launched attacks on merchants, said Komarov, who has been monitoring
Ree4's activities since March.
Komarov declined to specifically identify the sources of his
intelligence, though he said he has been monitoring criminal forums
where Ree4 sells his software and posted an excerpt of a chat with a
client on the IntelCrawler website.
Officials with the Russian Interior Ministry could not be reached
for comment when Reuters attempted to contact them after office
hours on Friday.
The bulk of the attacks have occurred in the United States, but
about 30 percent have occurred in other countries, including
Australia and Canada, Komarov said.
Target last month disclosed the theft of some 40 million payment
card numbers in a breach uncovered over the holiday shopping season,
and later reported that 70 million customers' records had also been
Neiman Marcus last week said that it too was the victim of a cyberattack.
Sources have told Reuters that at least three other well-known
national retailers have been attacked.
John Watters, chief executive of iSIGHT Partners, which is helping
the U.S. Secret Service with its investigation into the attacks,
said that he expects the pace of assaults on merchants to pick up.
Copycats will pile on, using similar software, which can be
purchased on underground forums, and similar techniques to launch
attacks on retailers, he said. "They are saying: 'This is a great
BlackPOS is a type of RAM scraper, or memory-parsing software, which
enables cybercriminals to grab encrypted data by capturing it when
it travels through the live memory of a computer, where it appears
in plain text.
It is derived from code that has been floating around underground
cybercrime forums since at least 2005 and may be related to
malicious software used in attacks as early as 2003, said Shane
Shook, an executive with cybersecurity firm Cylance Inc who has
helped investigate major breaches at retailers.
While the technology has been around for many years, its use has
increased as retailers have improved their security, making it more
difficult for hackers to obtain credit card data using other
It succeeded in evading detection by anti-virus software when it
infected the Windows-based point-of-sales terminals at retailers
like Target, according to the report that the government privately
distributed to merchants on Thursday, which iSIGHT Partners helped
Officials with the Secret Service could not immediately be reached
(Additional reporting by Richard
Valdmanis, Lisa Baertlein, Mark Hosenball, David Henry and Megan
Davis; editing by Richard Valdmanis, Chizu Nomiyama and Jonathan
Copyright 2014 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.