On Dec. 18, 2013, KrebsOnSecurity broke the news that U.S. retail giant Target was battling a wide-ranging computer intrusion that compromised more than 40 million customer payment cards over the previous month.
Ten years later, KrebsOnSecurity has uncovered new clues about the real-life identity of Rescator.
Rescator, advertising a new batch of cards stolen in a 2014 breach at P.F. Chang's.
Shortly after breaking the Target story, KrebsOnSecurity reported that Rescator appeared to be a hacker from Ukraine.
It may be helpful to first recap why Rescator is thought to be so closely tied to the Target breach.
Investigators would later determine that a variant of the malware used in the Target breach was used in 2014 to steal 56 million payment cards from Home Depot customers.
Once again, cards stolen in the Home Depot breach were sold exclusively at Rescator's shops.
On Nov. 25, 2013, two days before Target said the breach officially began, Rescator could be seen in instant messages hiring another forum member to verify 400,000 payment cards that Rescator claimed were freshly stolen.
Prior to the Target breach, Rescator had mostly sold much smaller batches of stolen card and identity data, and the website allowed cybercriminals to automate the sending of fraudulent wire transfers to money mules based in Lviv, Ukraine.
FLASHBACK. The new clues about Rescator's identity came into focus when I revisited the reporting around an April 2013 story here that identified the author of the OSX Flashback Trojan, an early malware strain that quickly spread to more than 650,000 Mac computers worldwide in 2012.
The legitimate owner of that BlackSEO user cookie went by the nickname Ika, and Ika's private messages on the forum showed he was close friends with the Flashback author.
Pw - a closely-guarded Russian forum that counted among its members some of the world's most successful and established spammers and malware writers.
Unbeknownst to Ika at the time, his Pustota forum also had been completely hacked that week, and a copy of its database shared with this author.
A Google translated version of the farewell post from Ika, the administrator of Pustota, a Russian language cybercrime forum focused on botnets and spam.
Ika said the two individuals who tried to dox him did so on an even more guarded Russian language forum - DirectConnection[.
New applicants of this forum had to pay a non-refundable deposit, and receive vouches by three established cybercriminals already on the forum.
Even if one managed to steal a user's DirectConnection password, the login page could not be reached unless the visitor also possessed a special browser certificate that the forum administrator gave only to approved members.
R-fac1 told forum members that he was only looking to use those accounts to post harmless links and comments to the followers of the hacked profiles, and his post suggested he was testing something.
In 2013, Vrublevsky was sentenced to 2.5 years in a Russian penal colony for convincing one of his top spammers and botmasters to launch a distributed denial-of-service attack against a ChronoPay competitor that shut down the ticketing system for the state-owned Aeroflot airline.
KrebsOnSecurity sought comment on this research from the Federal Bureau of Investigation and the U.S. Secret Service, both of which have been involved in the Target breach investigation over the years.
Published on krebsonsecurity.com, Thu, 14 Dec 2023 17:55:07 +0000.