
Stolen customer data sold online

 

One year after thieves infiltrated Target’s cash registers in the US, a website is openly selling millions of credit and debit card numbers stolen in that data breach and many others.

Anyone can log on to the site, rescator.cc, and shop for cards by postcode.

This illegal marketplace is the most glaring reminder that no one has been brought to justice in the theft of Target customer data.

US federal authorities declined to say anything about their investigation, which is being led by the Secret Service.

Yet cybersecurity professionals have pointed to one person they believe is linked to the stolen card website – a Ukrainian hacker named Andrey Hodirevski.

Brian Krebs is the blogger who broke the Target breach story and first named Hodirevski a year ago.

“He may not be rescator, but it’s pretty clear that he knows the people who are and probably is in touch with them,” Krebs said.

Two other security pros say Hodirevski almost certainly has a hand in running the site.

Dmitry Volkov, head of investigations at Russian computer security company Group-IB, said that Hodirevski goes by the nickname “rescator” and has for several years been on his company’s radar as a carder, or dealer in stolen payment card information.

He said Hodirevski was a main member of DarkLife, a defunct Russian language hack team.

“He has a high reputation and credibility among other carders and hackers,” Volkov said.

“He is not just another carder.”

Mark Lanterman, a former member of the Secret Service Electronic Crimes Task Force, and now chief technology officer at Computer Forensic Services in Minnetonka, Minnesota, said the evidence points to Hodirevski.

“It’s circumstantial, but there’s a lot of it,” Lanterman said.

“His website is up and active and going stronger than ever, which is disappointing.”

Hodirevski has not spoken out publicly, despite his name and photos having been publicised in cybersecurity reports, and magazines such as Bloomberg Businessweek.

One Ukrainian familiar with him said Hodirevski is living in a flat in Odessa with his grandmother following a previous hacking arrest, and he is being monitored by the Security Service of Ukraine.

In a conference room at his Minnetonka offices, Lanterman logs in to rescator.cc.

Over the past year, he’s found information on the site from tens of thousands of cards stolen from Target stores.

The shop operates in the open now, he said.

Lanterman believes that rescator sells the software that hackers have used to break into retailers’ point of sale computers.

Then buyers customise it for victims such as Target, and others install it and do the rest of the dirty work, and give rescator the stolen card information to sell.

From his house in the US, blogger Krebs tracks organised cybercrime groups, particularly those in eastern Europe.

Krebs became a minor celebrity after breaking the news of Target’s breach last year and then following a trail of digital bread crumbs, such as usernames from rescator, to Hodirevski.

Krebs blogged on Krebsonsecurity.com that rescator is a leading member of Lampeduza, a ring of card thieves organised in a hierarchy modelled on ancient Rome, using aliases such as Flavius and Octavius.

(The name rescator, however, likely refers to the pirate character by that name in the 1967 French adventure film Untamable Angelique.)

Krebs linked rescator to the online alias Helkern or “hel”.

The domain Helkern used was first registered to Andrey Hodirevski from Illichivsk, a seaport just down the Black Sea coast from Odessa.

Krebs said the cybergangs that hit Target and Home Depot are “a diverse group of folks probably across several time zones in Russia and eastern Europe”.

Whoever is running the rescator website is not just selling cards, but also appears to play an active role in stealing them because the information continues to show up in their online stores first, Krebs said.

Plus, the word “rescator” appears in a text string used with the malicious software used in the Target attack.

A recent report by Group-IB examined the Russian language carding market and said rescator not only runs his own shops but supplied information from more than 5 million cards stolen from Target to a popular online crime shop called Swiped1.su.

Group-IB estimated that the 151,720 cards rescator sold there from December 2013 to February 2014 earned rescator about $US1 million ($A1.08 million).

TNS
