As Target continues to investigate the massive data breach that has impacted as many as 110 million people, the security expert who first broke the story believes he has traced the culprits to Russia.
Security expert Brian Krebs has chronicled the details of the breach extensively via his blog, Krebs on Security. On Tuesday, he posted that the cyber crooks transmitted their payload of stolen customer data through a virtual private server (VPS) located in Russia.
Additionally, Krebs' coverage has often referenced a specific text string found in the malware samples -- "Rescator." Shortly after the data breach came to light, Rescator became the subject of another Krebs blog post focusing on who was selling the stolen credit and debit card data.
WHO IS RESCATOR?
Krebs believes he has traced the trail from Rescator to a particular young man in Ukraine who has been selling the malware on the black market for as little as $2,300. McAfee published its own blog post on Wednesday that also contained the Rescator moniker when looking into the two malware uploaders used in the Target breach.
That may be the needle in the digital haystack -- a text string embedded in the malware containing the handle of a notorious Russian-speaking carder.
"Russian malware is very aggressive, and because of that, they're very good," Mark Lanterman told Fox 9 News. "They don't care if you find them because they're just developing malware."
Of course, it is possible that someone is using the Rescator name to throw authorities off their own trail, but Lanterman doubts it.
"My experience is hackers have egos and they want credit for their works of art," he said. "This software is near and dear to the author and he wants to be acknowledged as the author -- and my guess is, that truly is the author."
HOW THE MALWARE WORKS
A number of tech blogs covered the story on Thursday, laying out the details of how the malware, a so-called "RAM scraper," worked. Card data is read from the magnetic stripe into the point-of-sale terminal's memory in the clear, and the malware harvested it there before the terminal could encrypt it. The wildest part is that the harvested data was then staged on a server inside Target's own network just six days later. That internal server went on to upload 11 gigabytes of data over two weeks.
"Either this is yet another breach because the server was controlled by the hacker, or perhaps this was an inside job," Lanterman speculated.
An analysis posted on Seculert appears to confirm Krebs' cyber sleuthing, explaining that the stolen data left Target's network via the FTP server of an apparently hijacked website. Those transmissions reportedly occurred several times a day over a two-week period, beginning on Dec. 2.
QUESTIONING TARGET'S DISCOVERY TIMELINE
Target has fielded a lot of criticism over its disclosures regarding the breach, with many complaining the company waited too long to disclose. Unfortunately for the Minneapolis-based retailer, Krebs believes new details will only make those cries grow louder.
Several security experts searched Virustotal.com, which pits more than 40 antivirus tools against suspicious files submitted by users, for the name of an internal Target domain. In doing so, they found several related malware files that had been uploaded on Dec. 11. It is widely believed that the malware was custom-made for the intrusion at Target, so whoever submitted those samples most likely had access to Target's systems. That leads Krebs to question whether a company employee or a security contractor working on the company's behalf had already noticed the malware on Dec. 11.
Target CEO Gregg Steinhafel gave his first television interview about the breach on CNBC on Monday, but the timeline he set out -- which puts the confirmation of an "issue" on Dec. 15 -- did not explain when the company first began to suspect its systems had been compromised.
As of Krebs' reporting, no antivirus product available on the market detects the malicious files used in the attack.