At least six U.S. retailers were under a massive cyberattack Friday, which employed the same software used late last year to steal credit-card data from some 40 million Target Inc. (NYSE:TGT) customers and personal data from another 70 million Target customers, said cybersecurity firm IntelCrawler.
Andrew Komarov, IntelCrawler’s chief executive, said his firm knows the identity of two of the companies but has not yet publicly disclosed their names. He has been working with law enforcement, Visa Inc. (NYSE:V), and intelligence teams from several banks to combat the cyberattack and identify the stores, as their names are not available through only the public IP addresses.
IntelCrawler’s discovery is the most recent evidence suggesting the cyberattacks of Target Inc. and Neiman Marcus may only be part of a larger attack.
In an email to the IBTimes, Komarov said a Canadian store was compromised in 2012 by the same type of malware, which means that the first variant of it was approbated there by the author, Sergey Taraspov, now about 17 years old. Taraspov has roots in St. Petersburg and is a well-known, underground programmer of malicious code. He has sold more then 40 builds of BlackPOS to cybercriminals from Eastern Europe and other countries, including the owners of underground credit cards shops such as ".rescator", "Track2.name", "Privateservices.biz" and many others.
"He is still visible for us, but the real bad actors responsible for the past attacks on retailers such as Target and Neiman Marcus were just his customers," Dan Clements, president of IntelCrawler, said in a statement.
InterCrawler began detecting large-scale cyber attacks on point-of-sale terminals across the U.S., Canada and Australia in early 2013. The company is not aware of any non-U.S. retailers now being attacked with BlackPOS software, Komarov said.
Retailers in California and New York were among those hacked with kARTOXA/BlackPOS, the software used in the attack on Target.
Security researchers at the Los Angeles-based IntelCrawler said the teen malware author created the first sample of the software in March 2013. Komarov issued the first report on this malware in the beginning of the spring, when he worked for another forensics company.
Komarov also said in an email to the IBTimes that there is evidence of more than six ongoing attacks, but that he cannot yet release more information.
"We will report with the first feedback and approval from [law enforcement authorities]," Komarov said.
IntelCrawler describes itself as a "a multi-tier intelligence aggregator, which gathers information and cyber prints from a starting big data pool of over 3,000,000,000 IPv4 and over 200,000,000 domain names, which are scanned for analytics and dissemination to drill down to a desired result."