Security experts at IntelCrawler have provided a new and interesting update on the author of the BlackPOS malware: he forgot to delete his social networking profile even after being exposed by the investigators.
As we reported a few days ago, the intelligence firm IntelCrawler has identified a 17-year-old, known as "Ree[4]" in the underground market, as the author of the BlackPOS/Kaptoxa malware used in the attacks against the Target and Neiman Marcus retailers.
The teenager is not directly responsible for the Target attack, but he sold BlackPOS to other cyber gangs; the admins of the underground credit card marketplaces ".rescator", "Track2.name" and "Privateservices.biz", among many others, were his clients.
Who is Ree[4]?
IntelCrawler exposed Ree[4]'s original profile as Sergey Taraspov, a 17-year-old Russian programmer based in St. Petersburg and Nizhniy Novgorod (Russian Federation).
Before both breaches, IntelCrawler detected large-scale RDP brute-forcing attacks on point-of-sale terminals across the US, Australia and Canada, which started in the winter at the beginning of 2013 and used weak passwords such as:
"pos":"pos";
"micros":"micros" (MICROS Systems, Inc. - Point-of-Sale Hardware);
"edc":"123456" (EDC - Electronic Draft Capture).
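As an added defensive example (not code from the IntelCrawler report), the following Python detection logic flags a source that fails many RDP logons against a POS host within a short window and notes whether the default accounts named above were among those tried. The log lines are constructed and modelled on Windows Security event 4625 (failed logon), where LogonType 10 means a RemoteInteractive, i.e. RDP, attempt; the field layout is an assumption for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default POS service accounts named in the report (detection watch list).
POS_DEFAULT_ACCOUNTS = {"pos", "micros", "edc"}

# Constructed sample lines modelled on Windows Security event 4625;
# LogonType=10 is RemoteInteractive, i.e. an RDP logon attempt.
SAMPLE_LOG = """\
2013-01-14T03:12:07Z host=POS-REG-07 EventID=4625 LogonType=10 TargetUserName=pos IpAddress=203.0.113.45
2013-01-14T03:12:09Z host=POS-REG-07 EventID=4625 LogonType=10 TargetUserName=micros IpAddress=203.0.113.45
2013-01-14T03:12:11Z host=POS-REG-07 EventID=4625 LogonType=10 TargetUserName=edc IpAddress=203.0.113.45
2013-01-14T03:12:14Z host=POS-REG-07 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2013-01-14T03:12:16Z host=POS-REG-07 EventID=4625 LogonType=10 TargetUserName=pos IpAddress=203.0.113.45
2013-01-14T08:45:02Z host=POS-REG-03 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.8
2013-01-14T09:10:30Z host=POS-REG-03 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

def detect_rdp_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return one alert per (source IP, host) with >= threshold failed RDP logons
    (event 4625, LogonType 10) inside any window_seconds span, listing which
    default POS accounts were tried."""
    failures = defaultdict(list)  # (ip, host) -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["eid"] != "4625" or m["lt"] != "10":
            continue  # only failed RDP logons count
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        failures[(m["ip"], m["host"])].append((ts, m["user"].lower()))
    alerts = []
    for (ip, host), events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until events[start..end] fit in the window
            while events[end][0] - events[start][0] > timedelta(seconds=window_seconds):
                start += 1
            if end - start + 1 >= threshold:
                users = {u for _, u in events[start:end + 1]}
                alerts.append({"ip": ip, "host": host, "failures": end - start + 1,
                               "default_pos_accounts": sorted(users & POS_DEFAULT_ACCOUNTS)})
                break  # one alert per source/host pair is enough
    return alerts
```

Running `detect_rdp_bruteforce(SAMPLE_LOG)` on the constructed log yields a single alert for 203.0.113.45 against POS-REG-07 with all three default accounts present; the lone failure from 198.51.100.8 stays below the threshold.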
After the latest report from the IntelCrawler team, we noticed reactions from a few security researchers raising doubts about the investigation and the details of Ree[4]'s profile.
Today we have another exclusive update and more evidence from the security researchers at IntelCrawler on the author of BlackPOS. The author is the bad actor with the nickname "ree4" or "ree[4]", who started selling this malware on an underground forum called "Exploit.in", as the following screenshot suggests:
Although the author of the BlackPOS malware is a cyber expert, it seems he ignored the power of social networking platforms and the possibility of using them for OSINT (open-source intelligence) purposes.
The popular Russian social networking website 'VKontakte' has a profile with the same nickname as BlackPOS's author. Obviously, this alone is not conclusive evidence.
To collect more evidence, the researchers at IntelCrawler noted that one of the interests listed on that profile is "coding", and they also matched the profile's email address through the site's password-recovery-by-email option:
According to operative information from IntelCrawler, the person behind the nickname "ree[4]" is Rinat Shibaev, who works closely with Sergey Taraspov, a very well known coder of malicious code in the underground community with roots in St. Petersburg (Russian Federation), who acted as his technical support.
Let's wait for new updates from Andrew Komarov, Dan Clements and the experts at IntelCrawler.