A 17-year-old from Russia created the malicious software that allowed shoppers' data from Target and Neiman Marcus to be stolen, a California-based security firm says, and the hackers' attacks haven't yet ended.
The teen was identified in a
blog post from IntelCrawler as being a 17-year-old Russian national from St. Petersburg,
reports The New York Daily News. He wasn't directly responsible for the two major retailers' security breaches, but did sell his software throughout Eastern Europe, says IntelCrawler CEO Andrew Komarov.
Target and Neiman Marcus' accounts were hacked after the malware, called "BlackPOS" used several easy passwords to hack stores' registers remotely.
In the Target case, security was breached following Black Friday and affected up to 110 million customers who used credit or debit cards.
Target says names, mailing addresses, telephone numbers and email addresses were taken in the attack
. It is offering its customers free credit monitoring and store credit in response to the incident.
But Target may have lost many of its customers' trust through the attacks. The company last week sent an email to offer a year's worth of free credit monitoring and identity theft through Experian, but many customers believe the email is a hoax.
"[The email] is an official communication," a Target spokesperson told The Huffington Post
in an email Saturday.
The offer was also mentioned in an open letter from CEO Gregg Steinhafel, but customers remain wary.
“I won't put my Social Security number in. They try to help you, but they're asking for more information," one customer, Pam Kassner,
told Reuters.
The company has set up a site, Target.com so customers can view official communication regarding the data breach.
Meanwhile, Steinhafel says the credit card systems at Target, the country's third-largest retailer, are now secure, and there is no evidence any other guest information was removed.
Neiman Marcus CEO Karen Katz said the company is "very sorry" about the breach and said the luxury retailer wants "you always to feel confident shopping" at the store. However, the company has not revealed how many shoppers were affected or what data was stolen.
Komarov, though, said that the discoveries at Target and Neiman Marcus are just the beginning. There are at least six ongoing attacks on U.S. retailers using online credit card processing, he said.
In its blog, IntelCrawler reports that the first sample of the BlackPOS malware was created in March 2013, and stores in Australia, Canada, and the United States were the first to be hit.
According to Komarov, the 17-year-old hacker traded his malware for $2,000 or for a 50 percent share from the sales of all intercepted credit cards.
This wasn't the first time the teen created malware for "brute force attacks," says IntelCrawler. The teen also created malware to hack into social networks and for distributed denial of service (DDoS) attacks, in which incoming traffic floods a victim from many different sources, making it impossible to stop an attack by blocking a single IP address.
"Most of the victims are department stores," said Komarov. "More BlackPOS infections, as well as new breaches can appear very soon. Retailers and security community should be prepared for them."