Foreign Gangs Top List of Target Data-Breach Suspects

MINNEAPOLIS (Minneapolis Star Tribune/TNS) -

A year after thieves infiltrated Target’s cash registers, a website openly sells millions of credit- and debit-card numbers stolen in that data breach and many others.

Anyone can log on to the site, rescator.cc, and shop for cards by ZIP code. This illegal marketplace is the most glaring reminder that no one has been brought to justice in the massive theft of Target customer data.

Federal authorities declined to say anything about their investigation, which is being led by the U.S. Secret Service. Yet cybersecurity professionals have named one person they believe is linked to the stolen card website: a Ukrainian hacker named Andrey Hodirevski.

Brian Krebs is the blogger who broke the Target breach story and first named Hodirevski a year ago. “He may not be rescator, but it’s pretty clear that he knows the people who are and probably is in touch with them,” Krebs said.

Two other security pros say Hodirevski almost certainly has a hand in running the site. Dmitry Volkov, head of investigations at Russian computer-security company Group-IB, said in an interview that Hodirevski goes by the nickname “rescator” and has for several years been on his company’s radar as a carder, or dealer in stolen payment-card info. He said Hodirevski was a main member of DarkLife, a defunct Russian-language hack team.

“He has a high reputation and credibility among other carders and hackers,” Volkov told the Star Tribune. “He is not just another carder.”

Mark Lanterman, a former member of the Secret Service Electronic Crimes Task Force and now chief technology officer at Computer Forensic Services in Minnetonka, said the evidence points to Hodirevski.

“It’s circumstantial, but there’s a lot of it,” Lanterman said. “His website is up and active and going stronger than ever, which is disappointing.”

 

ILLICIT MARKETPLACE

In a conference room at his Minnetonka, Minnesota, offices, Lanterman logs in to rescator.cc. Over the past year, he’s found information on the site from tens of thousands of cards stolen from Target stores linked to Minnesota ZIP codes. This fall, he found information from at least 12,000 cards stolen from Home Depot, all linked to Minnesota ZIP codes and selling for $9 to $52 each.

The shop operates in the open now, he said.

Lanterman believes that rescator sells the software that hackers have used to break into retailers’ point-of-sale computers. Buyers then customize it for victims such as Target, while others install it, do the rest of the dirty work, and give rescator the stolen card information to sell.

Watching traffic on rescator.cc tests Lanterman’s patience.

“I get American law enforcement can’t just drive to Russia and pick him up and bring him back to the station. But he has an infrastructure, and I don’t know that enough has been done to disrupt it.”

 

TRACKING A HACKER

From his house in Annandale, Virginia, his shotgun nearby, blogger Krebs tracks organized cybercrime groups, particularly those in Eastern Europe.

Krebs became a minor celebrity after breaking the news of Target’s breach last year and then following a trail of digital bread crumbs, such as usernames from rescator, to Hodirevski.

Krebs blogged on Krebsonsecurity.com that rescator is a leading member of Lampeduza, a ring of card thieves organized in a hierarchy modeled on ancient Rome, using aliases such as Flavius and Octavius.

Krebs linked rescator to the online alias Helkern or “hel.” The domain Helkern was first registered to Andrey Hodirevski from Illichivsk, a seaport just down the Black Sea coast from Odessa.

 

OBSESSED WITH SECURITY

Odessa entrepreneur Alex Zhimalov told the Star Tribune he and Hodirevski became friends at a computer academy several years ago. Zhimalov, whose company designs web, desktop and mobile interfaces, said that he shared many interests with Hodirevski but that his friend was something of a mystery: a “dark horse,” secretive and obsessed with security, using encryption on all his devices and multiple fake accounts.

No one knew where he lived, Zhimalov said. You didn’t contact him – he contacted you.

Zhimalov, who emailed the Star Tribune pictures of Hodirevski taken in Odessa in 2012, was unaware of the controversy around his friend. He said he knew Hodirevski was hiding, but didn’t know why and was shocked when told that some people link him to the Target attack.

He said that during their last year at the computer school, about two to three years ago, Hodirevski hacked “some government structure” and was arrested, but didn’t go to jail. Then he lost touch.

The structure Zhimalov referenced is likely a site that was hacked in 2011; a 19-year-old Ukrainian was arrested for stealing the personal information of more than 190,000 users, according to information issued by the Security Service of Ukraine (USB) that year.

Hodirevski was the 19-year-old hacker, and he was sentenced to three years’ probation, said Dmitriy Kozin, the Forum’s co-owner.

Kozin said Hodirevski gained entry by guessing the password of a system administrator and stole emails. He was caught, Kozin said, because his effort to hide the actual address of his computer did not work.

Kozin said his understanding is that Hodirevski remains in an Odessa flat where he lives with his grandmother. The USB is “monitoring” him, he said.

Kozin said he thinks Hodirevski is “too lame to organize and rule” an attack on the scale of Target’s. It’s possible, he speculated, that authorities are using him to bait larger fish.

Meanwhile, Hodirevski’s carding reputation only grows. Sycophants on his bulletin boards think he’s the “end all,” Lanterman said.

“They seem to be singing his praises,” Lanterman said. “He must be thrilled with that.”