It also said he views kindness and honesty as important in other people, and that his political views are apathetic.
Target hit ‘carefully planned’
Brian Krebs, the security blogger who broke the news of Target’s huge holiday breach at KrebsonSecurity.com, said in an interview that he, too, thinks Shabayev co-authored the original malware. But he said there are likely several layers between Shabayev and whoever carried out the intricate and customized attack on Target.
“I would imagine there’s an entire group of individuals that carefully planned this attack against Target and very probably used other victim organizations they broke into through 2013 as sort of test cases,” Krebs said.
Krebs said Shabayev’s attitude toward writing the code is typical of malware authors he has interviewed.
“They have an agnostic view of code,” Krebs said. “They’re freelancers. It’s just ones and zeros. It can’t be good or evil. That seems to be the view of a lot of guys that code malicious software.”
Krebs said that he has not yet looked for links between Shabayev and the person nicknamed Rescator who has been hawking stolen card information from Target in underground card shops. Krebs suspects Rescator also uses the name Helkern online and is a leading member of a highly structured underground forum called Lampeduza. Krebs said he has identified a man in Illichivsk, a city in the Odessa province of Ukraine, who he suspects is Rescator/Helkern.
Krebs told the Star Tribune he suspects Rescator is not just hawking stolen cards but played a central role in the Target hit itself.
Clements, at IntelCrawler, said he is not aware of a link between the two men.
Clements said Shabayev used the nickname Ree in underground hangouts and was selling the BlackPOS malware for about $2,000. He worked closely with Sergey Taraspov, a teenager acting as his technical support. At first IntelCrawler identified Taraspov as the malware’s co-author, but then said it was Shabayev.
The Secret Service declined to comment on Shabayev.
IntelCrawler is not the only organization that has tracked Shabayev.
Malware called fairly basic
Dmitri Alperovitch, co-founder of Irvine, Calif.-based CrowdStrike, said his firm has been carefully tracking cybercriminals in Eastern Europe, Russia and elsewhere for retail clients. Shabayev has been “very active” selling the BlackPOS memory scraper malware for about a year, he said. He described the original BlackPOS malware as fairly basic.
“A first-year computer science student in college could have written this,” he said.
Alperovitch said he didn’t believe Shabayev’s assertions that the program he co-authored was innocent and intended for defending computer systems.
“He’s been actually selling the software for $2,000 in the underground specially for committing theft from retailers,” Alperovitch said. “That’s the only purpose of this tool.”
As for the card seller Rescator, Alperovitch, too, suspects that Rescator is a Ukrainian man from Odessa.