Thursday, 26 December 2013

Is this Ukrainian helping to sell millions of stolen Target credit card numbers online?

The web security blogger who broke the news about the massive Target credit and debit card breach has identified a Ukrainian national who allegedly has been selling some of the stolen data on an online black market.

In an article published this week on his site KrebsOnSecurity, blogger Brian Krebs laid out all the facts he has managed to gather about the suspected hacker, whom he identified as Andrey 'Andrew' Hodirevski.
According to Krebs, Hodirevski, who goes by the user name 'Helkern' or 'Hel,' runs one of the premier underground 'card shops' on the web offering hacked credit card numbers for sale.
Rescator.la reportedly has been doing brisk business unloading millions of credit card numbers that had been stolen from Target customers across the country from mid-November to mid-December.
Krebs also has managed to unearth a pair of photos allegedly portraying Hodirevski, including a selfie showing a dark-haired, clean-shaven man in his 20s.
Another image, which was originally posted on a Russian hacking forum by Hodirevski's rivals, depicts a man identified as 'Helkern' emerging from a beat-up Range Rover painted with a swastika, a star and the word 'peace' in Russian.
The blogger was careful to point out that there is no evidence to suggest that Hodirevski was behind the cyberheist that pulled 40 million credit and debit card accounts from Target's cash registers nationwide.
Payback: This image, allegedly portraying Hodirevski, who goes by the user name 'Helkern', was posted online by rival hackers
Instead, Hodirevski/Helkern is suspected of selling numbers on his shadowy portal, Rescator.la, for as much as $100 a pop.
Rescator is only one of several underground 'card shops' where the stolen data has been showing up, including Kaddafi.hk and cheapdumps.org.
Krebs revealed that a day before publishing his expose, he had a brief online chat with the elusive Mr Hodirevski, this time using the moniker kaddafi.me, who offered him $10,000 not to run the story.
'I have no idea if Rescator/Helkern/Andrew was involved in hacking Target, but it’s a good bet that he at least knows who was,' Krebs wrote.  
As part of his extensive investigation, Mr Krebs scoured the darkest corners of the internet, as well as some more mainstream social media sites, in search of information about the Ukrainian computer whiz.
Shadowy figure: Krebs discovered that a user dubbed Helkern was one of three founders of the now-defunct hacking forum darklife.ws
Priorities: A profile from 2010 for Hodirevski included a list of goals he had in life, among them marrying his girlfriend, buying a $20,000 Toyota Solara, moving to Helsinki and 'world domination'

The web security expert explained that it all started when he came across the user name Rescator and was able to link him to the person running the eponymous online black market that has been known to sell stolen Target accounts. 
The data theft, unprecedented in its scale, took place over a 19-day period that began the day before Thanksgiving. Target said that it identified and resolved the issue on December 15.
It is thought hackers obtained the data by remotely installing software on 40,000 credit card machines in nearly all of Target's 1,797 stores nationwide.
After doing some research, Krebs found a comment posted by Rescator two years earlier bragging that he was 'Hel,' one of the three founders of the now-defunct hacker forum darklife.ws.
The trail then led Krebs to another Russian hacking forum, Cih.ms, which had been breached in 2009 by a rival group of hackers from darklife.
In retaliation, the founders of Cih unmasked the people responsible for the hack, posting their photos and other personal information, including phone numbers, addresses and instant messaging logins.
Among the half-dozen young men identified as the rogue hackers, a user by the name 'Helkern' was mockingly described as 'the man of the hour.'
It was supposedly the elusive 'Helkern' pictured posing in front of a mirror and next to a defaced Range Rover.
Breach: It is thought hackers obtained credit and debit card data by remotely installing software on 40,000 credit card machines in nearly all of Target's 1,797 stores nationwide

Krebs went to work collecting kernels of information about 'Helkern' online and came up with an instant messaging name, email address and several posts that linked the hacker to a town near Odessa, Ukraine.
More sleuthing uncovered that Helkern's web address was registered to an Andrey Hodirevski.
A LinkedIn profile for an Andrew Hodirevski, believed to be the same person, describes his profession as a web developer and administrator for the now-defunct hosting site called Ghost.ua based out of Ukraine.
Brian Krebs also came upon a profile from 2010 for Hodirevski, in which the young man listed his goals in life: marrying his girlfriend, buying a $20,000 Toyota Solara, moving to Helsinki and ‘world domination.’
'Will probably have to rob all banks in the world,' the user wrote.


SOURCE-DAILYM
