St Petersburg-based teenager developed malware used in US retail cyber attacks

UK retailers warned: Retail malware "sold to more than 60 East European crime gangs"

A Russian teenager was behind the cyber attacks on eight US retailers, including big names Target and Neiman Marcus, according to cyber intelligence company IntelCrawler.

The 17-year-old goes by the name of "ree4" and, according to the organisation, is the author of the point-of-sale malware used in the attacks. The malware designed by the St Petersburg, Russia 17-year-old, called "BlackPOS", has been sold to more than 60 cyber-crime gangs across Eastern Europe.

The tools will therefore almost certainly be deployed against retailers across the European Union - if it hasn't already.

The hacker has already been identified by a number of other malware tools, including "Ree4 mail brute", but does not seem to have been involved in the attacks against US retailers.

Neiman Marcus, according to the Washington Post, was broken into via easily guessable default passwords on the credit card terminals that it uses. IntelCrawler CEO, Andrew Komarov, said that other attacks against major US retailers may well come to light soon. Neiman Marcus, according to the New York Times, was hacked in July and did not discover the attacks until mid-December.

Furthermore, the company did not publicly disclose the attack until security specialist Brian Krebs discovered it and posted about it on his blog.

The successful attacks also call into question the value of PCI-DSS standards for protecting credit and debit card data online. This is widely considered to be best practice, despite the expensive of implementing and administering it - yet it did not stop Neiman Marcus from falling victim and not even noticing for almost six months that its systems were compromised.