10 March 2014
Target Hacker Still Online
Daniel Brandt sends:
2014-00074 Target CC Hack Exploiters Still Online (February 9, 2014)
Some progress has been made since you posted the above. By complaining to
registries and registrars, 29 domains have been suspended. All are ostensibly
from "Rescator" and were hiding behind CloudFlare. When a registry or registrar
puts a domain on "hold," even CloudFlare cannot do anything. One can no longer
reach CloudFlare, or anything else, from that domain because the DNS is disabled,
and the domain does not resolve. I expect another five will be suspended.
Unfortunately, these suspended domains are minor domains. Most are probably
"rippers" or decoys, and are not essential for the major perps behind the
marketing of stolen Target credit-card data.
Nevertheless, suspending them sends a message to criminals that it's not
worth using domains that are ICANN-affiliated. When the home page on such
domains shows activity that is indisputably illegal, abuse complaints to
ICANN-affiliated registries or registrars become possible. This includes
dot-com, dot-net, dot-org, dot-biz, and dot-info domains.
That leaves many dozens of country-coded domains for which complaints are
either impossible or useless. At the moment it looks like Rescator, who is
suspected of living near Odessa, Ukraine, is using servers based in Russia.
His latest moves suggest that he's beginning to use servers in Bulgaria,
and is not even using CloudFlare to hide them.
I doubt that Rescator is getting nervous; I think he knows what he is doing,
and has nothing to fear from authorities in the U.S.