After Home Depot breach, rogue website hawking Minnesota-linked payment card data

At least 12,000 credit and debit cards believed stolen from Home Depot and linked to Minnesota ZIP codes are for sale at the underground crime shop Rescator, a local cybercrime professional says.

The stolen cards sell for around $9 to $52 each.

The number of Minnesota cards will likely increase, since huge batches of cards linked to the recent Home Depot breach are showing up on Rescator almost daily, said Mark Lanterman, chief technology officer at Computer Forensic Services in Minnetonka. The 13th giant batch of cards was recently posted. The Atlanta-based retailer confirmed the breach Sept. 8, but said it's still trying to determine the full scope.

"The numbers so far indicate to me that this breach may have resulted in the theft of more credit numbers than the Target breach, which kind of surprises me," said Lanterman.

Lanterman, a former member of the Secret Service Electronic Crimes Task Force, said he's had access to the Rescator marketplace for some time. It is allegedly run by the same man, nicknamed Rescator, believed to be central to the unresolved attack on Minneapolis-based Target Corp. last year.

Cards stolen from Target customers are still being hawked at Rescator, as are cards from Sally Beauty and P.F. Chang's.

A variant of the BlackPOS software employed to siphon payment card information from Target's cash registers was used in a similar fashion at Home Depot, according to Lanterman and Brian Krebs, the journalist-turned-cyber sleuth who broke the news of both attacks at KrebsonSecurity.com. In an interview Thursday, Krebs said the Home Depot breach started around April 11 and continued until Sept. 7.

U.S. Secret Service spokesman Brian Leary on Thursday confirmed the agency is investigating both breaches.

The identity of Rescator remains a mystery.

Krebs has consistently said Rescator is a leading member of a criminal forum called Lampeduza, and that he suspects he is from Illichivisk, a city in the Odessa province of Ukraine. Rescator is not just hawking the stolen cards, Krebs has said, but is playing a central role in the thefts themselves.

Whoever he is, he is not trying to hide, said Lanterman.

"This is Amazon.com for credit card thieves," he said.

Lanterman said that while the website appears plain, it's much more comprehensive than other "carding" shops. Various filters and drop-down menus allow criminals to shop for cards online as though they were shoes. Shoppers can sort the goods by bank, brand, city and state, model such as platinum or classic, or which breach the cards came from.

It also displays ZIP codes, which Krebs said belong to the Home Depot store from which the cards were stolen. That's valuable information for thieves trying to figure out where card holders live so they can conduct transactions that don't trigger fraud alerts to financial institutions.

Lanterman noted that Rescator even has a return policy. If you alert the site within three hours that the card doesn't work, Rescator will give you a different card for free, he said.

"The hackers think of this guy as a rock star," Lanterman said. "He's up on an altar somewhere."

Catching the cyberthieves will be extremely difficult. The United States does not have an extradition treaty with Ukraine or Russia, for instance, and given the turmoil in the region, catching a hacker is likely a low priority. Traditionally law enforcement has nabbed the crooks when they travel abroad, Krebs said, and that could eventually create an opportunity.

"None of them want to be stuck in Ukraine or Russia," Krebs said. "They have lots of money to spend."

Jennifer Bjorhus • 612-673-4683