A California cybersecurity firm's assertion that a Russian teenager authored the malware behind the massive Target data breach during the holidays was disputed Sunday by the Internet security blogger who broke the Target story.
IntelCrawler, based in Los Angeles, said late Friday that a teenager "close" to 17 years old authored the malicious software and reportedly sold it for about $2,000 to dozens of cybercriminals in Eastern Europe and other countries.
Brian Krebs, a widely followed Internet security blogger and former Washington Post reporter, disputed that information in an interview and on Twitter.
"We don't think we are wrong," IntelCrawler president Dan Clements responded Sunday.
While IntelCrawler says the teen allegedly authored the malware, it doesn't allege that he perpetrated the breach.
Clements says IntelCrawler's CEO did a report on the malware, known as BlackPOS, earlier last year. The teen was identified then as the author, he says, and is allegedly a well-known programmer of malicious code in the underground world.
Target, the nation's second-largest retailer, has apologized for the security breach, which it said affected up to 110 million shoppers.
The same malware may have been involved in a similar but far smaller attack on luxury retailer Neiman Marcus around the same time, IntelCrawler says. The retailer has not said how many customers were affected by its breach.
The retailers had no further comment on the incidents Sunday. The Department of Homeland Security did not respond to inquiries.
The software reportedly enabled the thieves to remotely hack into Target's computer systems and obtain customer credit card numbers and other information, which was then sent back to a computer controlled by cyber thieves.
State and federal officials, including the Secret Service, have launched an extensive investigation into the breaches.