A Russian teenager has been identified as the author of the code that allowed hackers to launch cyberattacks against Target and Neiman Marcus, according to security firm IntelCrawler.
The California-based company posted a report online that said the author of the malware used in the attacks had sold over 60 versions of the software to cybercriminals in Eastern Europe and other countries.
According to The Washington Post, IntelCrawler said the 17-year-old was a 'very well known' programmer in underground marketplaces for malicious code.
The newspaper said the teenager was not responsible for the attacks, but he wrote the malicious programmes (software known as BlackPOS) that infected the sales systems at Target and Neiman Marcus, the report added.
The company also claims to have uncovered at least six ongoing attacks at US merchants whose systems were affected by software similar to that used to steal data from Target Corp, Reuters said in an exclusive report.
The report quoted Andrew Komarov, chief executive of cybersecurity at the firm, as saying that his company had alerted law enforcement, Visa Inc and intelligence teams at several large banks. He added that payment card data was stolen in the attacks, though he did not know the scale of the heist.
The findings suggest that the cyberattacks disclosed by Target Inc and upscale department store Neiman Marcus form part of a wider assault on the security of US retailers' customer data.
Meanwhile, the US government and private security intelligence firm iSight Partners on Thursday warned merchants and financial services firms that the BlackPOS software used against No 3 US retailer Target had been used in a string of other breaches at retailers but stopped short of identifying the victims.
According to banks and retailers, the victims of any fraud resulting from the theft of their payment card data bore "zero liability" and would be credited for fraudulent purchases made on their accounts.
According to Visa spokeswoman Rosetta Jones, the company's rules said five days, but most consumers got their money back within 24 hours.
However, consumer advocates said that any debit card fraud could result in money being drained from a bank, mutual fund or other cash account at a time when those funds were really needed.