Home Depot Breach Linked to Target's?Experts Say BlackPOS Malware Is Likely Common Thread
Now that Home Depot has confirmed its payment data systems were breached, industry experts weigh the possibility that the same point-of-sale malware may have hit the home-improvement giant as well as Target Corp., Sally Beauty, P.F. Chang's and other recently breached retailers.
See Also: Rethinking Endpoint Security
On Sept. 8, Home Depot acknowledged that its payments data system had been attacked by malware that may have compromised debit and credit data used for purchases made at stores in the U.S. and Canada. PINs associated with debit transactions, the retailer says, were not exposed.
This week, security blogger Brian Krebs, who broke news of the alleged Home Depot breach on Sept. 2, reported that investigators determined that a portion of Home Depot's terminals had been infected by a newly discovered variant of BlackPOS, the same malware thought to have compromised Target.
Although they stop short of confirming that the Home Depot, Target and other breaches are definitively tied to BlackPOS, other industry sources acknowledge that the malware continues to evolve. And they say BlackPOS has likely compromised numerous U.S. retailers, many of which have not yet confirmed or even discovered a card data compromise.
On Aug. 29, security firm Trend Micro blogged about a new BlackPOS variant it had uncovered in the wild, labeling it TSPY_MEMLOG.A. "Based on our analysis, this POS malware uses a new custom search routine to check the RAM [random-access memory] for [card] track data," writes Trend Micro researcher Rhena Inocencio. "These custom search routines have replaced the regex search in newer PoS malware."
Trend Micro executives declined to speculate about whether this new variant or some other variant of BlackPOS is the one that targeted Home Depot.
But Avivah Litan, a financial fraud expert who's an analyst at the consultancy Gartner, says that most retail malware attacks, including those involving BlackPOS as well as the Backoff malware that targets remote-access software, are connected in some way.
"All the retail breaches using a variant of the BlackPOS malware are linked technically," Litan explains. "It's not clear how many gangs are behind these multiple attacks, but the fraudsters are definitely sharing technical tools and software code - either directly or indirectly."
Litan also says she believes Backoff, which the Department of Homeland Security on Aug. 22 estimated had compromised more than 1,000 U.S. businesses, also is a variant of BlackPOS.
She contends that it's safe to assume that most leading U.S. retailers have been or will be targeted by some variant of this evolving malware strain.
"This is obviously an epidemic, and the only victim companies being reported in the press are the ones that are disclosed by various researchers and reporters," Litan adds. "At this point, I think it's safe to assume almost every top retailer has either been attacked or is on a list to be attacked. The only ones surviving and fending the attacks off are the ones that have implemented point-to-point encryption and tokenization - the malware doesn't work in those environments."
Ironically, Target's new CIO, Bob DeRodes, formerly worked in a senior technology position at Home Depot.
Now the job for card issuers is to ensure that they are continually reviewing transactional histories and being mindful of any anomalous activity that could indicate a possible card compromise, says John Buzzard, who heads up FICO's Card Alert Service.
"I think most people are probably aware that the cards that are being dumped [in underground forums] are being sold with city, state and ZIP code," Buzzard says. "Having this information allows the fraudsters who buy the cards to do a lot of localized fraud - fraud that is within the footprint of the cardholder."
Card data compromised in the Sally Beauty and Target attacks, for instance, when sold in underground forums, also included the ZIP codes of the cardholders, Buzzard points out. He also says none of these attacks has resulted in the compromise of PIN data, which limits the fraud to retail purchases rather than fraudulent ATM or POS-debit cash withdrawals.
Krebs has noted that he accompaniment of ZIP codes with compromised cards linked to Sally Beauty, Target and the now-confirmed Home Depot hack suggest a malware connection.
Buzzard won't comment about Krebs' conclusions regarding those attacks; but he does say issuers can use ZIP code information to detect fraudulent transactional patterns.
"The criminals are using cardholder data that looks legitimate because they are shopping with those cards close to where the customer lives," Buzzard says. "So issuers may see multiple purchases from the same retailer, and that could be common. But if they see multiple transactions at the same location during the same day, they ask themselves how often would that cardholder go to the same exact store and make a purchase in the same day."
Buzzard suspects that fraudsters may be using stolen card data in just this way, by making multiple small purchases in a single day at the same retail location within the cardholder's ZIP code to avoid detection.
"As a fraudster, you might not want to arouse suspicion with one big purchase," he says. "But if you create four or five fake cards that have the same number and name, and you create multiple fake IDs, you could have people out there using the same card number for multiple, relatively low-dollar purchases in a single day and it won't raise a flag."
If issuers note this type of behavior, it could signal a compromise, Buzzard says.
Home Depot Among Big Box Targets?
Since Target's breach announcement in late 2013, numerous retailers have confirmed similar POS compromises. Soon after news of the Target compromise, security experts suggested that perhaps six other big-box retailers would be next (see Securing Networks to Fight Malware).
Whether Home Depot is one of those six targets is not something experts want to speculate about. But Adam Kujawa, head of malware intelligence at Malwarebytes Labs, says a connection to at least Target is likely.
"It is possible that both attacks were caused by the same people," he says. When a certain type of malware becomes too well known by the security industry, the creators of the malware often will modify the code and use new methods of obfuscation and encryption in order to thwart detection attempts, he notes.
"This could be what has occurred with BlackPOS. having been discovered and subsequently detected on a large scale, it was time to modify not only the way the malware looked (to avoid certain types of detection), but also modified the way it operated (for heuristic detections)."
The newer BlackPOS utilized an additional application that it drops in order to send the stolen data back to the command and control server, while the original BlackPOS did this simply by utilizing a line of code within the already running malware process, Kujawa explains. "It's almost like you have an entirely new tool to use for your nefarious operations and also possibly have a new product to sell to your customers looking to do the same."