Home Depot, Target: Same Breach Script?Similar Attack Methods Highlight Security Shortcomings
The revelation that Home Depot's breach resulted from the compromise of a third-party vendor is "eerily" similar to the circumstances of the Target data breach, security experts say. The two mega-breaches point to the need for retailers to more closely monitor the security measures of their vendors and ramp up breach detection efforts.
The Home Depot attack vectors are "similar to Target as well as the other major retailer breaches we have witnessed in the last 12 months," says JD Sherry, vice president of technology and solutions for Trend Micro. "This is fundamentally due to cybercriminals doing their homework on organizations and waging a fierce, persistent campaign to find any possible way to get a foothold in the organization."
Home Depot on Nov. 6 said that criminals used a third-party vendor's username and password to enter the perimeter of its network (see: Home Depot: 53 Million E-Mails Stolen). From there, hackers acquired "elevated rights" that allowed them to navigate portions of Home Depot's network and to deploy custom-built malware on the retailer's self-checkout systems in the U.S. and Canada, the company says.
The malware used in the attack has not been seen in any prior attacks and was designed to evade detection by anti-virus software, according to Home Depot.
The home improvement retailer did not reveal the nature of its third-party vendor whose credentials were used in the breach.
In the Target breach, in which 40 million payment cards and personal details on 70 million customers were compromised, the retailer acknowledged that the incident was the result of hackers stealing electronic credentials from one of its vendors (see: Target Vendor Acknowledges Breach). From there, attackers used "sophisticated malware" to evade detection and obtain the card details and other sensitive information.
Following a Script?
The similarities between the two mega-breaches demonstrate that hackers have a set script on how to hack a large retailer, contends fraud expert Avivah Litan, analyst at the consultancy Gartner. "The retail and payment industry have been too slow to act against this," she says. "It's too bad that the attacked organizations were not agile enough to build appropriate defenses in time."
The Home Depot and Target breaches demonstrate just how vulnerable retailers are to attacks waged by compromising the credentials of third parties, says Rebecca Herold, a partner at the consulting firm Compliance Helper.
One reason for that vulnerability, Herold says, is that so many retailers fail to conduct due diligence investigations of the security practices of their vendor partners, relying solely on security clauses in contracts.
The breached Home Depot vendor's apparent reliance on username and password for authentication was clearly inadequate, says Tsion Gonen, chief strategy officer at SafeNet, a data protection firm. "This massive breach reinforces why more companies need to implement multi-factor authentication, not only for their own employees, but for third parties that access their data systems," he says.
Organizations that outsource any type of information processing, access or storage must perform due diligence "to ensure the contracted entities to whom they are entrusting this access have appropriate safeguards in place," Herold says.
Time for Action
In light of the clear similarities in the Target and Home Depot breach methods, retailers must be on the lookout for similar attacks waged using third-party vendors' credentials that pave the way for malware installation, Litan says. "Retailers must be vigilantly looking out for these [vectors] and defending themselves," she says.
Sherry of Trend Micro says organizations should use breach detection systems that leverage custom sandboxing analysis to catch POS malware variants that can circumvent most anti-virus technologies and next-generation firewall perimeter defenses.
The surge in U.S. retailer breaches is unlikely to end any time soon, Litan says, because fraudsters are targeting American merchants while the nation's migration to more secure EMV chip card technology continues. "This is going to continue for some time - probably a couple more years," she predicts.
In announcing the apparent cause of its breach last week, Home Depot also revealed that some 53 million customer e-mail addresses were stolen in the attack, in addition to the compromise of 56 million payment cards.
"While consumer education has come a long way, there are still a small percentage of consumers who will fall prey to a phishing attack," she says. Even if only 5 percent of consumers respond to a fake e-mail, the results will be highly lucrative for the criminals, Inscoe says.
Another risk, says Herold, the consultant, is that e-mail addresses are often used as IDs on other sites. "The crooks will now be able to take those e-mail addresses and try them as IDs at a wide range of sites, including social media sites, to get access to even more data that they will find valuable," she says.