Home Depot has confirmed via their corporate website that their payment systems were breached. This followed reports last week, which suggested that Russian and Ukrainian cybercriminals had successfully breached the Atlanta-based retailer’s PoS terminals.
The statement offered full details, but suggested the breach affected users who shopped at their US and Canadian branches from April onwards. Home Depot’s investigation began on September 2, which indicates a worst-case scenario of a breach lasting four to five months. It has been claimed that the information of up to 60 million cards may have been stolen.
Speculation suggests that the Home Depot attack was carried out using BlackPOS malware; a BlackPOS variant discussed by Trend Micro researchers in late August may have been part of this attack, as the behavior we observed in this variant and the behavior ascribed to the Home Depot attack are very similar.
This particular BlackPOS variant differs in several ways from more common variants, suggesting that the code has been changed significantly since the source code for BlackPOS was leaked in 2012. A different API call is made to list the processes that can be targeted for information theft; in addition, custom search routines for credit card track information have been introduced. This particular variant is detected as TSPY_MEMLOG.A.
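As an added example (not code from this post or from Trend Micro), the following responder-side triage helper shows what "credit card track information" looks like on the wire and how to confirm a recovered artefact actually holds it: it scans a constructed byte blob for Track 2 records, keeps only candidates that pass the Luhn check and carry a sane expiry month, and masks the PAN in its output so the triage log never stores full card numbers. The sample bytes, test PANs and all function names are constructed assumptions.

```python
import re

# Track 2 layout: start sentinel ';', PAN (13-19 digits), field separator '=',
# expiry YYMM, 3-digit service code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: weeds out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first six) and last four only; triage output never stores full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(blob: bytes) -> list[dict]:
    """Return validated Track 2 hits found in a memory or disk artefact."""
    hits = []
    for m in TRACK2_RE.finditer(blob):
        pan, yy, mm, svc, _disc = (g.decode() for g in m.groups())
        # Reject false positives: bad Luhn digit or impossible expiry month.
        if not luhn_ok(pan) or not 1 <= int(mm) <= 12:
            continue
        hits.append({"offset": m.start(), "pan": mask_pan(pan),
                     "expiry": f"{mm}/{yy}", "service_code": svc})
    return hits


# Constructed sample artefact (not real dump data): binary noise plus three candidates.
SAMPLE = (b"\x00\x17MSR\xff"
          + b";4111111111111111=2512101123456789?"   # well-known test PAN, Luhn passes
          + b"junk;4111111111111112=2512101000?"     # last digit changed, Luhn fails
          + b";5555555555554444=2513101?"            # expiry month 13, rejected
          + b"\x90\x90")

if __name__ == "__main__":
    for hit in find_track2(SAMPLE):
        print(hit)
```

Only the first candidate survives; the other two are exactly the kind of near-miss a naive digit-run search would report.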
These increasingly sophisticated threats make it clear that PoS malware is a growing threat. Continued attacks against PoS systems will not only cause financial losses, but also reduce consumer confidence in existing commerce systems.
Migrating to more modern “chip-and-personal identification number (PIN)” cards and terminals may help reduce the risk down the road. Users should also regularly check their bank statements for anomalous transactions. Going over recent transactions on a regular basis should allow users to spot and dispute fraudulent transactions made on their cards.
Later this week, we will publish a paper outlining existing threats to PoS systems. System administrators of organizations that are at potential risk can use the information in these papers to detect, mitigate, and address these attacks. Our earlier paper titled Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries provided examples of potential PoS threats to retailers and companies in the hospitality sector.
For more information, you may check out the Data Breaches page in the Threat Encyclopedia.
Update as of 2:42 PM, September 11, 2014
Even though BlackPOS ver2 has entirely different code from the BlackPOS which compromised Target, it duplicates the data exfiltration technique used by the Target BlackPOS. It is an improved clone of the original, which is why we decided to call it BlackPOS ver2.
It is also being reported in the press that some security vendors call this malware (TSPY_MEMLOG.A) “FrameworkPOS.” This is a play on the service name <AV_Company> Framework Management Instrumentation under which the malware installs itself.