In the Home Depot data breach disclosed just last week, it was confirmed that the same malware that plagued Target stores, stealing millions of customers' credit and debit card records, also infected Home Depot stores worldwide.
Last Tuesday, Home Depot disclosed they were working with law enforcement to investigate “unusual activity” after multiple banks said they had traced a pattern of fraudulent activity back to cards that were used at Home Depot locations across the United States. The malware was believed to have been in place since May of this year.
Yesterday, KrebsonSecurity broke news that a source working closely on the Home Depot investigation revealed that some Home Depot store registers had been infected with a new variant of “BlackPOS”, a.k.a. “Kaptoxa”, malware designed to infect the Point-of-Sale (PoS) systems and siphon off card data when swiped on infected machines.
In the just-confirmed Home Depot data breach, the research indicates that the cybercriminal gang behind the Target data breach, which reaped over 40 million customers' credit and debit cards, may be the same gang behind the Home Depot hacking. Target was also found to be infected with BlackPOS on its point-of-sale systems after last year's heist. Further, the group found selling the Home Depot cards on the black market, Rescator[dot]cc, is the same cybergang that originally sold millions of stolen Target credit cards.
Information found inside the newer version of the BlackPOS malware suggests that the malware dates back several months. In addition, the underground black market pushed out nine more large batches of stolen credit cards on its cybercrime store, dubbed “American Sanctions”, as dated earlier. Similarly, dozens of large Target batches were sold in weekly increments.
Tips that Home Depot had been breached by the BlackPOS malware came from several security firms, KrebsonSecurity reported. On August 29, Trend Micro published a blog post stating it had identified a new BlackPOS variant in the wild targeting retailers. Trend Micro stated the updated variant was first spotted August 22, sporting a number of new features. Trend Micro also stated that the variant has a feature that disguises the malware as a component of an antivirus product that may be running on the system.
Trend Micro noted that the newest BlackPOS variant offloads stolen card data using tactics similar to those used in the Target data breach.
“In one [of] the biggest data breach[es] we’ve seen in 2013, the cybercriminals behind it offloaded the gathered data to a compromised server first while a different malware running on the compromised server uploaded it to the FTP,” Trend Micro’s threat response engineer, Rhena Onocencio wrote. “We surmise that this new BlackPOS malware uses the same exfiltration tactic.”
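The two-hop exfiltration described above (registers push card data to an internal staging host, which then uploads it to an external FTP server) leaves a correlatable pattern in network flow records. The following is an added detection example written for this page, not code from the original post, Trend Micro or Krebs; the flow records, address ranges and the two-hour correlation window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: (timestamp, src, dst, dst_port, bytes).
# 10.20.1.x is assumed to be the register (PoS) segment; 10.x is assumed internal.
FLOWS = [
    ("2014-08-22T01:00:00", "10.20.1.15", "10.20.9.5", 445, 120_000),    # register -> staging share
    ("2014-08-22T01:05:00", "10.20.1.16", "10.20.9.5", 445, 98_000),     # register -> staging share
    ("2014-08-22T01:30:00", "10.20.9.5", "203.0.113.44", 21, 250_000),   # staging -> external FTP
    ("2014-08-22T02:00:00", "10.20.1.17", "10.20.9.7", 445, 10_000),     # register -> another server
    ("2014-08-22T03:00:00", "10.20.9.7", "10.20.9.100", 21, 50_000),     # internal FTP only: benign
]

POS_PREFIX = "10.20.1."          # assumption: register segment
INTERNAL_PREFIXES = ("10.",)     # assumption: everything else in 10/8 is internal
FTP_PORT = 21
WINDOW = timedelta(hours=2)      # how long after the inbound writes an outbound FTP counts


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def find_staged_exfil(flows, window=WINDOW):
    """Return [(staging_host, external_dst, [register_sources])] for every internal host
    that received traffic from registers and then opened an outbound FTP connection
    within `window`. Plain register traffic and internal-only FTP are not flagged."""
    inbound = defaultdict(list)  # staging host -> [(time, register_src)]
    for ts, src, dst, port, _ in flows:
        if src.startswith(POS_PREFIX) and is_internal(dst) and not dst.startswith(POS_PREFIX):
            inbound[dst].append((parse(ts), src))

    alerts = []
    for ts, src, dst, port, _ in flows:
        # second hop: a staging host talking FTP to a non-internal address
        if port != FTP_PORT or is_internal(dst) or src not in inbound:
            continue
        t = parse(ts)
        sources = sorted({reg for when, reg in inbound[src] if t - window <= when <= t})
        if sources:
            alerts.append((src, dst, sources))
    return alerts


if __name__ == "__main__":
    for staging, ftp_dst, registers in find_staged_exfil(FLOWS):
        print(f"ALERT staging host {staging} -> FTP {ftp_dst}; fed by registers {registers}")
```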
With the Home Depot data breach now confirmed, the length of time the breach may have lasted means tens of millions of credit and debit card records could have been stolen.