Mexico stores, online shoppers likely not impacted by the incident

Sep 9, 2014 07:30 GMT  ·  By

On Monday, Home Depot confirmed that their systems had been breached and that customer data from its stores in the United States and Canada had been impacted.

The company says that during its investigation it found no evidence that the data-stealing malware was present on the systems of its stores in Mexico. It also believes that online shoppers are likely not affected by the incident.

Breach was announced by third parties

News about Home Depot being the target of a cyber-attack broke at the beginning of the month, after a large cache of credit and debit card data appeared on an underground forum and financial institutions analyzed it to identify where the cards had been compromised.

Delving into the listings and extracting the ZIP codes attached to the card data, security blogger Brian Krebs found that more than 93% of the postal codes matched those of Home Depot stores in the US.
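The overlap check described above, as an added example that is not part of the article or of Krebs' own analysis: it takes the location fields of a dump listing, normalizes ZIP and ZIP+4 values to their five-digit prefix, and reports what share of usable ZIP codes fall on a retailer's store list. The listing rows and the store ZIP set are constructed stand-ins; no real card data or store data is used, and the function and field names are this example's own.

```python
"""Added example (not from the article): measure how well the ZIP codes
attached to a card-dump listing line up with a retailer's store locations,
the kind of overlap check the article credits Krebs and the banks with.

All data below is constructed; no real card data or store list is used."""
import csv
import io
import re
from collections import Counter

# Constructed sample of a dump listing. Real listings carry card data too;
# only the location fields matter for this check, so that is all we embed.
LISTING_CSV = """city,state,zip
Springfield,IL,62701
Springfield,IL,62701-4321
Riverton,UT,84065
Ashland,OR,97520
Unknown,,
Centerville,OH,45459
"""

# Constructed stand-in for the retailer's store ZIP list (assumption).
STORE_ZIPS = {"62701", "84065", "45459", "30339"}

ZIP5 = re.compile(r"^\d{5}")


def normalize_zip(raw: str):
    """Reduce a ZIP or ZIP+4 value to its 5-digit prefix; None if unusable."""
    m = ZIP5.match(raw.strip())
    return m.group(0) if m else None


def zip_overlap(listing_csv: str, store_zips: set) -> dict:
    """Return match statistics for the listing's ZIP codes against store_zips."""
    rows = csv.DictReader(io.StringIO(listing_csv))
    zips = [normalize_zip(row["zip"]) for row in rows]
    usable = [z for z in zips if z is not None]
    counts = Counter(usable)
    matched = sum(n for z, n in counts.items() if z in store_zips)
    return {
        "total": len(usable),                      # rows with a parseable ZIP
        "skipped": len(zips) - len(usable),        # rows with no usable ZIP
        "matched": matched,                        # rows whose ZIP is a store ZIP
        "ratio": matched / len(usable) if usable else 0.0,
        "unmatched_zips": sorted(z for z in counts if z not in store_zips),
        "top_zips": counts.most_common(3),         # most frequent ZIPs overall
    }


if __name__ == "__main__":
    r = zip_overlap(LISTING_CSV, STORE_ZIPS)
    print(f"{r['matched']}/{r['total']} usable ZIPs ({r['ratio']:.0%}) "
          f"match store locations; unmatched: {r['unmatched_zips']}")
```

A high ratio only points toward a common point of purchase; store ZIPs also coincide with densely populated residential ZIPs, so the figure is a lead for the banks' transaction-level checks rather than proof on its own, and it carries weight only on a listing far larger than this constructed sample.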

Financial institutions that made the connection between the stolen data on the underground forum and the retailer said that the breach was likely to have occurred in late April or late May.

Variant of BlackPoS, the malware used against Target retailer, suspected

In an official statement, Home Depot says that “any customer that has used their payment card at our U.S. and Canadian stores, from April forward” could be impacted.

Some security experts say that the malware used in this attack is very similar to BlackPoS, the same malware responsible for the breach of retailer Target late last year, which ended with the card information of about 40 million customers being exposed.

If this is true, the same cybercriminals may be behind both attacks. “Often times, when a certain type of malware becomes too well known by the security industry, the creators of the malware will modify the code and use new methods of obfuscation and encryption in order to thwart detection attempts,” says Adam Kujawa, head of malware intelligence at Malwarebytes.

The criminals could have modified the way the original BlackPoS operated in order to evade different types of detection.

“The newer BlackPOS utilized an additional application that it drops in order to send the stolen data back to the command and control server, while the original BlackPOS did this simply by utilizing a line of code within the already running malware process. At the end of the day, it’s almost like you have an entirely new tool to use for your nefarious operations and also possibly have a new product to sell to your customers looking to do the same,” said Kujawa via email.