September 10, 2014

The Home Depot POS Breach

Home Depot
Home Depot POS systems compromised by POS Malware

THE FACTS

Home Depot confirmed on September 08, 2014 that a data breach had taken place at the majority of its US and Canadian store locations. An estimated 2,400+ stores may have been affected, and the compromise appears to date back to April 2014.

Brian Krebs of KrebsOnSecurity reported that sources close to the investigation believe the malware used in this breach is a new variant of the malware that infected Target's point-of-sale (POS) devices last year. This information was released early last week, along with a statement from Home Depot. Other sources suggest that some of the stores were infected with the POS malware known as BlackPOS, which copies credit and debit card data as soon as a card is swiped at the reader terminal. The security company Trend Micro says this new variant has a few new capabilities, including the ability to disguise itself as part of the anti-virus software running on the compromised systems. Very sneaky. The malware also comes with an improved ability to pull track data out of the memory of the POS process (so-called RAM scraping), where it sits in the clear before being encrypted for transmission to the payment processor.
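To make concrete what "pulling data from memory" means, here is an added example; it is not code from this page, from Trend Micro, or from the malware itself. It is the pattern-matching core that a RAM scraper runs over a POS process's memory, written here in Python as a scanner you could point at a memory dump to find lingering card data. The two regexes encode the ISO/IEC 7813 track 1 and track 2 layouts, the Luhn check drops digit runs that merely look like a card number (scrapers do this too, to cut noise), and the service code is decoded because its first digit says whether the card carries a chip. Everything in the sample buffer is constructed: the process name, the cardholder name, and the offsets; the card numbers are the public Visa and Mastercard test PANs, and the third record is a deliberately Luhn-invalid decoy.

```python
"""Track-data scanner: the pattern-matching core of a POS RAM scraper, used here
defensively to find card data lingering in a memory dump.

Added example, not code from the page, from Trend Micro or from the malware.
Every input below is constructed; the PANs are public Visa/Mastercard test numbers.
"""
import re
from typing import List, NamedTuple

# ISO/IEC 7813 magnetic-stripe track layouts as they sit in a swipe buffer:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]{0,40}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]{0,40}\?")


class TrackHit(NamedTuple):
    offset: int        # byte offset of the record in the buffer
    track: int         # 1 or 2
    pan_masked: str    # first six and last four digits only; never log a full PAN
    expiry: str        # YYMM
    service_code: str  # three digits; first digit 2 or 6 means the card has a chip


def luhn_ok(pan: str) -> bool:
    """Luhn check (ISO/IEC 7812). Scrapers use it to discard digit runs that
    happen to look like a PAN but are not one; a detector should do the same."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def chip_card(service_code: str) -> bool:
    """Service code first digit 2 or 6: the card carries an EMV chip. A cloned
    magstripe of such a card is exactly what chip-and-PIN is meant to defeat."""
    return service_code[:1] in ("2", "6")


def raw_matches(buf: bytes) -> int:
    """Regex hits before the Luhn filter, to show how many are false positives."""
    return sum(1 for _ in TRACK1_RE.finditer(buf)) + sum(1 for _ in TRACK2_RE.finditer(buf))


def scan_memory(buf: bytes) -> List[TrackHit]:
    """Return Luhn-valid track records found anywhere in buf, in offset order."""
    hits: List[TrackHit] = []
    for track, regex, exp_grp, sc_grp in ((1, TRACK1_RE, 3, 4), (2, TRACK2_RE, 2, 3)):
        for m in regex.finditer(buf):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):
                continue
            hits.append(TrackHit(m.start(), track, mask_pan(pan),
                                 m.group(exp_grp).decode("ascii"),
                                 m.group(sc_grp).decode("ascii")))
    return sorted(hits)


# Constructed "memory image" of a POS process: a track-1 swipe and a track-2
# swipe surrounded by unrelated bytes, plus a decoy whose PAN fails Luhn.
# "POSAPP.EXE" and "DOE/JANE" are made-up names.
SAMPLE_MEMORY = (
    b"\x00" * 8 + b"POSAPP.EXE\x00"
    + b"%B4111111111111111^DOE/JANE^2512101000000000?"   # Visa test PAN, no chip
    + b"\x00\xff" * 4
    + b";5555555555554444=27012010000000000000?"         # Mastercard test PAN, chip card
    + b"junk junk "
    + b";1234567890123456=2512101000000000?"             # Luhn-invalid decoy
    + b"\x00" * 8
)

if __name__ == "__main__":
    print(f"{raw_matches(SAMPLE_MEMORY)} regex matches, "
          f"{len(scan_memory(SAMPLE_MEMORY))} survive the Luhn check")
    for hit in scan_memory(SAMPLE_MEMORY):
        flag = "chip card swiped" if chip_card(hit.service_code) else "magstripe-only"
        print(f"offset {hit.offset:4d} track {hit.track} {hit.pan_masked} "
              f"exp {hit.expiry} sc {hit.service_code} ({flag})")
```

Run it as a script to see the three regex matches shrink to two real records; to use it against a real dump, read the process memory into a bytes object and pass it to scan_memory. The masked PAN in the output is intentional: a scanner that writes full card numbers to its own log just creates a second copy of the data the malware was after.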

According to krebsonsecurity.com, large batches of the stolen cards began to show up on the underground cybercrime shop known as Rescator[dot]cc; the first two batches were listed under the name "American Sanctions". The same shop is where cards stolen from Target and other retailers were sold, so it is believed that the hackers responsible for those earlier incidents are the same individuals behind the Home Depot attack.

Although Home Depot says that PINs were not compromised, the stolen track data is enough to encode counterfeit copies of the cards, and if the fraudsters can get the PIN on a card changed, the counterfeit can be used for ATM withdrawals. Many banks have reported an increase in fraudulent PIN-debit and ATM activity. Krebs states that the most important detail in this story is that the cards are being sold along with the cardholder's name and the city, state and ZIP code of the store where each card was used. Because most Home Depot shoppers live close to the store they shop at, this makes guessing the cardholder's likely address easy, which in turn makes it much easier for the fraudsters to look up the victim's SSN and date of birth through other services in the cybercrime underground, and then pass the bank's knowledge-based authentication to reset the PIN.

When it comes to ATM card fraud and knowledge-based authentication systems, this quote from Krebs says a lot:
"Banks are long overdue to move away from knowledge-based authentication. Forget about the fact that most major providers of these services have been shown to be compromised in the past year by the very crooks selling Social Security numbers and other data to identity thieves: The sad truth is that today's cybercriminals are more likely to know the correct answers to these questions than you are."

WHAT HOME DEPOT PLANS TO DO

Home Depot has offered free credit monitoring and identity repair services through AllClear ID for anyone affected by the POS data breach. This is a good step, but the breach has most likely touched a very large share of shoppers in the US and Canada. HD also states that customers will not be held responsible for any fraudulent charges that show up on their statements. In response to the breach, Home Depot plans to roll out EMV "Chip and PIN" (stronger than Chip and Signature) terminals in all of its US stores by the end of the year, which, according to HD, is well ahead of the October 2015 liability-shift deadline set by the major card brands (that deadline comes from the card networks, not from PCI-DSS).

If you would like to see the FAQ page that Home Depot released in light of the incident, follow the following link (no pun intended) HERE.

Update: September 12, 2014 - Some researchers have taken a closer look at the malware that was used to attack Home Depot and concluded that it is not related to BlackPOS, which was used in the Target attack. Based on the differences found, it appears the new malware was written by a different person or group entirely.

Some of the differences include:
  • Both families move the harvested data out through network shares, but their techniques differ. BlackPOS uses direct system calls, while the new malware writes the commands out to a batch script and runs it with a call to the CreateProcessA() Windows API.
  • The two use different APIs for process enumeration. BlackPOS calls EnumProcesses(), while the new malware uses CreateToolhelp32Snapshot().
  • Lastly, BlackPOS uses a focused whitelist approach to pick the processes it scrapes, while the new malware scans everything except a blacklist of processes to skip.

Update: November 7, 2014 - Home Depot updated its breach notification page to disclose that a large number of email addresses, to the tune of 53 million, were stolen along with the PII that had already been reported. HD did assure its customers that the file containing the addresses did not contain any payment card info or passwords. Another bit of news regarding the breach is that, as in the Target breach, a third-party vendor was compromised first and then used as the way in to Home Depot. The attackers used credentials stolen from the third party to gain access to the edge of the network, then exploited a vulnerability in the Windows OS to elevate their privileges and reach the terminals.

SOURCE INFORMATION
  • http://krebsonsecurity.com/2014/09/in-wake-of-confirmed-breach-at-home-depot-banks-see-spike-in-pin-debit-card-fraud/ 
  • http://www.darkreading.com/home-depot-breach-may-not-be-related-to-blackpos-target/d/d-id/1315636