New reports suggest that the same malware that struck Target’s point-of-sale systems over the holidays was also used to target card data on Home Depot’s systems.
On Sunday, security journalist Brian Krebs reported that a new variant of the malware in question, BlackPOS, was used in the Home Depot incident. Krebs, who uncovered the Target breach last December as well as the breach at Home Depot earlier this month, has tracked both incidents closely.
Citing a source close to the Home Depot probe, Krebs said that the new strain of BlackPOS, also known as “KAPTOXA,” infected “at least some of Home Depot’s store registers.”
In addition to the account from the anonymous source, Krebs found that stolen card information was for sale on Rescator.cc, an underground location where millions of cards linked to the Target breach were sold. He also noted that news of BlackPOS impacting Home Depot cropped up shortly after security firm Trend Micro detailed a new variant of the malware in late August.
In its blog post, Trend Micro explained that the RAM scraping malware had picked up new tricks, such as using a “new custom search routine to check the RAM for track data.”
“Track data is where the information necessary to carry out card transactions is located; on the card this is stored either on the magnetic stripe or embedded chip,” the blog post said.
The malware was capable of logging card data more efficiently, by ignoring specific processes during its scan, the firm said.
“It has an exclusion list that functions to ignore certain processes where track data is not found,” the firm continued. “This skipping of scanning specific processes is similar to VSkimmer.”
In prepared emailed commentary to SCMagazine.com, Adam Kujawa, head of malware intelligence at Malwarebytes Labs, added on Monday that the “newer BlackPOS utilized an additional application that it drops in order to send the stolen data back to the command-and-control server, while the original BlackPOS did this simply by utilizing a line of code within the already running malware process.”
“At the end of the day, it’s almost like you have an entirely new tool to use for your nefarious operations and also possibly have a new product to sell to your customers looking to do the same,” Kujawa said of attackers.
On Monday, Home Depot officially confirmed that it was in fact breached, and that customers who used payment cards at its stores in the U.S. and Canada may have been affected. The home improvement retailer added in its news release that it was still determining the “full scope, scale and impact” of the incident, but that there was no evidence that debit PIN numbers were compromised.
Upon initially revealing information about the Home Depot breach, Krebs determined that all of the company’s 2,200 stores could be impacted, and that the incident may have dated back to late April or early May. He also said that the breach could be “many times larger” than the one hitting Target in December, where approximately 40 million credit and debit cards were impacted.