A potent malware strain called BlackPOS, a supercharged variant of the malware suspected in Target's colossal breach last December, is responsible for the Home Depot attack, which took forensic investigators six days to identify.
BlackPOS, also known as Kaptoxa, is designed to steal card data from payment cards when they are swiped at a point-of-sale (POS) terminal, or digital register, that has been infected with it. It is memory-scraping malware rather than a virus: it reads the card data out of the memory of the POS software while a transaction is processed. The machines compromised by BlackPOS are POS systems running Microsoft Windows.
The news was first reported by the widely respected Krebs on Security blog.
A BlackPOS variant was the culprit in the Target breach, in which roughly 40 million payment cards and personal data on up to 70 million customers were stolen, fueling over $100 million in fraudulent charges. In the Target hit, forensic investigators found that the Trojan had been installed on the retailer's POS terminals. The breach cost Target's then-CEO Gregg Steinhafel his job.
The damage from the Home Depot strike is still being tallied. Incredibly, the company first learned of the breach from its banking partners, who noticed cards being dumped on underground card shops like Rescator.cc and traced them back to Home Depot. The stolen cards date back to April, which raises the question of why the retail chain only began its investigation last week.
The grim news doesn't end there. While Home Depot chief Frank Blake assured customers yesterday in a wanly worded press release that no customer PIN data had been compromised, Krebs on Security reported that cards used at the company's stores were still being dumped on the black market as of Tuesday, with banks taking big hits from the fraud.
Indeed, the hackers have been busy creating counterfeit cards from the data stolen from the company's customers and using them on buying sprees at big-box chains around the country. By changing the PINs on the accounts, the Home Depot fraudsters have also been withdrawing cash from ATMs.
They are able to do so because banks' automated phone systems verify a PIN change against personal details tied to the cardholder's account, such as a Social Security number, rather than against the PIN itself.
The news gets worse. According to Krebs's blog post:
“Here’s the critical part: The card data stolen from Home Depot customers and now for sale on the crime shop Rescator[dot]cc includes both the information needed to fabricate counterfeit cards as well as the legitimate cardholder’s full name and the city, state, and ZIP of the Home Depot store from which the card was stolen (presumably by malware installed on some part of the retailer’s network, and probably on each point-of-sale device).”
Adam Kujawa, head of intelligence at Malwarebytes, told VentureBeat late Monday that the new BlackPOS variant was enhanced and altered both for greater effectiveness and to throw investigators off the trail. The next strain, he said, will likely be even more potent than BlackPOS.
"Oftentimes, when a certain type of malware becomes too well known by the security industry, the creators of the malware will modify the code and use new methods of obfuscation and encryption in order to thwart detection attempts. This could be what has occurred with BlackPOS," Kujawa said.
While the FBI and Symantec continue to tally the toll at Home Depot, the malware's creators, and those involved in the scheme, are likely already at work on a new strain.
“The newer BlackPOS utilized an additional application that it drops in order to send the stolen data back to the command and control server, while the original BlackPOS did this simply by utilizing a line of code within the already running malware process,” Kujawa noted.
“At the end of the day, it’s almost like you have an entirely new tool to use for your nefarious operations and also possibly have a new product to sell to your customers looking to do the same,” he said.