Dark Reading is part of the Informa Tech Division of Informa PLC

Sara Peters, Quick Hits, 12:30 PM


UPDATE: Home Depot Confirms Breach; BlackPOS Implicated

Home Depot confirms there was indeed a breach. Presence of BlackPOS hints that the perpetrators could be the same ones who breached Target.

UPDATED 5:15 p.m. ET: Home Depot has confirmed that it did experience a data breach that affects customers who made credit card purchases at its stores in the United States and Canada; there is no evidence that customers who made purchases in Mexico or on HomeDepot.com were impacted.

The company says that there is no evidence that debit card PINs were compromised. No further details about the nature of the attack or the scope of the damage have been revealed. The investigation is ongoing, with a focus on suspicious activity beginning in April 2014.

Home Depot is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store in 2014, from April on.

"We apologize for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue," said Frank Blake, Home Depot chairman and CEO, in a statement. "We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred. It's important to emphasize that no customers will be responsible for fraudulent charges to their accounts."

Home Depot reiterated its previously announced intentions to roll out EMV Chip-and-PIN technology to its stores by the end of the year, "well in advance of the October 2015 deadline established by the payments industry."

Original Text:

A new variant of the BlackPOS card-slurping point-of-sale malware was used in the still-unconfirmed data breach at Home Depot, sources close to the investigation told Brian Krebs of KrebsOnSecurity.

The presence of BlackPOS is one indicator that the culprits behind the suspected Home Depot attack might be the same people who used BlackPOS to lift 40 million payment card accounts from Target in December 2013. Another indicator, according to Krebs, is that "cards apparently stolen from Home Depot shoppers first turned up for sale on Rescator.cc, the same underground cybercrime shop that sold millions of cards stolen in the Target attack."

Trend Micro first spotted the new BlackPOS variant, TSPY_MEMLOG.A, in the wild on Aug. 22. According to Trend Micro, "What's interesting about TSPY_MEMLOG.A is it disguises itself as an installed service of known [anti-virus] vendor software to avoid being detected and consequently, deleted in the infected PoS systems."
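A masquerading service of the kind Trend Micro describes is easier to hunt for than to spot by name alone: the tell is a service that borrows an anti-virus vendor's name but runs from a directory the real product never installs to, or carries no vendor signature. The following is an added illustration of that check, not code from Trend Micro, Home Depot, or the article; the vendor profile table, the expected install paths, the signer strings and the three sample service records are all constructed assumptions for the demo (real hunts would populate them from the vendor documentation and from a known-good host).

```python
"""Hunt for Windows services that claim an anti-virus vendor's name but
run from an unexpected location or without the vendor's signature.
Added example; vendor profiles and sample data below are constructed."""
import re

# ASSUMED vendor profile: where the real binaries live and who signs them.
# Keys are lowercase keywords matched against service and display names.
VENDOR_PROFILE = {
    "mcafee": {
        "paths": [r"c:\program files\mcafee",
                  r"c:\program files\common files\mcafee"],
        "signer": "mcafee",
    },
    "symantec": {"paths": [r"c:\program files\symantec"], "signer": "symantec"},
    "trend micro": {"paths": [r"c:\program files\trend micro"],
                    "signer": "trend micro"},
}


def _norm(path):
    """Lowercase, unquote and use backslashes so prefix checks are uniform."""
    return path.strip().strip('"').lower().replace("/", "\\")


def image_path_exe(image_path):
    """Pull the executable out of a service ImagePath value, which may be
    quoted and may carry arguments ("C:\\x\\svc.exe" /ServiceStart)."""
    ip = image_path.strip()
    m = re.match(r'"([^"]+)"', ip)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.exe)", ip, re.IGNORECASE)
    return m.group(1) if m else ip.split(" ")[0]


def claimed_vendor(service):
    """Which vendor, if any, does the service name or display name evoke?"""
    text = (service["name"] + " " + service["display_name"]).lower()
    for vendor in VENDOR_PROFILE:
        if vendor in text:
            return vendor
    return None


def check_service(service):
    """Return a list of reasons the service looks like an impostor, an empty
    list if it matches the claimed vendor's profile, or None if it claims
    no AV vendor at all."""
    vendor = claimed_vendor(service)
    if vendor is None:
        return None
    profile = VENDOR_PROFILE[vendor]
    exe = _norm(image_path_exe(service["image_path"]))
    reasons = []
    if not any(exe.startswith(p) for p in profile["paths"]):
        reasons.append("binary outside vendor install dir: " + exe)
    if profile["signer"] not in service.get("signer", "").lower():
        reasons.append("binary not signed by " + vendor)
    return reasons


def suspicious_services(services):
    """Map service name -> reasons for every service that fails the check."""
    flagged = {}
    for svc in services:
        reasons = check_service(svc)
        if reasons:
            flagged[svc["name"]] = reasons
    return flagged


# Constructed sample records (as one might export with `sc qc` plus a
# signature check); not taken from any real incident.
SAMPLE_SERVICES = [
    {"name": "McAfeeFramework", "display_name": "McAfee Framework Service",
     "image_path": r'"C:\Program Files\McAfee\Agent\masvc.exe" /ServiceStart',
     "signer": "McAfee, Inc."},
    {"name": "mcafeesvc", "display_name": "McAfee Security Service",
     "image_path": r"C:\Windows\Temp\mcafeesvc.exe",
     "signer": ""},
    {"name": "Spooler", "display_name": "Print Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe",
     "signer": "Microsoft Windows"},
]

if __name__ == "__main__":
    for name, why in suspicious_services(SAMPLE_SERVICES).items():
        print(name, "->", "; ".join(why))
```

The keyword match is deliberately loose so that a look-alike name is caught; the install-path and signer checks are what actually separate the genuine agent from the impostor, which is why a legitimate McAfee service in the sample passes while the one running out of `C:\Windows\Temp` with no signature is flagged on both counts.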

The new variant also uses similar tactics to offload pilfered data. As Trend Micro reports, in the Target breach, the attackers "offloaded the gathered data to a compromised server first while a different malware running on the compromised server uploaded it to the FTP. We surmise that this new BlackPOS malware uses the same exfiltration tactic."
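The two-hop exfiltration Trend Micro describes leaves a detectable shape in network flow data: POS terminals pushing data to an internal host they have no business talking to, and that same host later uploading to an external FTP server. As an added illustration (not code from Trend Micro or the article), the block below correlates those two signals over flow records. The POS subnet, the corporate address space, the POS allow-list and the flow lines are constructed assumptions for the demo; in a real deployment they would come from the segmentation design and the flow collector.

```python
"""Correlate POS -> internal staging host -> external FTP in flow records.
Added example; network ranges, allow-list and sample flows are constructed."""
import ipaddress
from collections import defaultdict

POS_NET = ipaddress.ip_network("10.10.0.0/16")    # ASSUMED POS segment
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # ASSUMED corporate space
# ASSUMED: the only (host, port) pairs a POS terminal legitimately needs,
# e.g. the payment gateway and an internal DNS resolver.
POS_ALLOWED = {("10.20.1.5", 443), ("10.20.1.9", 53)}
FTP_PORTS = {21, 990}

# Constructed flow records: src_ip,src_port,dst_ip,dst_port,bytes_out
SAMPLE_FLOWS = """\
10.10.4.21,51000,10.20.1.5,443,1800
10.10.4.21,51001,10.30.7.8,445,2400000
10.10.5.77,51200,10.30.7.8,445,1900000
10.10.5.77,51201,10.20.1.9,53,120
10.30.7.8,40000,203.0.113.10,21,4300000
10.30.2.2,40010,198.51.100.7,443,9000
"""


def parse_flows(text):
    """Parse the CSV-style flow lines into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, nbytes = line.split(",")
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def pos_policy_violations(flows):
    """Segmentation check: POS hosts talking to anything off the allow-list."""
    return [(f["src"], f["dst"], f["dport"]) for f in flows
            if ipaddress.ip_address(f["src"]) in POS_NET
            and (f["dst"], f["dport"]) not in POS_ALLOWED]


def find_exfil_chain(flows):
    """Return {staging_host: {"feeders": [POS hosts], "uploads": [...]}} for
    every internal host that both received off-policy traffic from POS
    terminals and sent traffic to an external FTP port."""
    feeders = defaultdict(set)    # internal host -> POS hosts that fed it
    uploads = defaultdict(list)   # internal host -> external FTP uploads
    for f in flows:
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        if src in POS_NET and dst in INTERNAL \
                and (f["dst"], f["dport"]) not in POS_ALLOWED:
            feeders[f["dst"]].add(f["src"])
        if src in INTERNAL and dst not in INTERNAL and f["dport"] in FTP_PORTS:
            uploads[f["src"]].append((f["dst"], f["dport"], f["bytes"]))
    chains = {}
    for host in feeders.keys() & uploads.keys():
        chains[host] = {"feeders": sorted(feeders[host]),
                        "uploads": uploads[host]}
    return chains


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("POS policy violations:", pos_policy_violations(flows))
    print("exfil chains:", find_exfil_chain(flows))
```

Either signal on its own is noisy (an FTP upload from a file server may be routine, and a single off-policy POS connection may be a misconfiguration); it is the join of the two on the same internal host that makes the staging pattern stand out, and it is only possible because the POS segment has a narrow enough allow-list for "off-policy" to mean something.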

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
User Rank: Apprentice
9/9/2014 | 9:34:33 AM
Re: Was Home Depot PCI DSS Compliant?
Good questions.  I had very similar thoughts
User Rank: Ninja
9/8/2014 | 1:44:02 PM
Was Home Depot PCI DSS Compliant?
I am curious - was Home Depot certified for PCI DSS compliance, and if so, when? If they were indeed breached, how did the malware enter the environment, and eventually spread to the POS endpoints? PCI scoped machines are supposed to be isolated from the rest of the network using some sort of segmentation strategy. Particularly disturbing is the malware's method of evading detection. Did Home Depot have a centrally managed anti-malware application? If they did, then shouldn't it have either actively or passively detected and informed the central management platform that something was amiss? Additionally, if this malware is a variant of the one that hit Target, then its basic behavior pattern should already be known to anti-malware applications and mitigation strategies, so how did the data exfiltration escape detection (assuming that they were, in fact, breached)? One would think that retailers in general would be more vigilant and already be on the lookout for this type of event, and have a strategy in place to combat it. I also wonder how many big name retailers actually re-evaluated their security posture after the Target incident. Does anyone know of any surveys that asked companies if they did anything like that?