Malware: Examining the Home Depot BreachExperts Analyze Malware Details, Attack Vector
Security experts are analyzing the latest details that big-box retailer Home Depot provided about the data breach that exposed 56 million payment cards, including the nature of the malware used in the attack.
Home Depot offered an update on its breach investigation Sept. 18, saying that criminals involved in the cyber-attack used "custom-built" malware, which had not been used in other attacks. The malware, present on Home Depot's payment systems between April and September, has since been eliminated from its U.S. and Canadian networks, the retailer says.
Several security experts, however, suggest that the malware used in the breach likely was a variant of malware used in other attacks.
"Hackers borrow and steal code from each other and build on previous versions," says Avivah Litan, an analyst at the consultancy Gartner. "They rarely start from scratch unless, perhaps, in the case of state-sponsored specialized targeted attacks."
Similarly, Ed Ferrara, a fraud analyst at Forrester Research, says the malware is likely "custom" in the sense that it is a new variant of an existing package. "Hackers are lazy," he says. "Why create something brand new when variation of an existing tool or technique will work?"
So how did the cyber-attackers deploy the malware to gain access to the card data? "They probably used attack vectors similar to what we saw used at Target," Litan says (see: Target Vendor Acknowledges Breach). The hackers likely completed "an initial breach through a third-party supplier workstation, followed by a couple of months of surveillance of the cardholder data environment, followed by testing the attack, followed by the data capture and exfiltration," she says.
Tyler Shields, a senior analyst at Forrester, says the malware most likely was installed on the point-of-sale systems, automating the collection of credit card entry data, sending it to an offsite collection system.
"It could also have sat on a central server or system somewhere further back in the payment system that saw every transaction going through the system," he says. "We don't have enough public data to know for sure, but the indicators I've heard so far are pointing at POS-specific malware."
A report from security blogger Brian Krebs that the investigation was focusing on self-checkout lanes poses some interesting possibilities, because those systems are likely different than other systems in the check-out lanes of the stores, Shields says. "It may have been the lowest-hanging fruit for the attacker to pluck."
The underlying network at self-checkout lanes is likely to be the same as that for full-service lanes, but the specific POS terminal types may be different, says Tom Wills, a payment fraud expert at consultancy Secure Strategies. "It's possible a vulnerability was found on the check-out lane devices ... and the attackers were just following the path of least resistance."
Enhanced Payment Security
Home Depot says it completed a major payment security project that provides enhanced encryption of payment data at the point of sale in the company's 1,977 U.S. stores. The retailer says it used technology from Voltage Security.
Rollout of enhanced encryption to 180 Canadian stores will be completed by early 2015, the company says. All Canadian stores are already equipped with EMV technology; U.S. stores will have EMV in place by the end of this year.
Gartner's Litan says the Home Depot enhancements are point-to-point encryption, which means card data is encrypted as soon as it is read and not decrypted until it gets to a processor. "This definitely protects the data from being hacked," she says.
The security improvements show that Home Depot is taking the right steps, says Al Pascual, director of fraud and security at Javelin Strategy & Research. "But I think the most important lesson in all of this is that most retailers don't generally have the acumen, budgets or wherewithal to secure every part of their network from intrusions," he says.
"If some of their budgets were adjusted to make room for encryption or tokenization right now, then everyone would be better off," Pascual says. "But this is unlikely because you would be asking them to abandon some investments made based on years of security recommendations."
Home Depot did not respond to a request for comment regarding the new payment security features or the nature of the malware used in the attack.
Avoid Taking Shortcuts
A key takeaway from the Home Depot incident and other recent retailer breaches is that merchants seem to be taking shortcuts when it comes to security, says Adam Kujawa, a malware intelligence analyst at Malwarebytes. "I imagine they never considered the possibility of these attacks actually happening on a large scale," he says.
"Attackers are getting more targeted and more creative in their approaches," he says. "In many cases, technical information about the systems being used for POS services can be obtained online. Using this information, an attacker can determine the best way to infiltrate the systems and modify their attack plan based on trial and error."
Home Depot apparently missed an opportunity to learn from the Target breach, Wills says. "Retailers, and especially those the size of Home Depot, need to assume that they'll be targeted by card data thieves, and protect their systems accordingly."