Home Depot's US store systems were hacked by attackers targeting customers' credit card data with a variant of BlackPOS, the malware that was responsible for the Target US data breach last December.
The incident was revealed by security journalist Brian Krebs, who asserts the breach was aided in part by a new variant of BlackPOS known as KAPTOXA, a malware strain designed to siphon data from cards when they are swiped at infected point-of-sale systems running Microsoft Windows.
Home Depot confirmed the breach and advised that customers using credit cards at its stores in the US and Canada may have been affected.
In a blog post, Trend Micro explained details of the new strain of the malware, highlighting new tricks, such as using “custom search routines to check the RAM for track data.”
“Track data is where the information necessary to carry out card transactions is located; on the card this is stored either on the magnetic stripe or embedded chip,” the blog post said.
The malware was capable of logging card data more efficiently by ignoring specific processes during its scan, the firm claimed. “It has an exclusion list that functions to ignore certain processes where track data is not found and this skipping of scanning specific processes is similar to VSkimmer.”
Adam Kujawa, head of malware intelligence at Malwarebytes Labs, added that the “newer BlackPOS utilized an additional application that it drops in order to send the stolen data back to the command-and-control server, while the original BlackPOS did this simply by utilizing a line of code within the already running malware process.”
“At the end of the day, it's almost like you have an entirely new tool to use for your nefarious operations and also possibly have a new product to sell to your customers looking to do the same,” Kujawa said of attackers.
The home improvement retailer said it was still determining the "full scope, scale and impact" of the incident, but that there was no evidence that debit PIN numbers were compromised.
Home Depot reiterated its previously announced intentions to roll out chip-and-PIN technology to its stores by the end of the year, in advance of the October 2015 deadline established by the payments industry in the US.
Home Depot US is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store from April 2014 on.