Home Depot’s Malware Hints That Its Hackers Weren’t Target’s

Home Depot Inc. was hacked with a malicious software program that plunders store registers while disguising itself as antivirus software, according to two security researchers.

The credit card-stealing program used in the attack on the Atlanta-based retailer is being dubbed FrameworkPOS, and differs significantly from the software used last year to hack Target Corp., said Dan Guido, chief executive officer of Trail of Bits, an information security company. Guido, who reviewed technical information about the Home Depot incident, said the differences in the malware are strong indicators that the hacks are probably the work of two different groups.

A second cyber security researcher familiar with the investigation confirmed that the malware used is a different family and said its name, FrameworkPOS, is derived from the McAfee Inc. antivirus agent it impersonates. He asked not to be identified because the investigation is still under way. The malware’s disguise was meant to keep Home Depot’s security team from taking a deeper look even if the retailer wasn’t deploying McAfee products on its registers or elsewhere in its network.

Paula Drake, a Home Depot spokeswoman, said the company is continuing to investigate. “So at this point, we aren’t going to comment on any speculation,” she said in an e-mail.

McAfee spokesman Chris Palm said the company’s products are “able to detect and deflect this malware, so there is no risk to our companies.” The designers “simply named their malware to resemble a piece of McAfee software, hoping investigators would see it and simply move on,” a common tactic, he said.

Anti-American Messages

The malware code is sprinkled with anti-American references, including a link to a Wikipedia entry on wars involving the U.S. and a website promoting a book on American imperialism. The references have no relation to the way the software functions and appear to be meant as a message from the hackers, the second researcher said.

Home Depot confirmed a breach of credit card information at its stores on Sept. 8, after the security blogger Brian Krebs reported signs of a hack on Sept. 2. The retailer has not released details of how many cards may have been compromised. The hack follows a similar incident at Minneapolis-based Target last December, which exposed some 40 million cards.

Major Differences

POS stands for “point of sale” and in both cases, malware was designed to capture credit card numbers after customers swiped them at registers. Major differences between the two pieces of code from the Home Depot and Target cases include how and where the malware installs itself, how it interacts with the operating system, and how the software hides -- or scrambles -- credit card numbers as they sit on the company’s network before they’re exfiltrated, or sent outside the system. Also, the memory-scraping malware used against Target didn’t mimic antivirus software.

A screenshot of lines of code from the FrameworkPOS malware provided by the second security researcher shows some of the hidden messages, including a link to a blog post comparing U.S. military intervention in Libya with its support of the government in Ukraine against a rebellion in the Russian speaking east portion of the country.

Stolen Home Depot credit card numbers have turned up for sale on a major online emporium called Rescator.cc, which has been linked to a Ukrainian stolen credit-card dealer based in Odessa. Rescator also sold stolen cards from the Target hack, and some researchers have cited that as evidence that the two retailers were breached by the same group of hackers.

Senators Inquire

Guido said the differences in the malware are pronounced enough to undermine that theory.

“The development of a new piece of malware is not something you take lightly -- this required some engineering,” he said. “It’s probably not the same group as hit Target.”

Lawmakers have begun probing how Home Depot was breached. Senators Jay Rockefeller, a West Virginia Democrat and chairman of the Senate Commerce Committee, and Claire McCaskill, a Missouri Democrat, sent the company a letter today requesting a briefing.

“We ask that Home Depot’s information-security officials provide a briefing to committee staff regarding your company’s investigation and latest findings on the circumstances that may have permitted unauthorized access to sensitive customer information,” the senators wrote in the letter to Francis Blake, Home Depot chairman and chief executive officer.

The senators sent a similar letter to Apple Inc.’s Chief Executive Officer Tim Cook. Hackers stole photos of nude celebrities from Apple’s iCloud service, although the company said its security wasn’t breached.

Before it's here, it's on the Bloomberg Terminal.
LEARN MORE