The Commercial Appeal

Different hackers hit Home Depot and Target

- By Dune Lawrence and Michael Riley

Home Depot Inc. was hacked with a malicious software program that plunders store registers while disguising itself as antivirus software, according to two security researchers.

The credit card-stealing program used in the attack on the Atlanta-based retailer is being dubbed FrameworkPOS, and differs significantly from the software used last year to hack Target Corp., said Dan Guido, chief executive officer of Trail of Bits, an information security company.

Guido, who reviewed technical information about the Home Depot incident, said the differences in the malware are strong indicators that the hacks are probably the work of two different groups.

A second cyber security researcher familiar with the investigation confirmed that the malware used is a different family and said its name, FrameworkPOS, is derived from the McAfee antivirus agent it impersonates. He asked not to be identified because the investigation is still under way.

The malware’s disguise was meant to keep Home Depot’s security team from taking a deeper look even if the retailer wasn’t deploying McAfee products on its registers or elsewhere in its network.

Paula Drake, a Home Depot spokeswoman, said the company is continuing to investigate.

“So at this point, we aren’t going to comment on any speculation,” she said in an e-mail. McAfee representatives did not respond immediately to requests for comment.

The malware code is sprinkled with anti-American references, including a link to a Wikipedia entry on wars involving the United States and a website promoting a book on American imperialism. The references have no relation to the way the software functions and appear to be meant as a message from the hackers, the second researcher said.

Home Depot confirmed a breach of credit card information at its stores on Monday, after the security blogger Brian Krebs reported signs of a hack on Sept. 2.

The retailer has not released details of how many cards may have been compromised. The hack follows a similar incident at Minneapolis-based Target last December, which exposed some 40 million cards.

POS stands for “point of sale” and in both cases, malware was designed to capture credit card numbers after customers swiped them at registers. Major differences between the two pieces of code from the Home Depot and Target cases include how and where the malware installs itself, how it interacts with the operating system, and how the software hides — or scrambles — credit card numbers as they sit on the company’s network before they’re exfiltrated, or sent outside the system.

Also, the memory-scraping malware used against Target didn’t mimic antivirus software.

ASSOCIATED PRESS FILE Home Depot’s data breach confirmed Monday could wind up being among the largest ever for a retailer and follows last year’s hacking of Target credit card accounts.
