Different hackers hit Home Depot and Target
Home Depot Inc. was hacked with a malicious software program that plunders store registers while disguising itself as antivirus software, according to two security researchers.
The credit card-stealing program used in the attack on the Atlanta-based retailer is being dubbed FrameworkPOS, and differs significantly from the software used last year to hack Target Corp., said Dan Guido, chief executive officer of Trail of Bits, an information security company.
Guido, who reviewed technical information about the Home Depot incident, said the differences in the malware are strong indicators that the hacks are probably the work of two different groups.
A second cyber security researcher familiar with the investigation confirmed that the malware used is a different family and said its name, FrameworkPOS, is derived from the McAfee antivirus agent it impersonates. He asked not to be identified because the investigation is still under way.
The malware’s disguise was meant to keep Home Depot’s security team from taking a deeper look, even if the retailer wasn’t deploying McAfee products on its registers or elsewhere in its network.
Paula Drake, a Home Depot spokeswoman, said the company is continuing to investigate.
“So at this point, we aren’t going to comment on any speculation,” she said in an e-mail. McAfee representatives did not respond immediately to requests for comment.
The malware code is sprinkled with anti-American references, including a link to a Wikipedia entry on wars involving the United States and a website promoting a book on American imperialism. The references have no relation to the way the software functions and appear to be meant as a message from the hackers, the second researcher said.
Home Depot confirmed a breach of credit card information at its stores on Monday, after the security blogger Brian Krebs reported signs of a hack on Sept. 2.
The retailer has not released details of how many cards may have been compromised. The hack follows a similar incident at Minneapolis-based Target last December, which exposed some 40 million cards.
POS stands for “point of sale,” and in both cases the malware was designed to capture credit card numbers after customers swiped them at registers. Major differences between the two pieces of code from the Home Depot and Target cases include how and where the malware installs itself, how it interacts with the operating system, and how the software hides — or scrambles — credit card numbers as they sit on the company’s network before they’re exfiltrated, or sent outside the system.
Also, the memory-scraping malware used against Target didn’t mimic antivirus software.
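The disguise described above (a service posing as a McAfee agent on registers where McAfee was not deployed) suggests a simple hunt. The check below is an added example, not code from the article or from any investigation it cites: it flags services that claim an antivirus vendor the organisation does not deploy, or whose code signer does not match the vendor they claim. The service inventory, vendor patterns and expected signer strings are constructed for illustration.

```python
"""Flag services that impersonate an antivirus vendor.
Added example; the inventory below is constructed, not taken from the article."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Vendor name patterns; the same pattern is expected in the Authenticode
# publisher of a genuine binary from that vendor (assumption for this example).
AV_VENDORS = {
    "mcafee": re.compile(r"mcafee", re.I),
    "symantec": re.compile(r"symantec", re.I),
}

@dataclass
class Service:
    name: str
    display_name: str
    path: str
    signer: Optional[str]  # Authenticode publisher, None if unsigned

def claimed_vendor(svc: Service) -> Optional[str]:
    """Return the AV vendor a service claims to be, based on its name, display name or path."""
    text = f"{svc.name} {svc.display_name} {svc.path}"
    for vendor, pat in AV_VENDORS.items():
        if pat.search(text):
            return vendor
    return None

def find_impostors(services: List[Service], deployed_av: Set[str]) -> List[Tuple[str, str]]:
    """Report services claiming an AV vendor that is not deployed, or whose signer does not match."""
    findings = []
    for svc in services:
        vendor = claimed_vendor(svc)
        if vendor is None:
            continue
        if vendor not in deployed_av:
            findings.append((svc.name, f"claims {vendor}, which is not deployed here"))
        elif not svc.signer or not AV_VENDORS[vendor].search(svc.signer):
            findings.append((svc.name, f"claims {vendor} but signer is {svc.signer!r}"))
    return findings

# Constructed inventory, as might be exported from Win32_Service plus a signature lookup.
SAMPLE = [
    Service("mcafeeagent", "McAfee Agent", r"C:\ProgramData\mcafee\agent.exe", None),
    Service("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe", "Microsoft Windows"),
    Service("SepMasterService", "Symantec Endpoint Protection",
            r"C:\Program Files\Symantec\ccSvcHst.exe", "Symantec Corporation"),
]

if __name__ == "__main__":
    for name, reason in find_impostors(SAMPLE, deployed_av={"symantec"}):
        print(f"SUSPICIOUS service {name}: {reason}")
```

Run against a register fleet, the inventory would come from the endpoint management or EDR tooling; an unsigned binary claiming a vendor the fleet does not use is worth a deeper look regardless of its name.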