Home Depot breach a near certainty, yet Backoff remains a question
Home Depot has not yet confirmed that a slew of fraudulent transactions came from a breach of its systems, yet a growing body of evidence points to a massive compromise linked to the home-improvement retail chain.
Financial institutions first detected the suspected breach when they noticed a wave of fraudulent transactions on cards that had all previously been used at Home Depot. On Wednesday, journalist and blogger Brian Krebs, who originally broke the story, analyzed the ZIP codes attached to a recent batch of stolen cards offered for sale on the underground and found a 99 percent match with the locations of Home Depot's stores.
Such a correlation is a “smoking gun,” Lucas Zaichkowsky, enterprise defense architect at AccessData, a digital forensics and security services firm, said in an e-mail interview. Whether Home Depot has been breached is no longer a question, he said.
“The bigger question is why Home Depot didn’t detect the attackers as they maneuvered from their initial entry point past multiple layers of defense, performing internal reconnaissance and escalating privileges in the process,” Zaichkowsky said.
On Tuesday, Home Depot acknowledged that it was working with financial institutions and security firms to investigate the fraudulent transactions and the potential breach. If confirmed, the breach may be the largest theft of credit- and debit-card information to become public this year. With Krebs’ analysis suggesting that transactions from more than 1,700 stores had been compromised for many months, the breach could surpass the 40 million accounts stolen from retail giant Target.
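The ZIP-code correlation described above is a common-point-of-purchase analysis: take the ZIPs attached to the cards in a dump, and ask what fraction of them fall in a ZIP where a given retailer has a store. The following is an added example of that analysis and is not code from the original article or from Krebs; the retailer names, store ZIPs and card ZIPs are all constructed here, not real data. It ranks several candidate retailers rather than testing one, since a high match rate against a single chain means little unless it also beats the alternatives.

```python
"""
Common-point-of-purchase analysis over ZIP codes (added example).

Given the ZIP codes attached to stolen cards offered for sale, and the ZIP
codes of each candidate retailer's stores, compute how many of the card ZIPs
land in a store ZIP and rank the retailers by that match rate.
"""

# Constructed sample data: hypothetical retailers and ZIPs, not real locations.
STORE_ZIPS = {
    "RetailerA": {"30339", "30328", "60601", "94103", "10001"},
    "RetailerB": {"30339", "75201", "98101"},
}

# Constructed ZIPs as they might appear on an underground card listing;
# one is in ZIP+4 form and one is not covered by either retailer.
STOLEN_CARD_ZIPS = [
    "30339", "30328-1234", "60601", "94103",
    "94103", "10001", "99999", "60601",
]


def normalize_zip(z: str) -> str:
    """Reduce ZIP+4 ('30328-1234') and padded strings to the 5-digit ZIP."""
    return z.strip().split("-")[0][:5]


def match_rate(card_zips, store_zips) -> float:
    """Fraction of card ZIPs that fall in one of the retailer's store ZIPs."""
    if not card_zips:
        return 0.0
    stores = {normalize_zip(z) for z in store_zips}
    hits = sum(1 for z in card_zips if normalize_zip(z) in stores)
    return hits / len(card_zips)


def rank_retailers(card_zips, stores_by_retailer):
    """Return (retailer, match_rate) pairs, best match first."""
    scored = [
        (name, match_rate(card_zips, zips))
        for name, zips in stores_by_retailer.items()
    ]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, rate in rank_retailers(STOLEN_CARD_ZIPS, STORE_ZIPS):
        print(f"{name}: {rate:.1%} of stolen-card ZIPs fall in a store ZIP")
```

On the constructed data RetailerA covers 7 of the 8 card ZIPs (87.5 percent) and RetailerB only 1 of 8, which is the kind of gap that makes a single retailer stand out. In practice the card ZIPs come from the billing address on the listing, and a chain with stores in nearly every metropolitan area will score well against almost any dump, so the ranking against other retailers matters more than the raw percentage.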
While details of the breach are not known, some security experts have already spotlighted the Backoff point-of-sale (POS) malware as a likely tool used in the attack. Zaichkowsky pointed to Backoff, or a similar memory-scraping point-of-sale infector, as a likely culprit as well.
Malware targeting point-of-sale systems has become a common tool among cybercriminals. The group behind Backoff, for example, seeks out Internet-exposed remote desktop applications protected by weak passwords, a common problem for retailers, and brute-forces its way in. Once the group has access to the vulnerable systems, they install Backoff, which disguises itself as a Java component on the system and scrapes the memory of running processes for card track data as transactions are processed, storing it for later transmission to a command-and-control server. The technique has compromised an estimated 1,000 businesses, according to the US Secret Service.
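Memory scrapers such as Backoff work because, on a POS terminal, the card's magnetic-stripe data sits in the payment application's memory in clear text for a moment before it is encrypted for authorization. The scraper simply walks process memory looking for the Track 2 layout and keeps whatever passes a checksum. The following is an added example of that search, written from the defender's side as the scan an incident responder or DLP tool would run over a process memory dump; it is not Backoff's code and not from the original article. The sample buffer is constructed here and uses the well-known 4111111111111111 test number, not real card data.

```python
"""
Scan a memory buffer for Track 2 magnetic-stripe data (added example).

Track 2 on the stripe is: start sentinel ';', a 13-19 digit PAN, field
separator '=', expiry as YYMM, a 3-digit service code, discretionary data,
and end sentinel '?'.  A scraper (or a forensic triage script) looks for that
layout and discards candidates whose PAN fails the Luhn check, which is what
separates card numbers from other runs of digits in memory.
"""
import re

TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check over the PAN digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four so a report never carries a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes):
    """Return Luhn-valid Track 2 hits found in buf, with their offsets."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue            # layout matched but the digits are not a card
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry_yymm": m.group(2).decode("ascii"),
            "service_code": m.group(3).decode("ascii"),
        })
    return hits


# Constructed memory region: application strings, one genuine Track 2 record,
# and one decoy whose PAN has a corrupted final digit and so fails Luhn.
SAMPLE_MEMORY = (
    b"\x00\x00POS_TXN_OK\x00\x00"
    b";4111111111111111=25121010000000000000?"
    b"\x00\x00journal.log\x00"
    b";4111111111111112=25121010000000000000?"
    b"\x00\x00"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_MEMORY):
        print(hit)
```

Running it over the sample reports a single hit at offset 14 with the PAN masked to 411111******1111 and expiry 2512; the decoy record is rejected by the Luhn check even though it matches the Track 2 layout. The same regular expression and checksum are what a responder would run over a memory image of the payment process to establish whether card data was exposed, and the masking keeps the triage output itself out of PCI scope.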
Backoff is not the only tool used to attack point-of-sale systems, Zaichkowsky said.
“Any system or user that has access to the POS network is a likely target for exploitation and account hijacking,” he said. “Once inside the POS network, attackers have multiple choices for pilfering card data as it passes through, many of which involve no malware whatsoever.”