Skip to main content

Target Malware Found on Home Depot Card Readers

Home Depot has yet to confirm the nature of the "unusual activity" it detected in its payment systems last week, but evidence of malware has been found on "at least some" registers in Home Depot retail stores, sources close to the investigation told independent security reporter Brian Krebs.

In a blog posting yesterday (Sept. 7), Krebs also said his sources told him the malware appears to be a variant of the BlackPOS/Kartosha (KAPTOXA in Cyrillic) Trojan that hit Target last year. If true, the discovery strengthens Krebs' hunch that the same group behind the Target data theft was responsible for the Home Depot breach.

MORE: How to Survive a Data Breach

BlackPOS infects point-of-sale (PoS) machines (credit card readers, registers, etc.) that run Windows. The malware is a "RAM scraper" that scoops up data from credit cards and debit cards as they're swiped and sends the data to a server under the criminals' control.

Late last month, Tokyo-based antivirus company Trend Micro found a new variant of BlackPOS it named TSPY_MEMLOG.A. The new variant could disguise itself as a specific antivirus program, decreasing the chances it would be detected by retail security teams. Trend Micro did not identify the brand of antivirus program being spoofed, but said the variant would uninstall the real program.

"The information on the malware adds another indicator that those responsible for the as-yet-unconfirmed breach at Home Depot also were involved in the December 2013 attack on Target," Krebs wrote.

Yet Krebs has presented only circumstantial evidence. The trove of stolen credit- and debit-card data linked to Home Depot is being sold in the online "carder" bazaar Rescator, the same marketplace in which much of the Target card "dump" was peddled. But it's possible a different group approached Rescator with the Home Depot dump.

As for the malware similarities, Trend Micro mentioned that the source code for BlackPOS had been revealed in 2012, making it available for any criminal group to freely use and modify. It's also possible that the traces of BlackPOS found on the Home Depot systems are merely coincidental and that the Rescator dump was stolen by other means.

What is clear is that Home Depot has a big problem on its hands. The carders selling the data from the purported Home Depot dump provided the ZIP codes of the location in which each card was stolen. Last week, Krebs compared the ZIP codes of a sample of cards with the ZIP codes of all 2,200 Home Depot retail locations in the United States. He found a 99.4 percent match.

The Home Depot card haul might even be larger than the Target one. Several banks told Krebs they had been tracking fraudulent activity related to Home Depot since April or May of this year.

In the worst-case scenario, all 2,200 US Home Depot retail locations may have been infected with payment-card-stealing malware for four months. By comparison, Target's breach affected approximately 1,800 locations over only three weeks, resulting in 40 million stolen credit and debit cards.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.