Naturally, early speculation on the malware culprit behind the possible Home Depot data breach has leaned toward Backoff.
The point-of-sale malware, one of many used against payment terminals, has recently been blamed for more than 1,000 attacks on businesses, prompting the U.S. Secret Service to issue an advisory warning businesses of the threat.
And while Home Depot has yet to confirm that there has been a breach, much less that Backoff is to blame, experts are taking a renewed interest in this particular malware genre. Invincea, for one, posted a report yesterday analyzing the code and concluding that not only are retailers falling down in the upkeep of their security gear, but detection technology isn’t keeping up with point-of-sale malware variants.
“BackOff is not a particularly sophisticated Windows Trojan. It was simply re-purposed to run on Windows-based POS systems and capture credit card data from memory,” wrote Pat Belcher of Invincea. “In other words, BackOff should have been detected by standard Windows antivirus software. In fact, most large antivirus vendors had detection signatures in place for most variants within days of initial discovery in the wild.”
Merchants, he said, are either not running antivirus on the servers managing point-of-sale devices or not updating it regularly. The end result in Home Depot’s case could be the largest retail data breach in U.S. history, dwarfing even Target. The Target breach happened over a three-week period during the 2013 holiday shopping season and affected 1,800 Target locations. Experts believe the Home Depot breach could date back to April and affect 2,200 retail locations in the U.S. and others abroad.
Invincea’s Belcher says Backoff doesn’t behave much differently from other point-of-sale malware in that it scrapes payment card data from memory before it is encrypted on the device. He said Backoff installs itself as a service that starts at boot, meaning it survives a memory-clearing reboot.
“It’s a very small, simple, backdoor Trojan that is memory-resident, and listens on port 80 for command and control,” Belcher wrote. “It also hides information about itself by posing as an Adobe Flash Player update in the system registry. For once, malware doesn’t take advantage of a Flash vulnerability, but it tries to pin the blame on it anyways.”
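The three traits Belcher describes (a service that persists across reboot, a listener on TCP/80 for command and control, and a registry entry posing as an Adobe Flash Player update) can be turned into a simple host triage check. The following is an added example, not Invincea’s or Threatpost’s code; the autostart entries, the netstat lines and the expected Flash install directories are all constructed assumptions.

```python
import re

# Constructed autostart entries (service / Run-key style) as a collector might
# pull them from a Windows POS host. Names, paths and PIDs are made up.
AUTOSTARTS = [
    {"name": "Adobe Flash Player Updater",
     "image": r"C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe", "pid": 1208},
    {"name": "Adobe Flash Player Update Service",
     "image": r"C:\Users\POS1\AppData\Roaming\AdobeFlashPlayer\mswinsvc.exe", "pid": 2420},
    {"name": "Print Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe", "pid": 1316},
]

# Constructed listening sockets in `netstat -ano` style: proto, local, remote, state, pid.
NETSTAT = """\
TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    904
TCP    0.0.0.0:80     0.0.0.0:0    LISTENING    2420
TCP    0.0.0.0:445    0.0.0.0:0    LISTENING    4
"""

# Where a genuine Flash updater binary would be expected (assumption; compared case-insensitively).
EXPECTED_FLASH_DIRS = (r"c:\windows\system32\macromed\flash",
                       r"c:\windows\syswow64\macromed\flash")


def listening_pids(netstat_text, port):
    """Return the set of PIDs with a TCP listener on `port`."""
    pids = set()
    for line in netstat_text.splitlines():
        m = re.match(r"TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", line)
        if m and int(m.group(1)) == port:
            pids.add(int(m.group(2)))
    return pids


def triage(autostarts, netstat_text, web_server_host=False):
    """Return (name, reasons) for every autostart showing one or more of the described traits."""
    port80 = listening_pids(netstat_text, 80)
    findings = []
    for entry in autostarts:
        reasons = []
        claims_flash = "flash" in entry["name"].lower()
        in_flash_dir = entry["image"].lower().startswith(EXPECTED_FLASH_DIRS)
        if claims_flash and not in_flash_dir:
            reasons.append("Flash-named autostart outside the Flash install directory")
        # A POS host that serves no web content has no legitimate reason to listen on 80.
        if entry["pid"] in port80 and not web_server_host:
            reasons.append("listens on TCP/80 on a host that is not a web server")
        if reasons:
            findings.append((entry["name"], reasons))
    return findings
```

Running `triage(AUTOSTARTS, NETSTAT)` flags only the second entry, on both counts; the legitimate updater in the Flash directory and the spooler pass.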
Home Depot as of this morning has yet to confirm a breach, only adding that it has hired FishNet Security to help with the investigation.
“There is no higher priority for us at this time than to rapidly gather the facts so that we can provide answers to our customers. We know these types of incidents can cause frustration and concern and we apologize for that,” said spokesperson Paula Drake in an email to Threatpost. “It’s important to note that in the event we determine there has been a data breach, our customers will not be responsible for any possible fraudulent charges. The financial institution that issued the card or Home Depot are responsible for those charges.”
Home Depot has repeatedly urged customers to be vigilant about monitoring credit card statements and bank account activity, and has said it will offer free identity protection services, including credit monitoring, to impacted customers.
In the meantime, security website Krebs on Security, which broke the story earlier this week, published additional research culled from the underground forum hosting the credit cards reportedly stolen from Home Depot. Krebs said the rescator[.]cc site, the same forum that sold cards stolen from Target, indexed the purported Home Depot numbers by city, state, and ZIP code. A comparison of those ZIP codes against a commercial marketing list of Home Depot retail locations in the U.S. showed an overlap of almost 100 percent.
Drake said Home Depot had no comment on Krebs’ latest finding.