Home Depot told its customers today to monitor their bank and credit card accounts for fraud as it continues to investigate the “unusual activity” on its networks that could turn out to be one of the biggest data breaches in U.S. history.
“We’re looking into some unusual activity that might indicate a possible payment data breach and we’re working with our banking partners and law enforcement to investigate. We know that this news may be concerning and we apologize for the worry this can create,” the company said in a statement posted to its website. “If we confirm a breach has occurred, we will make sure our customers are notified immediately.”
The company promises free credit monitoring and other fraud protection services should it confirm a breach; Home Depot said yesterday that it has brought in law enforcement and its banking partners to investigate.
Two batches of credit card numbers, reportedly stolen from Home Depot according to security website Krebs on Security, appeared on the same underground forum that sold payment card data stolen in the Target data breach during the last holiday shopping season. Dan Ingevaldson, CTO of Easy Solutions and a longtime researcher at Internet Security Systems (ISS) and cofounder of Endgame Solutions, said that the cards are selling for $50 to $100 each, a high price that’s likely not to last.
“We believe those prices are likely to come down faster than in the past, as the window of opportunity to profit from stolen cards has shrunk,” Ingevaldson said. “This has happened because financial institutions have become smarter about dealing with these attacks.”
Ingevaldson said banks have amped up fraud detection systems to look for test charges applied to stolen cards before they’re sold in order to prove the number is active and valid. Many underground card dealers, as a result, no longer offer this service, he said.
Large-scale retail data breaches, including the Target breach and recent intrusions at Albertson’s and SUPERVALU supermarkets, United Parcel Service and as many as 1,000 others according to the U.S. Secret Service, involve some manner of point-of-sale malware. Backoff is a PoS malware strain identified by the Secret Service as the culprit in most of the recent attacks. Point-of-sale malware is injected remotely onto a point-of-sale device once an attacker has a foothold on the network through some other weak spot. Once on a device, the malware steals credit card numbers from memory before they’re encrypted on the device and sent to a payment processor.
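The exposure that memory-scraping malware relies on, cleartext card data sitting in a terminal's process memory, is also what an incident responder checks for when confirming a compromise. The following is an added example, not code from the article or any vendor named in it: it scans a constructed process-memory snapshot for track 2 records and bare PANs, keeps only Luhn-valid hits to drop order numbers and timestamps, and reports masked values. The snapshot contents and the test card numbers are constructed.

```python
"""Added example: does this process-memory snapshot hold cleartext card data?
The snapshot and card numbers below are constructed for illustration."""
import re

# Track 2 as read off the magnetic stripe: ;PAN=YYMM...?  (ISO/IEC 7813 layout)
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")
# A bare PAN: 13 to 19 digits not touching other digits
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out IDs and dates that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report findings PCI-style: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_snapshot(buf: bytes):
    """Return sorted (offset, kind, masked_pan) for Luhn-valid card data in buf."""
    findings, seen = [], set()
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append((m.start(), "track2", mask(pan)))
            seen.add(m.start(1))          # don't report the same PAN twice
    for m in PAN_RE.finditer(buf):
        pan = m.group(1).decode()
        if m.start(1) not in seen and luhn_ok(pan):
            findings.append((m.start(), "pan", mask(pan)))
    return sorted(findings)


# Constructed snapshot: one track 2 record, a bare PAN, and digit runs that are not cards.
SNAPSHOT = (
    b"\x00\x00POS terminal 7 auth req\x00"
    b";4111111111111111=2512101?\x00"
    b"order=20140902 total=1999 ref=1234567890123\x00"
    b"5555555555554444\x00"
)

if __name__ == "__main__":
    for offset, kind, masked in scan_snapshot(SNAPSHOT):
        print(f"offset {offset:6d}  {kind:7s}  {masked}")
```

On a real engagement the same scan runs over a dump taken from the payment process, and any hit means the terminal was exposing data the malware in the article is built to harvest.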
“There are a large number of these attackers who rely on automated point and click tools to find merchants using insecure remote access software exposed to the internet,” said Lucas Zaichowsky, enterprise defense architect at AccessData. “Once they’re in the POS system, they drop card data theft malware to steal credit card data as it passes through the system. The same tactics have been used for many years.”
Small retailers have been singled out as especially vulnerable because their payment systems are often managed by third parties that are not security specialists. Those consultants and vendors use remote management tools to access payment devices and systems, and those remote systems are often protected with a default or weak password that is easily exploitable. Once an attacker is in, they look like a legitimate, authenticated user.
“Their presence isn’t obvious since they’re accessing the environment just as the real administrator would. Once there, they’ll manually place newly created variants of specialized card-data-stealing malware, thereby evading anti-malware protection,” Zaichowsky said. “Next-generation malware detection appliances observing Internet traffic will be completely blind to this since it’s being delivered through encrypted command and control channels.”
Zaichowsky spoke at the recent Black Hat conference about the need for point-of-sale vendors to step up and recognize the security dilemma their customers are in.
“Any system or user that has access to the POS network is a likely target for exploitation and account hijacking,” he said. “Once inside the POS network, attackers have multiple choices for pilfering card data as it passes through, many of which involve no malware whatsoever.”