On Tuesday morning last week, a massive batch of stolen U.S. payment card data hit the underground cybercrime market.
Brian Krebs broke the news the same day. An investigation followed: according to Reuters, “five states,” including California, Connecticut, Illinois, New York and Iowa, “launched a joint probe into the data breach on the payment-card processing systems of Home Depot Inc.”
Did we mention this breach is massive?
Security experts have linked the Home Depot data breach to the same malware used on Target a year ago. According to a tip, Krebs said, it’s a variant of BlackPOS, also known as Kaptoxa: “a malware strain designed to siphon data from cards when they are swiped at infected point-of-sale systems running Microsoft Windows.”
Trend Micro identified the new variant two weeks ago, on August 29, noting its “enhanced capability to capture card data from the physical memory of infected point-of-sale devices” while disguising itself “as a component of the antivirus product running on the system.”
In all likelihood, this is the work of the same Russian and Ukrainian hackers who perpetrated the recent attacks on Target, Sally Beauty and P.F. Chang’s.
How do we know? For one thing, the malware offers some clues: “The new BlackPOS variant includes several interesting text strings. Among those are five links to Web sites featuring content about America’s role in foreign conflicts, particularly in Libya and Ukraine.”
Clearly, the attack is politically charged. Many of the stolen cards were labeled “American Sanctions” on Rescator. Compromised cards from European banks were labeled “European Sanctions.” Apparently these criminals are not happy about the U.S. and European sanctions against Russia for its dealings in Ukraine.
It’s painful, but true: the Home Depot breach may date all the way back to April. Which means it’s possible the criminals have had access to the stolen data for an excruciating five months. Indeed, the Home Depot data breach appears to be the biggest ever.
What are the implications? And why is this particular breach so enormous? That’s the subject of our next post: stay tuned.