Home Depot may have experienced a massive security breach — possibly on a greater scale than last year’s Target breach, which affected an estimated 110 million people.
Home Depot on Wednesday said it was investigating the possibility, following security researcher Brian Krebs’ Tuesday alert.
Multiple banks earlier on Tuesday had seen indications that Home Depot was the source of a huge new batch of stolen credit and debit cards that had gone on sale in the cybercrime underground.
It appears that the perpetrators of the possible breach are the same Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others, Krebs said.
While Home Depot hasn’t confirmed that it has been hacked, it appears to be leaning heavily in that direction.
“We’re looking into some unusual activity that might indicate a possible payment data breach and we’re working with our banking partners and law enforcement to investigate,” the company said in a statement posted online.
The “unusual activity” referenced by Home Depot could be immense, as almost every location apparently was hit, according to updates from Krebs.
The breach probably began in late April or early May, he said. Given all that, “this breach could be much, much bigger than Target.”
An Industry Besmirched
If the Home Depot attack does indeed turn out to be worse than Target’s, the retail industry can expect to take a hit in consumer confidence.
“While Home Depot and other breached retailers continue to reassure consumers that they won’t suffer any actual monetary losses due to fraud, the inconvenience of these seemingly continuous breaches certainly has to weigh on the confidence in the security of retailers overall,” Mark Stanislav, security evangelist at Duo Security, told the E-Commerce Times.
“It’s interesting to consider that if you were to have asked Americans last year, ‘what do you trust more with your financial card — online or brick-and-mortar shopping?’ you’d likely have had people feel confident that shopping in a store was a much safer proposition,” he continued.
“These days, however, it’s feeling like shopping online may actually be a safer bet to your average consumer,” Stanislav said.
Get With the Program
It is easy to blame the retailers for these breaches, and to a certain extent such criticism is warranted.
Even with all the recent breach news, many retailers still don’t fully comprehend the scope or origin of the breaches, Ken Westin, security analyst for Tripwire, told the E-Commerce Times.
With breaches now an epidemic, retailers need to wake up and realize that they are up against sophisticated and tenacious criminals, he said.
The cybercriminals behind these attacks carefully adapt their methods to each business after doing a lot of research on their targets, Westin explained. “They spend time understanding the target network so they can take advantage of inherent weaknesses. Once they infiltrate the network, they deploy sophisticated malware targeting point-of-sale and payment systems that’s able to siphon off credit card data undetected.”
Retailers do take security very seriously, Westin said, but they must shift to a more modern threat-centric approach.
“As these cybercriminals continue to evolve and customize their attack strategies, organizations need adaptive tools that aren’t limited to signature detection,” he recommended.
Recreating the Crime
Retailers can expect further such attacks, because they are viewed as easy targets, Russ Spitler, VP of product management at AlienVault, told the E-Commerce Times.
Most of the major retail chains have not made the investments in cybersecurity that are necessary to stop, or at least slow down, this generation of cyberthieves.
The scale at which the likely Home Depot breach occurred suggests that the cybercriminals accessed the point-of-sale machines from within the corporate network.
“This has been confirmed in the public information available about the Target breach and will likely be seen as more information comes available about the Home Depot situation,” Spitler said.
Much more goes into an attack of this magnitude — a lesson that retailers must absorb, he cautioned. This is how Spitler imagines the crime:
- The cybercriminals launch a broad-based attack against a known vulnerability using a watering hole. Most likely this is done by a different group of hackers who specialize in compromising machines and distributing malware.
“The most common technique is to compromise popular websites and install what is called an ‘exploit kit,’ which targets known vulnerabilities in the browsers and systems of the users browsing to the compromised website,” Spitler said.
- The hackers do a first-level analysis of the systems that are compromised to see what has been brought in by the net of the broad-based attack.
- Once a target has been identified from the catch, the hackers start working toward their objective, which is the POS terminal.
- This is done by performing reconnaissance on the network and identifying the access the machine has and the systems it can access.
- The hackers systematically close in by identifying the ways to access the POS terminals.
“From that point, [they] target a known vulnerability in the system and install the memory-scraping malware that harvests the credit card information,” Spitler said.
- In the critical last step, the hackers move the harvested credit card information from the POS terminals to a location of their choosing.