Home Depot

Tuesday morning was marked by a rise in activity in the cybercrime underground, specifically in the stolen credit and debit card department.  Two huge batches of cards were unloaded Tuesday afternoon in an online card dump; one was labeled “European Sanctions” and the other “American Sanctions 1 & 2.”

At the same time, multiple banks have reported that they are seeing evidence that this influx of stolen card information is coming from Home Depot stores across the United States.  Home Depot is currently working with banks and law enforcement agencies to investigate the rumors.

While it was originally unclear just how many stores were impacted, data from online card dumps indicate that the breach spans all 2,200 Home Depot locations in the United States.  The card dump that released the stolen data, rescator[dot]cc, is the same stolen card site that released the credit and debit card info from the Target, Sally Beauty, PF Chang’s and Harbor Freight breaches.

Rescator[dot]cc provides the zip codes that these stolen cards originate from in order to aid card thieves in their purchases.  A card from a zip code in California will be frozen if charges begin to roll in from another continent, or sometimes even from across the country.  Providing the original zip codes allows crooks to purchase batches of cards from their own area in order to avoid triggering alerts from financial institutions.

rescator[dot]cc cards

Brian Krebs (Krebs on Security) ran the zip codes from the stolen card batch “American Sanctions 1 & 2” against Home Depot store locations across the US and found a startling 99.4% overlap.  This is near-conclusive evidence that Home Depot has experienced a major data breach resulting in the theft of millions of customers’ payment information.  Home Depot has still not confirmed anything.
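The zip-code overlap check described above, as an added example that is not part of the original post: it computes the share of dump cards whose zip matches a store zip (the kind of figure Krebs reported), the share of store zips that appear in the dump (how much of the footprint the batch spans), and the unmatched zips left over. The dump and store zip lists are constructed sample data, not values from the breach.

```python
"""Attribute a card dump to a retailer by zip-code overlap (constructed data)."""
from collections import Counter

# Constructed sample: zip code attached to each card in a dump batch.
DUMP_ZIPS = ["92101", "92101", "92037", "30301", "30339", "10001", "60601", "73301"]

# Constructed sample: zip codes of the retailer's store locations.
STORE_ZIPS = {"92101", "92037", "30301", "30339", "60601", "94105", "98101"}


def zip_overlap(dump_zips, store_zips):
    """Return (attribution_ratio, coverage_ratio, unmatched).

    attribution_ratio: fraction of dump cards whose zip matches a store zip.
    coverage_ratio:    fraction of store zips that show up in the dump.
    unmatched:         dump zips with no matching store, with card counts;
                       a large cluster here points at a second source.
    """
    # Normalise to five-digit zips; dumps often carry ZIP+4 or stray spaces.
    counts = Counter(z.strip()[:5] for z in dump_zips)
    total = sum(counts.values())
    matched = sum(n for z, n in counts.items() if z in store_zips)
    covered = {z for z in counts if z in store_zips}
    unmatched = {z: n for z, n in counts.items() if z not in store_zips}
    attribution = matched / total if total else 0.0
    coverage = len(covered) / len(store_zips) if store_zips else 0.0
    return attribution, coverage, unmatched


if __name__ == "__main__":
    attribution, coverage, unmatched = zip_overlap(DUMP_ZIPS, STORE_ZIPS)
    print(f"cards matching a store zip: {attribution:.1%}")
    print(f"store zips seen in dump:    {coverage:.1%}")
    print(f"unmatched zips:             {unmatched}")
```

A high attribution ratio with low coverage suggests a regional compromise; both high, as in the Home Depot batch, suggests the whole chain.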

Preliminary information suggests that the breach may extend back to May or even April of 2014.  If this time period proves to be true and even if only a slight majority of Home Depot stores were compromised, this breach will be many times larger than Target.  In Target’s data breach, which occurred in December 2013, 40 million credit and debit cards were stolen over a three-week period.  If the numbers correspond remotely to this latest breach at Home Depot, the number of stolen credit and debit cards could be well into the hundreds-of-millions.

In an emailed statement, Paula Drake, a Home Depot spokeswoman, wrote she could only “confirm that we’re looking into some unusual activity and we are working with our banking partners and law enforcement to investigate.”

Home Depot is the latest in a slew of data thefts disclosed in the last few weeks alone.  Other retailers who have been in the same position in the last two months include Supervalu Inc., the UPS Store Inc., and Dairy Queen.

The names of the two stolen card batches hint at the motive behind the data breach: retaliation and retribution against the US and European sanctions recently put on Russia. These sanctions were agreed on by NATO and the EU on account of Russia’s recent aggressive actions in Ukraine. Cybercrime is quickly becoming a way to economically injure rival countries at a time when outright war would end in mutual annihilation.

In several of these malware-based attacks, the company’s outdated Point of Sale terminals have been to blame. Almost all of the POS systems used today run on Windows XP, which is now out of support and extremely vulnerable to outside attacks. This was the case in the Target card breach as well.

Unfortunately, completely redoing an entire Point of Sale system costs these organizations huge amounts of money, along with the time required to re-train employees on new operating systems. It is ultimately a lose-lose situation. Companies are forced to upgrade now and spend time and money on new POS systems, or suffer a malware-based data breach resulting in lost revenue and reputation (Home Depot Stocks Drop With Breach Notification). And then the company would have to replace their POS systems anyway!

EdgeWave specializes in enterprise security, providing email and web filtering for clients based on Real-World Cyber Defense Experience and Leading Edge Technology. EdgeWave’s iPrism Integrated Web Security Suite gives enterprises protection against zero-day vulnerabilities and military-grade defense against attacks from all types of adversaries. EdgeWave’s ePrism Email Security Suite’s combination of Leading Edge Technology and human analysts prevents spam and malware from making it into your inbox, thus neutralizing threats before they can do damage. Read EdgeWave’s data sheet or visit our website today.