Researcher disputes report BlackPOS used in Home Depot, Target attacks

A security researcher has found that the malware samples used in the Home Depot and Target breaches are unrelated and cannot be used as an indicator that the same group is behind both attacks.

An analysis of the malware code revealed no similarities in architecture or technique that would show the software is even from the same family, Josh Grunzweig, principal security consultant for enterprise search company Nuix, said Friday.

"With coding, there's a lot of different ways to essentially reach the same goal," Grunzweig said. "When you look at the two samples, pretty much every single decision was in the exact opposite when it came to approach."

Grunzweig's analysis contradicts a KrebsOnSecurity report this week that variants of the BlackPOS malware were used in both attacks. Brian Krebs, a former Washington Post reporter, writes the blog.

Late last month, security vendor Trend Micro reported that BlackPOS variants were being used to attack retailers, such as Target, but did not say the same malware was used against Home Depot.

BlackPOS was designed by a Russian teenager to steal credit- and debit-card data from retailers' electronic payment systems. The malware source code has been available since 2012.

Hackers typically stay within the same family of malware in launching attacks. However, it is also possible for the same group to use different malware.

Therefore, malware similarities, or dissimilarities, are not conclusive evidence that attackers are from the same group or multiple groups.

Krebs also reported that payment card data stolen from Home Depot was for sale on the same underground marketplace where Target data was sold.

Grunzweig's analysis focused only on the malware and did not draw any conclusions on whether the attackers behind the breaches were the same. But like other researchers, his instincts told him the attacks were somehow related.

"I think the groups probably are the same, but I'm just talking about the malware," he said. "I can only speculate on the groups behind them."

In breaking down the malware, Grunzweig drew the conclusion that "these were not coded by the same people."

While BlackPOS was used in the Target attack, the malware in the Home Depot breach contained different techniques for copying stolen data to another location on the victims' network before sending it to the hackers.

In addition, the malware used different techniques for identifying card data after payment cards were swiped. The executable used to run the malware was also different.

"Under the hood, everything was different," Grunzweig said. "These were not part of the same malware family."

The Target breach, which occurred during last year's holiday shopping season, exposed more than 40 million debit- and credit-card accounts. Home Depot reported this week that the attack on its payments systems affected all stores in the U.S. and Canada, which service millions of customers a year.

Home Depot did not say how many payment card accounts were affected.

Stories by Antone Gonsalves