News Feature | September 16, 2014

New Information Suggests Home Depot Malware, Hackers May Not Be Same as Target's

Source: Innovative Retail Technologies

By Christine Kern, contributing writer

Anti-American Messages, References to Imperialism Found in Home Depot Malware

New information suggests that the program used to steal credit card data in the recent cyber-attack on The Home Depot Inc. is not the same program used in the 2013 cyber-attack on Target.

The credit card-stealing program used in the attack on the Atlanta-based retailer is being dubbed FrameworkPOS, and differs significantly from the software used last year to hack Target Corp., said Dan Guido, chief executive officer of Trail of Bits, an information security company. Guido reviewed technical information about the Home Depot incident and concluded that the differences in the malware are strong indicators that the hacks are probably the work of two different groups.

The malware’s name, FrameworkPOS, is derived from the McAfee Inc. antivirus agent it impersonates. The malware’s disguise was meant to keep Home Depot’s security team from taking a deeper look even if the retailer wasn’t deploying McAfee products on its registers or elsewhere in its network.

In addition, in an apparent message from hackers, the code in the malware used against Home Depot includes references to American imperialism and involvement in Middle Eastern conflicts, as well as links to anti-American blog postings and Wikipedia entries. These references do not serve any purpose in helping the malware obtain .

Some experts had previously suggested the same hackers stole data from both Home Depot and Target, as credit card numbers from customers of both retailers turned up on the same major global stolen credit card site, but the new information indicates this is not the case.

Paula Drake, a Home Depot spokeswoman, said the company is continuing to investigate. “So at this point, we aren’t going to comment on any speculation,” she said in an e-mail.

McAfee spokesman Chris Palm said the company’s products are “able to detect and deflect this malware, so there is no risk to our companies.” The designers “simply named their malware to resemble a piece of McAfee software, hoping investigators would see it and simply move on,” a common tactic, he said.

Senators Jay Rockefeller (D-W.V.), chairman of the Senate Commerce Committee, and Claire McCaskill (D-MO) sent Home Depot a letter requesting a briefing on Sept. 11.

“We ask that Home Depot’s information-security officials provide a briefing to committee staff regarding your company’s investigation and latest findings on the circumstances that may have permitted unauthorized access to sensitive customer information,” the senators wrote in the letter to Francis Blake, Home Depot chairman and chief executive officer.