Different hackers, Home Depot says
By Dune Lawrence and Michael Riley, Bloomberg News
Sep. 14, 2014 1:01 am
WASHINGTON - Home Depot Inc. was hacked with a malicious software program that plunders store registers while disguising itself as anti-virus software, according to two security researchers.
The credit-card-stealing program used in the attack on the Atlanta-based retailer is being dubbed FrameworkPOS, and differs significantly from the software used last year to hack Target Corp., said Dan Guido, CEO of Trail of Bits, an information security company.
Guido, who reviewed technical information about the Home Depot incident, said the differences in the malware are strong indicators that the hacks are probably the work of two different groups.
A second cyber security researcher familiar with the investigation confirmed that the malware used is a different family and said its name, FrameworkPOS, is derived from the McAfee anti-virus agent it impersonates. He asked not to be identified because the investigation still is underway.
The malware's disguise was meant to keep Home Depot's security team from taking a deeper look even if the retailer wasn't deploying McAfee products on its registers or elsewhere in its network.
Paula Drake, a Home Depot spokeswoman, said the company is continuing to investigate.
"So at this point, we aren't going to comment on any speculation," she said in an email.
McAfee representatives did not respond immediately to requests for comment.
The malware code is sprinkled with anti-American references, including a link to a Wikipedia entry on wars involving the United States and a website promoting a book on American imperialism.
The references have no relation to the way the software functions and appear to be meant as a message from the hackers, the second researcher said.
Numbers captured at register
Home Depot confirmed a breach of credit card information at its stores on Sept. 8, after the security blogger Brian Krebs reported signs of a hack on Sept. 2. The retailer has not released details of how many cards may have been compromised.
The hack follows a similar incident at Minneapolis-based Target last December, which exposed some 40 million cards.
POS stands for point of sale, and in both cases the malware was designed to capture credit card numbers after customers swiped them at registers.
Major differences between the two pieces of code from the Home Depot and Target cases include how and where the malware installs itself, how it interacts with the operating system, and how the software hides - or scrambles - credit card numbers as they sit on the company's network before they're exfiltrated, or sent outside the system. Also, the memory-scraping malware used against Target didn't mimic anti-virus software.
A screenshot of lines of code from the FrameworkPOS malware provided by the second security researcher shows some of the hidden messages, including a link to a blog post comparing U.S. military intervention in Libya with its support of the government in Ukraine against a rebellion in the Russian-speaking east of the country.
Stolen Home Depot credit card numbers have turned up for sale on a major online emporium called Rescator.cc, which has been linked to a Ukrainian stolen credit-card dealer based in Odessa. Rescator also sold stolen cards from the Target hack, and some researchers have cited that as evidence that the two retailers were breached by the same group of hackers.
Guido said the differences in the malware are pronounced enough to undermine that theory.
"The development of a new piece of malware is not something you take lightly - this required some engineering," he said. "It's probably not the same group as hit Target."
Lawmakers have begun probing how Home Depot was breached. Sens. Jay Rockefeller, a West Virginia Democrat and chairman of the Senate Commerce Committee, and Claire McCaskill, a Missouri Democrat, sent the company a letter Wednesday requesting a briefing.
"We ask that Home Depot's information-security officials provide a briefing to committee staff regarding your company's investigation and latest findings on the circumstances that may have permitted unauthorized access to sensitive customer information," the senators wrote in the letter to Francis Blake, Home Depot chairman and chief executive officer.
The senators sent a similar letter to Apple's Chief Executive Officer Tim Cook. Hackers stole photos of nude celebrities from Apple's iCloud service, although the company said its security wasn't breached.
Photo caption (Reuters): A close-up of an electronic payment station is shown at a Home Depot store.