Mounting evidence points towards Home Depot breach

Still officially unconfirmed, a Home Depot hack looks increasingly likely to have happened.

As Nicole Perlroth noted, the source of stolen card information can be discovered in two ways:

• Law enforcement officials with the help of banks can look through affected users’ account transactions history for a common point of purchase. This is what some banks are currently doing after buying back card numbers from the crooks that sell them.
• Fraud investigators usually don’t have access to transaction data, but can use data provided by the crooks themselves (city, state and ZIP code of the store from which the card was stolen) to check whether the retailer suspected of having been breached has stores in the same ZIP code.

Carders usually provide that type of data – and request additional payment for it – because fraudsters who will use the counterfeited cards will want to make purchases in the same area so as not to set off banks’ fraud detection systems.

Armed with this information, Brian Krebs compiled a list of unique ZIP codes tied with the payment card data from the batches currently offered for sale on rescator(dot)com, and compared it with a list of unique Home Depot ZIP codes.

The result? A 99.4 percent overlap.

“Between those two lists of ZIP codes, there are 10 ZIP codes in Rescator’s card data that do not correspond to actual Home Depot stores,” he shared. But, he pointed out, the data currently for sale is likely just a “tiny fraction of the cards that his shop will put up for sale in the coming days and weeks,” meaning that the lists could ultimately have a 100 percent overlap.

If Home Depot was actually breached and the information from bank sources about the breach having started in April or early May is correct, he says that this breach could turn out to be much bigger that Target’s, which was discovered after three weeks and affected a smaller number of stores.

There is still no news about the matter from Home Depot, whose spokeswoman only confirmed that the company’s forensics and security teams are investigating the potential breach, and that they have brought in Symantec and FishNet Security experts to help with the investigation.

If Home Depot ultimately turns out to have been breached, it will be interesting to find out how the attackers managed to do it.

A recent interview with Chris Hadnagy, CEO of Social-Engineer, Inc., who runs the Social Engineering Capture the Flag (SECTF) at DEF CON, revealed that this year the team which was assigned the task of extracting potentially sensitive information from Home Depot employees was the most successful and ended up winning the contest.

“The theme of this year’s competition was retail, based on the Target breach revealed this year,” Hadnagy shared with Dark Reading. They wanted to see whether this breach urged retailers to be more careful and on high alert. “Unfortunately, there was not one company who did well. Not one, if they were my clients, would have gotten a passing grade.”

During this mock attack, a couple of Home Depot employees did question why the company’s “IT department” was not calling from a corporate number, but were ultimately mollified by the social engineers’ explanations and provided the requested information. Only one employee deemed the call suspicious and ended it without giving out any information.