New information released this weekend about the Home Depot database hacking confirms what was only suspected before: the malware used to steal customer information from the Home Depot database was the same as the malware from last year's similar breach at Target.
However, it appears that, in terms of both the number of customers exposed and the length of time they were exposed, the Home Depot breach is far worse than Target's.
Security expert Brian Krebs, who first broke word of the Target and Home Depot breaches even before the companies themselves publicly admitted to them, reported on Sept. 7 that “at least some of Home Depot’s store registers had been infected with a new variant of ‘BlackPOS’ (a.k.a. ‘Kaptoxa’), a malware strain designed to siphon data from cards when they are swiped at infected point-of-sale systems running Microsoft Windows.”
Information discovered within that malware showed the similarities with the earlier Target malware. In both cases, the stolen data was sold in an “underground crime store” called Rescator.
Russians or Ukrainians
It definitely appears that the malware writers are either Russians, or Ukrainians with pro-Russian sympathies (particularly in regard to Russia's current war with Ukraine), and are specifically targeting American companies and consumers, supposedly in retaliation for American foreign policy:
The new BlackPOS variant includes several interesting text strings. Among those are five links to Web sites featuring content about America’s role in foreign conflicts, particularly in Libya and Ukraine.
Three of the links point to news, editorial articles and cartoons that accuse the United States of fomenting war and unrest in the name of Democracy in Ukraine, Syria, Egypt and Libya. One of the images shows four Molotov cocktails with the flags of those four nations on the bottles, next to a box of matches festooned with the American flag and match ready to strike. Another link leads to an image of the current armed conflict in Ukraine between Ukrainian forces and pro-Russian separatists.
Krebs went on to explain that his own research suggests that Rescator, the underground crime store selling these stolen credit card numbers to identity thieves, is run by a programmer in Odessa, Ukraine, who admired the late Libyan dictator (and noted U.S. non-ally) Muammar Gadhafi, and also blames the U.S. for the collapse of the U.S.S.R. and the rise of “Western globalism.”
Of course, despite such anti-American, pro-Russian nationalist rants, it's still very probable that the thieves' primary motivation was financial gain, and that the anti-American commentary, though sincere, is primarily a marketing ploy: even among identity thieves, “I'm using this stolen data to fight U.S. hegemony!” probably sounds better than “I'm using this to steal money for myself!”