More Breaches, More Trouble at the Home Depot and eBay
SecurityScorecard
More Breaches, More Trouble at the Home Depot and eBay
ThreatScape Analysis of Recent Retail Breaches at Home Depot

Overview

During the second half of CY 2014, several large retail corporations in the United States experienced data breaches. This SecurityScorecard ThreatScape Analysis examines available intelligence surrounding two major retailers that announced breaches within several months of each other: Home Depot and eBay.

Home Depot is a big-box home improvement chain that conducts the majority of its business in brick-and-mortar stores nationwide. In September 2014, Home Depot announced a breach of its credit card data. The stolen data consisted of magnetic stripe data that allows for the cloning of credit cards for fraudulent use. According to media reports, it is estimated that more than 60 million customers were impacted and that fraud losses have the potential to total in excess of $2 billion.

Earlier in the year, eBay announced a breach of proprietary user data. eBay is a multifaceted ecommerce website. The exfiltrated data included usernames, email addresses, encrypted passwords and other pieces of personal identity information. The theft was reported to have occurred over a period of months. The data could be used for auction fraud and any other type of fraud connected to a user's online identity. eBay did not specifically reveal how many accounts were exposed; a spokeswoman said the breach affected "a large number of accounts."

The way the two retailers conduct business is as different as the data that was exfiltrated. However, both data sets have their own resale value in the underground. More importantly, both breaches were seemingly predictable through the analysis and visualization of certain aspects of intelligence feeds that indicated trouble before the public announcement.

Home Depot

SecurityScorecard found Home Depot's security health to be poor (Fig. 1).
Fig. 1 SecurityScorecard for Home Depot, September 2014

Between May 2014 and September 2014 there was a noticeable increase in malware on Home Depot's network (Fig. 2). The breach announcement was made in September 2014. Leveraging public intelligence, SecurityScorecard showed that a spike occurred in early May and continued for months. This information could have been an early warning indicator that something was very wrong within Home Depot's corporate network infrastructure.

SecurityScorecard Always Know.
Fig. 2 Detected public malware presence on Home Depot network, March – September 2014

As is commonly seen after such intrusions, the Home Depot stock price (NYSE: HD) dropped around the announcement of the breach (Fig. 3). While the stock of most publicly held companies experiences a rebound in the months following the announcement of a breach, retailers must contend with reputational damage that is often not so easily repaired, producing negative consequences for business performance over time.

Fig. 3 Home Depot stock price (3-month ticker) shows the share price drop following the breach announcement

eBay

Like Home Depot, eBay was found by SecurityScorecard to have poor enterprise network health. eBay received a low grade in endpoint security as well as a mediocre score in network defense. These conditions could have allowed for a successful breach and exfiltration.

Fig. 4 SecurityScorecard for eBay.com, September 2014
A noticeable increase in malware infections occurred on eBay's network between May 2014 and September 2014 (Fig. 5), almost identical to the Home Depot infection timeline. Unlike Home Depot, eBay announced the breach early in May.

Fig. 5 Detected public malware presence on eBay network, March – September 2014

The infection intelligence could have been an early warning indicator that something was awry within the corporate network infrastructure, possibly prompting the breach announcement. eBay experienced the predictable drop in stock price (Fig. 6) when it announced the breach after discovery, but its shares have since recovered from the decline.

Fig. 6 Stock movement for eBay surrounding the breach announcement (3-month)
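The early warning signal described for both retailers, a sudden and then sustained rise in externally observed infections, can be turned into an alert with a rolling baseline that refuses to absorb the anomaly. The Python below is an added example, not SecurityScorecard code or data: the daily counts are constructed to mimic the shape of Figs. 2 and 5 (quiet March and April, elevated from early May), and the window, threshold multiplier and run length are assumptions to be tuned against real feed data.

```python
"""Rolling-baseline detector for a sustained rise in daily infection
counts. Added example; the series below is constructed, not real data."""
from datetime import date, timedelta
from statistics import mean, pstdev

START = date(2014, 3, 1)  # first day of the constructed series


def constructed_series():
    """Constructed daily count of infected hosts observed for a hypothetical
    network, 1 Mar - 30 Sep 2014 (214 days). Quiet until 3 May, then a
    sustained elevation, mimicking the shape of the report's Figs. 2 and 5.
    Deterministic so the result is reproducible; not real measurements."""
    quiet = [4, 5, 6, 5, 4, 5, 7, 4, 5, 6]
    elevated = [27, 31, 35, 29, 33, 30, 36, 28, 32, 34]
    days = (date(2014, 9, 30) - START).days + 1   # 214
    onset = (date(2014, 5, 3) - START).days        # 63
    return [quiet[i % 10] if i < onset else elevated[i % 10]
            for i in range(days)]


def flag_elevated_days(series, window=14, k=3.0, sigma_floor=1.0):
    """One boolean per day: True where the count exceeds mean + k*sigma of
    the last `window` days that were themselves NOT flagged. Flagged days
    are kept out of the baseline so a months-long elevation does not
    quietly become the new normal (a plain rolling mean would stop alerting
    about two weeks after the onset). `sigma_floor` stops a perfectly flat
    history from producing a zero-width threshold. Parameters are assumed."""
    flags = [False] * len(series)
    clean = []                       # history used for the baseline
    for i, count in enumerate(series):
        if len(clean) < window:      # warm-up: accept the first `window` days
            clean.append(count)
            continue
        history = clean[-window:]
        threshold = mean(history) + k * max(pstdev(history), sigma_floor)
        if count > threshold:
            flags[i] = True
        else:
            clean.append(count)
    return flags


def first_sustained_alert(flags, run=7):
    """Index of the first day that starts `run` consecutive flagged days,
    or None. A one-day blip is noise; a week of elevation is the signal."""
    streak = 0
    for i, flagged in enumerate(flags):
        streak = streak + 1 if flagged else 0
        if streak == run:
            return i - run + 1
    return None


def early_warning_date(series, window=14, k=3.0, run=7):
    """Calendar date on which a sustained elevation begins, or None."""
    idx = first_sustained_alert(flag_elevated_days(series, window, k), run)
    return None if idx is None else START + timedelta(days=idx)


if __name__ == "__main__":
    series = constructed_series()
    flags = flag_elevated_days(series)
    print(f"sustained elevation begins {early_warning_date(series)}; "
          f"{sum(flags)} of {len(series)} days flagged")
```

On the constructed input the alert fires for 3 May, months before a September announcement; on a series with a single one-day spike it fires not at all, which is the behaviour wanted from an indicator meant to be acted on rather than tuned out. The same function applies unchanged to any per-day count a defender can collect, such as outbound bytes per host, which is the exfiltration visibility the next section says was lacking.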
Reasons for Malware Infection

Poor endpoint security and mediocre defenses allowed for persistent malware infection of both retailers' networks. Outdated browsers were detected in use in both enterprise environments, which likely made the observed malware infections possible. Analysis of detected malware trends indicated that the majority of infections emanating from both corporations were adware, which often arrives through "Loader"-style malware. Loaders are able to download and execute virtually any type of executable file stealthily. They are also used in spam campaigns and in targeted data-theft campaigns. That the malware was able to operate and extract data successfully may be the result of network security controls that were not configured to detect the exfiltration until it was too late. For companies facing, or at risk of, this kind of crisis, this type of malicious activity is detected with an IDS/IPS, log analysis, alerting systems and up-to-date antivirus on both client machines and servers. Externally observed adware is a symptom rather than the breach itself: it shows that endpoints are exploitable and unmanaged, and the same loader that brought in the adware can bring in data-theft tooling.

The Need to Heed Hacker Chatter

eBay account credentials have long been sought by individuals who want to perpetrate auction fraud. They seek either to make purchases using compromised accounts or to create fake listings from an aged account to dupe unsuspecting users into parting with their money. SecurityScorecard chatter sensors are able to detect discussion about the use of compromised eBay credentials (Fig. 7).

Fig. 7 Individual seeking to purchase hacked eBay/PayPal credentials

Just as ecommerce logins are of value, so too are stolen credit cards. The cards come primarily in two forms, "dumps" and "CVVs." "Dumps" consist of magnetic stripe data that can be encoded onto blank cards for in-store fraud. "CVVs" consist of the card number and associated numeric data along with the billing address needed to make online purchases with the card. The realm in which hacker chatter occurs is a virtual bazaar for the sale and resale of stolen credit card data. SecurityScorecard sensors identify discussion about the sale and resale of stolen credit card data (Fig. 8).

Fig. 8 Cards for sale identified
Conclusion

The availability, analysis and visualization of public intelligence related to malware infection, network security posture, underground chatter and other key risk vectors allows the danger posed to the Internet presence of enterprise organizations to be collected and profiled. Both Home Depot and eBay experienced increases in malware infections. A rise in detected infections prior to a breach announcement can serve as an early indicator of future breaches in targeted industry verticals. Chatter can then be analyzed to see what types of stolen data are being monetized by the underground, so businesses can better understand which assets are being targeted after a successful breach. This insight can allow an enterprise to be better prepared to curtail a breach or, short of that, to contain the damage.

Glossary

Adware: Malicious software that displays unwanted advertisements, often delivered by "Loader" features to monetize botnets.
Botnet: Network of infected computers under the control of an administrator.
Chatter: Public discussion about topics of interest.
CVV: Credit card number along with the 3-digit code and billing address. Used for online purchases.
Dumps: Magnetic stripe data contained on a credit card. Used for in-store fraud.
Loader: Malware feature that allows the remote download and execution of additional malicious software.

About SecurityScorecard

SecurityScorecard, Inc. helps organizations in today's increasingly interconnected world better manage all the key risks that their information systems, and those of their partners, face every second of every day. SecurityScorecard is the only fully automated security grading service that looks at all the key potential risks. It gives deeper insight into malware activity, social engineering, website vulnerabilities, network exploits, leaked corporate credentials, breach history reports and more. SecurityScorecard, Inc. is privately held with headquarters in New York, NY. Founded in 2013, SecurityScorecard investors include Evolution Equity and Atlas Ventures, among others. For further information, please visit www.securityscorecard.com.