Home Depot Breach Linked to Target's?

Experts Say BlackPOS Malware Is Likely Common Thread


Now that Home Depot has confirmed its payment data systems were breached, industry experts weigh the possibility that the same point-of-sale malware may have hit the home-improvement giant as well as Target Corp., Sally Beauty, P.F. Chang's and other recently breached retailers.

On Sept. 8, Home Depot acknowledged that its payments data system had been attacked by malware that may have compromised debit and credit data used for purchases made at stores in the U.S. and Canada. PINs associated with debit transactions, the retailer says, were not exposed.

This week, security blogger Brian Krebs, who broke news of the alleged Home Depot breach on Sept. 2, reported that investigators determined that a portion of Home Depot's terminals had been infected by a newly discovered variant of BlackPOS, the same malware thought to have compromised Target.

Although they stop short of confirming that the Home Depot, Target and other breaches are definitively tied to BlackPOS, other industry sources acknowledge that the malware continues to evolve. And they say BlackPOS has likely compromised numerous U.S. retailers, many of which have not yet confirmed or even discovered a card data compromise.

On Aug. 29, security firm Trend Micro blogged about a new BlackPOS variant it had uncovered in the wild, labeling it TSPY_MEMLOG.A. "Based on our analysis, this POS malware uses a new custom search routine to check the RAM [random-access memory] for [card] track data," writes Trend Micro researcher Rhena Inocencio. "These custom search routines have replaced the regex search in newer PoS malware."

Trend Micro executives declined to speculate about whether this new variant or some other variant of BlackPOS is the one that targeted Home Depot.

But Avivah Litan, a financial fraud expert who's an analyst at the consultancy Gartner, says that most retail malware attacks, including those involving BlackPOS as well as the Backoff malware that targets remote-access software, are connected in some way.

"All the retail breaches using a variant of the BlackPOS malware are linked technically," Litan explains. "It's not clear how many gangs are behind these multiple attacks, but the fraudsters are definitely sharing technical tools and software code - either directly or indirectly."

Litan also says she believes Backoff, which the Department of Homeland Security on Aug. 22 estimated had compromised more than 1,000 U.S. businesses, also is a variant of BlackPOS.

She contends that it's safe to assume that most leading U.S. retailers have been or will be targeted by some variant of this evolving malware strain.

"This is obviously an epidemic, and the only victim companies being reported in the press are the ones that are disclosed by various researchers and reporters," Litan adds. "At this point, I think it's safe to assume almost every top retailer has either been attacked or is on a list to be attacked. The only ones surviving and fending the attacks off are the ones that have implemented point-to-point encryption and tokenization - the malware doesn't work in those environments."
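The RAM-scraping technique Trend Micro describes above and Litan's point that the malware "doesn't work" under point-to-point encryption, as an added Python example that is not part of this article or of any vendor's tooling: a sentinel-driven Track 2 scanner of the kind an incident responder runs over a memory dump to confirm whether clear card data was ever exposed, run against a constructed POS process image with and without reader-side encryption. The sample PAN, the decoy, `DEVICE_KEY` and the SHA-256 keystream standing in for the reader's cipher are all constructed assumptions.

```python
import hashlib

# Constructed sample data (not a real capture): Luhn-valid test PAN in Track 2
# layout, a Luhn-invalid decoy, and a hypothetical per-reader key.
TRACK2 = b";4111111111111111=25121011234567890?"
DECOY = b";1234567890123=2512101?"
DEVICE_KEY = b"hypothetical-reader-key"

def luhn_ok(pan: str) -> bool:
    """Luhn check digit test: rejects digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_track2(buf: bytes) -> list[str]:
    """Byte walk (no regex) for ';' PAN '=' YYMM+service code+discretionary '?'."""
    hits, n, i = [], len(buf), buf.find(b";")  # ';' is the Track 2 start sentinel
    while i != -1:
        j = i + 1
        while j < n and 0x30 <= buf[j] <= 0x39:  # PAN digits
            j += 1
        pan = buf[i + 1:j].decode()
        k = j + 1
        while k < n and 0x30 <= buf[k] <= 0x39:  # expiry, service code, rest
            k += 1
        tail = buf[j + 1:k].decode()
        valid = (13 <= len(pan) <= 19 and j < n and buf[j] == 0x3D  # '=' separator
                 and k < n and buf[k] == 0x3F and len(tail) >= 7  # '?' end sentinel
                 and 1 <= int(tail[2:4]) <= 12 and luhn_ok(pan))
        if valid:
            hits.append(buf[i:k + 1].decode())
        i = buf.find(b";", k + 1 if valid else i + 1)
    return hits

def reader_encrypt(track: bytes, key: bytes) -> bytes:
    """Stand-in for encryption inside the reader (real P2PE uses DUKPT-derived
    3DES/AES keys): XOR with a SHA-256 keystream so the POS app never holds clear."""
    stream = b"".join(hashlib.sha256(key + c.to_bytes(4, "big")).digest()
                      for c in range(len(track) // 32 + 1))
    return bytes(t ^ s for t, s in zip(track, stream))

def scan_pos_memory(p2pe: bool) -> list[str]:
    """Toy POS process image for one sale: clear track in RAM, or reader-encrypted."""
    swipe = reader_encrypt(TRACK2, DEVICE_KEY) if p2pe else TRACK2
    return find_track2(b"\x00" * 8 + b"SALE 00012 " + swipe + b"\x00" + DECOY)
```

With `p2pe=False` the scan returns the clear record; with `p2pe=True` the same sale leaves nothing for a memory scraper to find, which is the environment Litan describes.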

Ironically, Target's new CIO, Bob DeRodes, formerly worked in a senior technology position at Home Depot.

Mitigating Risks