2/13/2014
12:32 PM

Target Breach: Phishing Attack Implicated

Report suggests malware-laced email attack on Target's HVAC subcontractor leaked access credentials for retailer's network.


Did the breach of Target begin with a phishing attack? Investigators suspect attackers initially gained access to Target's network using credentials obtained from heating, ventilation, and air-conditioning (HVAC) subcontractor Fazio Mechanical Services via a phishing attack, security reporter Brian Krebs reported Wednesday, citing unnamed sources with knowledge of the government's investigation into the Target breach.

Fazio Mechanical Services, which is based in Sharpsburg, Penn., reportedly fell victim to the related phishing attack at least two months prior to the time the attackers siphoned 40 million credit and debit cards from Target's point-of-sale (POS) systems, said Krebs.

The theft of payment card data from Target began on Nov. 27. Target confirmed the breach on Dec. 15, but it took until Dec. 18 before the retailer fully scrubbed the attackers' POS malware from its payment systems and arrested the payment card data exfiltration.


Last week, Fazio Mechanical Services president and owner Ross E. Fazio issued a statement confirming that his company has been assisting the Secret Service with its investigation into the Target breach. He emphasized that his company is not a target of that investigation.

After the news broke last week that Fazio Mechanical Services was tied to the Target breach, many security experts questioned whether the retailer's attackers had hacked into an Internet-accessible -- and vulnerable -- HVAC system. But according to Fazio, his company does not perform remote monitoring or control of heating, cooling, or refrigeration systems for Target.

Rather, his company's access to Target's network was limited to business-related administrative purposes. "Our data connection with Target was exclusively for electronic billing, contract submission, and project management, and Target is the only customer for whom we manage these processes on a remote basis," he said. "No other [Fazio] customers have been affected by the breach."

Multiple sources told Krebs that the phishing email that compromised Fazio's systems included a Citadel Trojan, which is botnet-controlled financial malware based on the Zeus source code. A study of banking Trojans released this week by Dell SecureWorks described Citadel's use by criminals as "ubiquitous" and said that the attackers behind the Citadel Trojan have "made concerted efforts to spread Citadel using spam campaigns and drive-by download attacks using different exploit kits." Dell SecureWorks said that it was tracking more than 900 Citadel command-and-control servers in 2013.

Citadel malware includes the ability to relay video recordings of all Internet sessions to its controllers, and to log keystrokes automatically, as well as FTP and POP3 email credentials. According to the Dell SecureWorks report, the malware also packs a variety of security software evasion techniques, including "aggressive DNS filtering" to prevent infected hosts from connecting to security sites or receiving antivirus software and signature updates.

What culpability might the HVAC contractor have in the Target breach if its systems were used as a stepping stone by attackers? Fazio's statement suggested that the company's security infrastructure is robust, noting that "our IT system and security measures are in full compliance with industry practices." But he declined to elaborate on what those industry practices might be.

If his company was felled by a phishing attack -- packing Citadel malware or not -- it wouldn't be the first organization to be so compromised. EMC-owned security giant RSA, multiple US defense contractors, and the White House have also fallen victim to such attacks.

What are the odds that the HVAC subcontractor was compromised by a targeted attack? In fact, most phishing attacks tend to be highly automated. They focus on target quantity over quality. In other words, it's quite likely that Fazio was exploited by chance, with the gang behind the attacks only discovering the company's connection to Target after it had a chance to review data that had been automatically harvested by its malware. At that point, the attackers could have conducted more detailed reconnaissance of the retailer's network.

Krebs said it wouldn't have been difficult for attackers to case the external-facing network to which Fazio had access. "Target may have inadvertently made it easier for the attackers in this case, in part by leaving massive amounts of internal documentation for vendors on its various public-facing web properties that do not require a login," he said. "Indeed, many of these documents would be a potential gold mine of information for an attacker."

Target's public-facing Supplier Portal includes detailed information about how company subcontractors should communicate with the company and submit invoices. As Krebs reported, a number of Excel documents shared via that portal include metadata that attackers could use to identify the Windows usernames of Target employees, as well as the names of internal Windows domains.
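A pre-publication check for the metadata leak described above, as an added example that is not from the article or from Krebs's reporting: it reads the core-properties part of an Office Open XML file (.xlsx, .docx, .pptx), reports author fields and any `DOMAIN\user` domain names, and writes a scrubbed copy. The choice of fields, the function names, and the EXAMPLECORP sample file are assumptions constructed for illustration.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

CORE = "docProps/core.xml"  # OOXML core-properties part (.xlsx/.docx/.pptx)
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/"}
# Assumption: account names sit in these two fields; the article names no fields.
FIELDS = {"creator": "dc:creator", "lastModifiedBy": "cp:lastModifiedBy"}
DOMAIN_USER = re.compile(r"^([^\\]+)\\[^\\]+$")  # DOMAIN\user form

def audit_ooxml(data: bytes) -> dict:
    """Return identity fields found in the file, plus any Windows domain names."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if CORE not in zf.namelist():
            return found  # no core properties part: nothing to report
        root = ET.fromstring(zf.read(CORE))
    for name, path in FIELDS.items():
        node = root.find(path, NS)
        if node is not None and (node.text or "").strip():
            found[name] = node.text.strip()
    domains = sorted({m.group(1) for v in found.values() if (m := DOMAIN_USER.match(v))})
    if domains:
        found["domains"] = domains
    return found

def scrub_ooxml(data: bytes) -> bytes:
    """Return a copy of the file with the identity fields blanked."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            payload = src.read(name)
            if name == CORE:
                root = ET.fromstring(payload)
                for path in FIELDS.values():
                    for node in root.findall(path, NS):
                        node.text = ""
                payload = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(name, payload)
    return out.getvalue()

def make_sample() -> bytes:  # constructed input; names are invented
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
            '<dc:creator>EXAMPLECORP\\jdoe</dc:creator>'
            '<cp:lastModifiedBy>asmith</cp:lastModifiedBy>'
            '</cp:coreProperties>') % (NS["cp"], NS["dc"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CORE, core)
    return buf.getvalue()
```

Running `audit_ooxml` over every file staged for a public portal, and publishing only the `scrub_ooxml` output, keeps account and domain names out of vendor-facing documents.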

What's still not clear, however, is how attackers might have parlayed Fazio's access credentials for Target's electronic billing, contracts, or project management system into full-blown access to the retailer's IT network and payment processing systems.


Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
awinter015
User Rank: Apprentice
3/11/2014 | 10:32:47 AM
Re: Target Data Breach - Fazio
Agreed - but even if the HVAC company was given RDP access to use PM & Billing SW - there is no reason that they should have had access to anything other than what they required. Even within SMB accounting software (QuickBooks) you can restrict access to functions or files - so that could be one level of security. Another option could have been to provide them their own systems for them to use.

Even as a small IT Service company we have to go through PCI compliance. Are these big companies too big that they don't have anyone who can see the big picture? Do they perform 3rd party security audits? If so - why wasn't this found. If not - wow - they hold millions of credit card numbers and probably lots of Personal Information which must be protected - and they did nothing to think about security? Wow!
Dave122066
User Rank: Apprentice
3/3/2014 | 4:42:58 PM
Target Data Breach - Fazio
For all that I have read here, I have not heard anyone mention that Target may have given Fazio access to an RDP server to run necessary applications for billing and PM. It sounds too easy, but definitely plausible. In this case once the Fazio machine(s) was compromised with maybe a key logger, the hackers identified the "link" when sifting through their catch. At that point the liability is on Target for allowing systems used for POS, etc. to be exposed and vulnerable to systems that are external/client/contractor facing. Fazio owns part of this, but Target has the bulk of the responsibility.

Could they have targeted Target exclusively... YES. There is tons of public info about contracts and... they also placed info on a public facing server / webpage. It's my opinion that this is going to get real real messy for Fazio. Target may recover, but will never be the same. This one is just too big.
WKash
User Rank: Apprentice
2/18/2014 | 4:09:10 PM
Re: Thanks for updating
rradina, you raise some interesting possibilities here. I don't have enough information to comment on them, but one thing's for sure, it would be a great service to the community if forensics investigators shared what they learned and what steps companies should take, and should have taken. True hackers will just find another way to exploit the IT ecosystem. But if companies do more to take a "neighborhood watch" approach, rather than minding their own "house's" security, hackers at least might look elsewhere.
rradina
User Rank: Apprentice
2/18/2014 | 2:53:19 PM
Re: Thanks for updating
I missed that.  However, that raises new concerns.  If by "data connection", they mean some kind of private link with Target so they can perform these duties, it's not difficult to envision lax firewall rules or an unpatched "Intranet" server that was vulnerable.  Hackers owned Fazio's PC(s) so they could attack any system Fazio was capable of reaching through that data link.  Billing and project management servers are probably "Intranet" servers. They could have easily been running a dated and unsupported version of Windows because the software suite was not compatible with later versions.  Once compromised, it was behind the firewall on a VLAN that probably had broad access to many corporate data center resources (backup servers, file servers, database servers, etc.).  From there they could have hacked any number of systems until they found one that could talk to the retail POS systems.
WKash
User Rank: Apprentice
2/18/2014 | 12:19:48 PM
Re: Thanks for updating
The point was, it does not appear that the hackers got to Target through the HVAC control systems, but rather...the contractor's access to Target's network was limited to business-related administrative purposes. As he was quoted here: "Our data connection with Target was exclusively for electronic billing, contract submission, and project management, and Target is the only customer for whom we manage these processes on a remote basis. No other [Fazio] customers have been affected by the breach."

How the hackers used that information to get to the credit card files is an important question, still to be determined.
Joe Stanganelli
User Rank: Apprentice
2/18/2014 | 12:20:40 AM
PaulS681
User Rank: Apprentice
2/15/2014 | 4:49:22 PM
Re: Random or targeted
 

I have to think this was not random. At least to the point that they knew they were going to get into more by hacking Fazio. They must have known they had contracts with Target and others. What else did they hack and maybe no one has discovered it yet?
PaulS681
User Rank: Apprentice
2/15/2014 | 4:42:28 PM
Who will be made responsible?
This will be interesting to see if the HVAC contractors are found to be liable in any way. I'm sure their security will be looked at closely.

 
rradina
User Rank: Apprentice
2/15/2014 | 11:09:12 AM
Re: Thanks for updating
"What's still not clear, however, is how attackers might have parlayed Fazio's access credentials for Target's electronic billing, contracts, or project management system into full-blown access to the retailer's IT network and payment processing systems."

From the statement above, how do we know it was the accounting system? The quote is a "theory" because it uses the terms "might have".  Am I missing another story?

Until someone comes clean with incredible detail, we're all throwing mud at the wall. Granted, the more that comes out the closer our mud gets but we're still just guessing.  We don't even know if the credentials stolen via Fazio were instrumental before or after an initial breach.  We may never know unless we catch the perpetrators and they spill the beans.
WKash
User Rank: Apprentice
2/14/2014 | 5:53:39 PM
Thanks for updating
Thanks for continuing to follow this story and set the record straight about the HVAC contractor implicated in the Target breach.  In particular: For making it clear, based on what now seems to be known, that the hackers used an accounting system, not the HVAC system to break in and that the contractor likely was unwittingly caught in a very large phish net. As the number of companies granting network exchange privileges to one another continues to grow, so will the collateral damage as hackers continue to perfect their skills.

 