Target Breach: Phishing Attack ImplicatedReport suggests malware-laced email attack on Target's HVAC subcontractor leaked access credentials for retailer's network.
9 Notorious Hackers Of 2013
(Click image for larger view and for slideshow.)
Did the breach of Target begin with a phishing attack? Investigators suspect attackers initially gained access to Target's network using credentials obtained from heating, ventilation, and air-conditioning (HVAC) subcontractor Fazio Mechanical Services via a phishing attack, security reporter Brian Krebs reported Wednesday, citing unnamed sources with knowledge of the government's investigation into the Target breach.
Fazio Mechanical Services, which is based in Sharpsburg, Penn., reportedly fell victim to the related phishing attack at least two months prior to the time the attackers siphoned 40 million credit and debit cards from Target's point-of-sale (POS) systems, said Krebs.
The theft of payment card data from Target began on Nov. 27. Target confirmed the breach on Dec. 15, but it took until Dec. 18 before the retailer fully scrubbed the attackers' POS malware from its payment systems and arrested the payment card data exfiltration.
[Businesses need to step it up when it comes to data breach notifications. Read Data Breach Notifications: Time For Tough Love.]
Last week, Fazio Mechanical Services president and owner Ross E. Fazio issued a statement confirming that his company has been assisting the Secret Service with its investigation into the Target breach. He emphasized that his company is not a target of that investigation.
After the news broke last week that Fazio Mechanical Services was tied to the Target breach, many security experts questioned whether the retailer's attackers had hacked into an Internet-accessible -- and vulnerable -- HVAC system. But according to Fazio, his company does not perform remote monitoring or control of heating, cooling, or refrigeration systems for Target.
Rather, his company's access to Target's network was limited to business-related administrative purposes. "Our data connection with Target was exclusively for electronic billing, contract submission, and project management, and Target is the only customer for whom we manage these processes on a remote basis," he said. "No other [Fazio] customers have been affected by the breach."
Multiple sources told Krebs that the phishing email that compromised Fazio's systems included a Citadel Trojan, which is botnet-controlled financial malware based on the Zeus source code. A study of banking Trojans released this week by Dell SecureWorks described Citadel's use by criminals as "ubiquitous" and said that the attackers behind the Citadel Trojan have "made concerted efforts to spread Citadel using spam campaigns and drive-by download attacks using different exploit kits." Dell SecureWorks said that it was tracking more than 900 Citadel command-and-control servers in 2013.
Citadel malware includes the ability to relay video recordings of all Internet sessions to its controllers, and to log keystrokes automatically, as well as FTP and POP3 email credentials. According to the Dell SecureWorks report, the malware also packs a variety of security software evasion techniques, including "aggressive DNS filtering" to prevent infected hosts from connecting to security sites or receiving antivirus software and signature updates.
What culpability might the HVAC contractor have in the Target breach if its systems were used as a stepping stone by attackers? Fazio's statement suggested that the company's security infrastructure is robust, noting that "our IT system and security measures are in full compliance with industry practices." But he declined to elaborate on what those industry practices might be.
If his company was felled by a phishing attack -- packing Citadel malware or not -- it wouldn't be the first organization to be so compromised. EMC-owned security giant RSA, multiple US defense contractors, and the White House have also fallen victim to such attacks.
What are the odds that the HVAC subcontractor was compromised by a targeted attack? In fact, most phishing attacks tend to be highly automated. They focus on target quantity over quality. In other words, it's quite likely that Fazio was exploited by chance, with the gang behind the attacks only discovering the company's connection to Target after it had a chance to review data that had been automatically harvested by its malware. At that point, the attackers could have conducted more detailed reconnaissance of the retailer's network.
Krebs said it wouldn't have been difficult for attackers to case the external-facing network to which Fazio had access. "Target may have inadvertently made it easier for the attackers in this case, in part by leaving massive amounts of internal documentation for vendors on its various public-facing web properties that do not require a login," he said. "Indeed, many of these documents would be a potential gold mine of information for an attacker."
Target's public-facing Supplier Portal includes detailed information about how company subcontractors should communicate with the company and submit invoices. As Krebs reported, a number of Excel documents shared via that portal include metadata that attackers could use to identify the Windows usernames of Target employees, as well as the names of internal Windows domains.
What's still not clear, however, is how attackers might have parlayed Fazio's access credentials for Target's electronic billing, contracts, or project management system into full-blown access to the retailer's IT network and payment processing systems.
Tech Marketing 360 is the only event dedicated to technology marketers. Discover the most current and cutting-edge innovations and strategies to drive tech marketing success, and hear from and engage with companies like Mashable, Dun & Bradstreet, ExactTarget, IDC, Microsoft, LinkedIn, Oracle, Leo Burnett, Young & Rubicam, Juniper Networks, and more -- all in an intimate, upscale setting. Register for Tech Marketing 360 today. It happens Feb. 18-20, 2014, in Dana Point, Calif.
Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio