12:32 PM

Target Breach: Phishing Attack Implicated

Report suggests malware-laced email attack on Target's HVAC subcontractor leaked access credentials for retailer's network.

9 Notorious Hackers Of 2013
9 Notorious Hackers Of 2013
(Click image for larger view and for slideshow.)

Did the breach of Target begin with a phishing attack? Investigators suspect attackers initially gained access to Target's network using credentials obtained from heating, ventilation, and air-conditioning (HVAC) subcontractor Fazio Mechanical Services via a phishing attack, security reporter Brian Krebs reported Wednesday, citing unnamed sources with knowledge of the government's investigation into the Target breach.

Fazio Mechanical Services, which is based in Sharpsburg, Penn., reportedly fell victim to the related phishing attack at least two months prior to the time the attackers siphoned 40 million credit and debit cards from Target's point-of-sale (POS) systems, said Krebs.

The theft of payment card data from Target began on Nov. 27. Target confirmed the breach on Dec. 15, but it took until Dec. 18 before the retailer fully scrubbed the attackers' POS malware from its payment systems and arrested the payment card data exfiltration.

[Businesses need to step it up when it comes to data breach notifications. Read Data Breach Notifications: Time For Tough Love.]

Last week, Fazio Mechanical Services president and owner Ross E. Fazio issued a statement confirming that his company has been assisting the Secret Service with its investigation into the Target breach. He emphasized that his company is not a target of that investigation.

After the news broke last week that Fazio Mechanical Services was tied to the Target breach, many security experts questioned whether the retailer's attackers had hacked into an Internet-accessible -- and vulnerable -- HVAC system. But according to Fazio, his company does not perform remote monitoring or control of heating, cooling, or refrigeration systems for Target.

Rather, his company's access to Target's network was limited to business-related administrative purposes. "Our data connection with Target was exclusively for electronic billing, contract submission, and project management, and Target is the only customer for whom we manage these processes on a remote basis," he said. "No other [Fazio] customers have been affected by the breach."

Multiple sources told Krebs that the phishing email that compromised Fazio's systems included a Citadel Trojan, which is botnet-controlled financial malware based on the Zeus source code. A study of banking Trojans released this week by Dell SecureWorks described Citadel's use by criminals as "ubiquitous" and said that the attackers behind the Citadel Trojan have "made concerted efforts to spread Citadel using spam campaigns and drive-by download attacks using different exploit kits." Dell SecureWorks said that it was tracking more than 900 Citadel command-and-control servers in 2013.

Citadel malware includes the ability to relay video recordings of all Internet sessions to its controllers, and to log keystrokes automatically, as well as FTP and POP3 email credentials. According to the Dell SecureWorks report, the malware also packs a variety of security software evasion techniques, including "aggressive DNS filtering" to prevent infected hosts from connecting to security sites or receiving antivirus software and signature updates.

What culpability might the HVAC contractor have in the Target breach if its systems were used as a stepping stone by attackers? Fazio's statement suggested that the company's security infrastructure is robust, noting that "our IT system and security measures are in full compliance with industry practices." But he declined to elaborate on what those industry practices might be.

If his company was felled by a phishing attack -- packing Citadel malware or not -- it wouldn't be the first organization to be so compromised. EMC-owned security giant RSA, multiple US defense contractors, and the White House have also fallen victim to such attacks.

What are the odds that the HVAC subcontractor was compromised by a targeted attack? In fact, most phishing attacks tend to be highly automated. They focus on target quantity over quality. In other words, it's quite likely that Fazio was exploited by chance, with the gang behind the attacks only discovering the company's connection to Target after it had a chance to review data that had been automatically harvested by its malware. At that point, the attackers could have conducted more detailed reconnaissance of the retailer's network.

Krebs said it wouldn't have been difficult for attackers to case the external-facing network to which Fazio had access. "Target may have inadvertently made it easier for the attackers in this case, in part by leaving massive amounts of internal documentation for vendors on its various public-facing web properties that do not require a login," he said. "Indeed, many of these documents would be a potential gold mine of information for an attacker."

Target's public-facing Supplier Portal includes detailed information about how company subcontractors should communicate with the company and submit invoices. As Krebs reported, a number of Excel documents shared via that portal include metadata that attackers could use to identify the Windows usernames of Target employees, as well as the names of internal Windows domains.

What's still not clear, however, is how attackers might have parlayed Fazio's access credentials for Target's electronic billing, contracts, or project management system into full-blown access to the retailer's IT network and payment processing systems.

Tech Marketing 360 is the only event dedicated to technology marketers. Discover the most current and cutting-edge innovations and strategies to drive tech marketing success, and hear from and engage with companies like Mashable, Dun & Bradstreet, ExactTarget, IDC, Microsoft, LinkedIn, Oracle, Leo Burnett, Young & Rubicam, Juniper Networks, and more -- all in an intimate, upscale setting. Register for Tech Marketing 360 today. It happens Feb. 18-20, 2014, in Dana Point, Calif.

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Apprentice
2/14/2014 | 9:58:33 AM
My Theory
They captured credentials from Fazio when they logged into Target's network and subsequently when they logged into an in-store HVAC console.  The console was likely good ole Windows XP, not patched and no malware detection.  The credentials were probably also a "local admin" meaning they owned that console and could install anything they wanted on it and use it to determine how to compromise the router to allow POS VLAN access or, if the HVAC system was wireless, compromise an in-store Wireless network.  Once on that network, it probably wasn't hard to use a remote execution attack against Windows XP-based POS systems that might have also been missing critical patches making them vulnerable to remote attacks.
Drew Conry-Murray
Drew Conry-Murray,
User Rank: Ninja
2/14/2014 | 9:56:03 AM
Random or targeted
When I saw the headline, I assumed the attackers had identified the HVAC company as a Target supplier and deliberately went after them with a spear-phishing attack. But if it was just a random chance (a fishing expedition?), these guys stumbled across a good one. That said, the attackers seemed really prepared to exploit the opportunity, so maybe they had retailers in mind from the outset.
<<   <   Page 2 / 2
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.