It’s one more layer in what is emerging as a sophisticated, multi-pronged offensive against the big-box retailer. It was previously reported that the attackers used purloined network credentials from a third-party HVAC contractor to break into Target’s corporate system and remotely upload the BlackPOS point-of-sale malware to retail locations nationwide. From there, they were able to skim personal and credit and debit card info from millions of people that visited Target locations during the busy Thanksgiving-to-Christmas shopping period. Now, researcher Brian Krebs has learned from his sources that it all started months earlier than thought with a malicious mail attack on Fazio Mechanical.
The heating, air conditioning and refrigeration firm, based in Sharpsburg, Pa., has acknowledged that it was “the victim of a sophisticated cyber-attack operation.” It was on contract with Target to monitor and maintain environmental conditions at its stores, according to sources. And it had a data connection to Target that was used exclusively for electronic billing, contract submission and project management – but which connected to a Target server that somehow had exposure to the rest of the corporate network. Krebs said that he has learned that the thieves appeared well aware of this even if Target and Fazio thought the network was properly segmented, because employees at the firm began receiving malware-laden mail at least two months before the PoS attack started.
Two of those sources said that the mail contained the password-stealing baddie of the banking world, Citadel – but that’s not confirmed. In any event, the malware wasn’t detected in time to prevent credentials from being lifted – because Fazio was using a free copy of a consumer security software that is prohibited for corporate use, Krebs reported.
The free version of Malwarebytes Anti-Malware “is an on-demand scanner that does not offer real-time protection against threats (the Pro version of MBAM does include a real-time protection component),” Krebs said, “made explicitly for individual users and its license prohibits corporate use.” If the information is correct – and Fazio is declining comment on the matter – it’s a shocking oversight for a corporate contractor. Yet Fazio has maintained that “our IT system and security measures are in full compliance with industry practices.”
Of course, the alleged failings at Fazio would have meant nothing had Target required two-factor authentication for all remote network access, by personnel and third parties alike. A source told Krebs that Target enforced this only “in rare cases.” If true, this would put Target out of compliance with payment card industry (PCI) security standards, and therefore on the hook for some heavy fines.
“Only the vendors in the highest security group — those required to directly access confidential information — would be given a token, and instructions on how to access that portion of the network,” the source told Krebs. “Target would have paid very little attention to vendors like Fazio, and I would be surprised if there was ever even a basic security assessment done of those types of vendors by Target.”
Target has not commented on the accusations, citing the ongoing investigation into what's happened.
It’s clear that the thieves took a comprehensive and well-thought out approach to the hack; and using targeted, social engineering-based mails is a well-worn and oft-proven place to start out. Target’s supplier portal is publicly available, Krebs said, and offers information on who those third parties are – making the perpetrators’ job that much easier to get the ball rolling.