Target Breach: Phishing Attack Implicated

Published: 22/11/2024   Category: security


Report suggests a malware-laced email attack on Target's HVAC subcontractor leaked access credentials for the retailer's network.



Did the breach of Target begin with a phishing attack? Investigators suspect attackers initially gained access to Target's network using credentials obtained from heating, ventilation, and air-conditioning (HVAC) subcontractor Fazio Mechanical Services via a phishing attack, security reporter Brian Krebs reported Wednesday, citing unnamed sources with knowledge of the government's investigation into the Target breach.
Fazio Mechanical Services, which is based in Sharpsburg, Penn., reportedly fell victim to the related phishing attack at least two months before the attackers siphoned 40 million credit and debit cards from Target's point-of-sale (POS) systems, Krebs said.
The theft of payment card data from Target began on Nov. 27. Target confirmed the breach on Dec. 15, but it took until Dec. 18 before the retailer fully scrubbed the attackers' POS malware from its payment systems and halted the exfiltration of payment card data.
[Businesses need to step it up when it comes to data breach notifications. Read Data Breach Notifications: Time For Tough Love.]
Last week, Fazio Mechanical Services president and owner Ross E. Fazio issued a statement confirming that his company has been assisting the Secret Service with its investigation into the Target breach. He emphasized that his company is not a target of that investigation.
After the news broke last week that Fazio Mechanical Services was tied to the Target breach, many security experts questioned whether the retailer's attackers had hacked into an Internet-accessible -- and vulnerable -- HVAC system. But according to Fazio, his company does not perform remote monitoring or control of heating, cooling, or refrigeration systems for Target.
Rather, his company's access to Target's network was limited to business-related administrative purposes. "Our data connection with Target was exclusively for electronic billing, contract submission, and project management, and Target is the only customer for whom we manage these processes on a remote basis," he said. "No other [Fazio] customers have been affected by the breach."
Multiple sources told Krebs that the phishing email that compromised Fazio's systems included a Citadel Trojan, which is botnet-controlled financial malware based on the Zeus source code. A study of banking Trojans released this week by Dell SecureWorks described Citadel's use by criminals as "ubiquitous" and said that the attackers behind the Citadel Trojan "have made concerted efforts to spread Citadel using spam campaigns and drive-by download attacks using different exploit kits." Dell SecureWorks said that it was tracking more than 900 Citadel command-and-control servers in 2013.
Citadel malware includes the ability to relay video recordings of all Internet sessions to its controllers, to automatically log keystrokes, and to capture FTP and POP3 email credentials. According to the Dell SecureWorks report, the malware also packs a variety of security software evasion techniques, including aggressive DNS filtering to prevent infected hosts from connecting to security sites or receiving antivirus software and signature updates.
What culpability might the HVAC contractor have in the Target breach if its systems were used as a stepping stone by attackers? Fazio's statement suggested that the company's security infrastructure is robust, noting that "our IT system and security measures are in full compliance with industry practices." But he declined to elaborate on what those industry practices might be.
If his company was felled by a phishing attack -- packing Citadel malware or not -- it wouldn't be the first organization to be so compromised. EMC-owned security giant RSA, multiple US defense contractors, and the White House have also fallen victim to such attacks.
What are the odds that the HVAC subcontractor was compromised by a targeted attack? In fact, most phishing attacks tend to be highly automated. They focus on target quantity over quality. In other words, it's quite likely that Fazio was exploited by chance, with the gang behind the attacks only discovering the company's connection to Target after it had a chance to review data that had been automatically harvested by its malware. At that point, the attackers could have conducted more detailed reconnaissance of the retailer's network.
Krebs said it wouldn't have been difficult for attackers to case the external-facing network to which Fazio had access. "Target may have inadvertently made it easier for the attackers in this case, in part by leaving massive amounts of internal documentation for vendors on its various public-facing web properties that do not require a login," he said. "Indeed, many of these documents would be a potential gold mine of information for an attacker."
Target's public-facing Supplier Portal includes detailed information about how company subcontractors should communicate with the company and submit invoices. As Krebs reported, a number of Excel documents shared via that portal include metadata that attackers could use to identify the Windows usernames of Target employees, as well as the names of internal Windows domains.
What's still not clear, however, is how attackers might have parlayed Fazio's access credentials for Target's electronic billing, contracts, or project management system into full-blown access to the retailer's IT network and payment processing systems.