Although news about Target
’s huge data breach broke almost two months ago
, the post-mortem has persisted, and a security
firm has posted
a detailed breakdown of what went wrong. The story is unnerving, to say the least, as it’s not so much about system-wide failures or anything so big as it is about how all it takes for a body with so many moving parts to fall apart is one weak link and some good old-fashioned phishing.
It’s already been established that the breach appears to have emanated from a malware
email phishing attack on a Pennsylvania HVAC company called Fazio Mechanical that contracts with Target. The thief made off with network credentials that Target had issued the company using what was likely the password-swiping Citadel malware.
KrebsOnSecurity reported that Fazio Mechanical was using the free version of Malwarebytes Anti-Malware for protection, which was problematic because the free version doesn’t have real-time protection--only on-demand malware scanning.
Once the cybercriminals had those network credentials, it was all downhill. They accessed Ariba, the third-party payment system that Target uses for contractors, as well as Target’s Partners Online and Property Development Zone Portal.
KrebsOnSecurity spoke to an unnamed former member of Target’s network security who speculated that the hackers may have then used a backdoor to gain entry to Target’s own systems. “I know that the Ariba system has a back end that Target administrators use to maintain the system and provide vendors with login credentials, [and] I would have to speculate that once a vendor logs into the portal they have active access to the server that runs the application,” said the source.
The fact that it was Fazio Mechanical that turned out to be the weak link in the chain is probably ultimately coincidental, as the company was likely one of many that were caught up in a shotgun blast-style email phishing effort. The hackers--and anyone else--likely uncovered a public Target web page that lists many of the companies Target contracts with as well as a page that details how to submit work orders. Microsoft Excel documents on the page contain metadata including the Windows username of the person who last edited a given file as well as an easily decipherable code for the server location where the file resides. That information would have made it easier for the hackers to finish harvesting and moving the pilfered data.
Again, what’s most disturbing about this case is that the hackers were able to launch a phishing attack using what is essentially publicly available data. And even if those vendor lists and work order submission instructions were password-protected, that’s information that all vendors who work with Target would know, so it’s not like that information would be terribly difficult to come by.
True, Fazio Mechanical should have had better malware protection, and it’s possible that Target payment system was not completely in compliance with PCI security standards, but given the above, how many major companies are vulnerable to the same type of attack?