Security Firm Breaks Down What Went Wrong With Target Breach
It has already been established that the breach appears to have originated with a malware-laced phishing email sent to Fazio Mechanical, a Pennsylvania HVAC company that contracts with Target. The attackers made off with the network credentials Target had issued the company, most likely by way of the password-stealing Citadel malware.
KrebsOnSecurity reported that Fazio Mechanical was using the free version of Malwarebytes Anti-Malware for protection, which was problematic because the free version offers only on-demand malware scanning, not real-time protection: an on-demand scanner catches a credential stealer only if someone runs a scan after it has landed on disk, by which point the passwords may already be gone.
Once the cybercriminals had those network credentials, it was all downhill. They accessed Ariba, the third-party payment system that Target uses for contractors, as well as Target’s Partners Online and Property Development Zone Portal.
KrebsOnSecurity spoke to an unnamed former member of Target’s network security team, who speculated that the hackers may have then used a back end of the vendor portal to gain entry to Target’s own systems. “I know that the Ariba system has a back end that Target administrators use to maintain the system and provide vendors with login credentials, [and] I would have to speculate that once a vendor logs into the portal they have active access to the server that runs the application,” said the source.
That Fazio Mechanical turned out to be the weak link in the chain is probably coincidental; the company was likely one of many caught up in a shotgun-style phishing campaign. The hackers--and anyone else--likely found a public Target web page that lists many of the companies Target contracts with, as well as a page that details how to submit work orders. Microsoft Excel documents on that page carry metadata including the Windows username of the person who last edited a given file, as well as an easily decipherable code for the server location where the file resides. That information would have made it easier for the hackers to finish harvesting and moving the pilfered data.
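The metadata exposure described above is easy to audit for, and just as easy to prevent, before a document is published. The script below is an added example and is not code from the article or from any of the parties it names. It builds a constructed .xlsx-style package in memory (the usernames, company name and UNC path in it are invented for illustration), reports the author and path fields that an Office Open XML file carries in its docProps parts, and writes a scrubbed copy with those fields removed. It uses only the Python standard library; which fields count as "identifying" is this example's own choice, not an Office specification.

```python
"""Audit and scrub authorship metadata in Office Open XML (.xlsx/.docx) packages.

Added example, not from the original article. The sample document, the
usernames and the UNC path below are constructed for illustration.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
APP_NS = {"ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}

# Fields this example treats as identifying (a choice, not an Office rule):
# who created / last saved the file, and anything that can embed an internal path.
CORE_FIELDS = ("dc:creator", "cp:lastModifiedBy", "dc:title", "dc:description")
APP_FIELDS = ("ep:Company", "ep:Manager", "ep:HyperlinkBase")

# Windows UNC path such as \\server\share\folder\ (two leading backslashes).
UNC_RE = re.compile(r"\\\\[^\\\s]+(?:\\[^\\\s]*)+")

for _prefix, _uri in CORE_NS.items():
    ET.register_namespace(_prefix, _uri)
ET.register_namespace("", APP_NS["ep"])  # app.xml uses a default namespace


def build_sample_xlsx() -> bytes:
    """Constructed sample: a minimal zip with the two docProps parts Excel writes.
    The account names and file-server path are invented."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
        '<dc:creator>CORP\\jsmith</dc:creator>'
        '<cp:lastModifiedBy>CORP\\asanchez</cp:lastModifiedBy>'
        '<dcterms:modified>2013-11-02T14:21:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    ) % (CORE_NS["cp"], CORE_NS["dc"], CORE_NS["dcterms"])
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="%s">'
        '<Company>Example Retail Inc.</Company>'
        '<HyperlinkBase>\\\\fs-hq-01\\vendors\\workorders\\</HyperlinkBase>'
        '</Properties>'
    ) % APP_NS["ep"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


def audit_metadata(data: bytes) -> dict:
    """Return the identifying fields present in the package, keyed 'part:Element'.
    Any UNC paths found in those values are also listed under 'unc_paths'."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag in CORE_FIELDS:
                el = root.find(tag, CORE_NS)
                if el is not None and el.text:
                    found["core:" + tag.split(":")[1]] = el.text
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for tag in APP_FIELDS:
                el = root.find(tag, APP_NS)
                if el is not None and el.text:
                    found["app:" + tag.split(":")[1]] = el.text
    unc = [m.group(0) for v in found.values() for m in UNC_RE.finditer(v)]
    if unc:
        found["unc_paths"] = unc
    return found


def _strip(xml_bytes: bytes, fields, ns) -> bytes:
    """Remove the listed direct-child elements and re-serialise the part."""
    root = ET.fromstring(xml_bytes)
    for tag in fields:
        for el in root.findall(tag, ns):
            root.remove(el)
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8")


def scrub_metadata(data: bytes) -> bytes:
    """Return a copy of the package with the identifying fields removed.
    Every other zip entry is copied unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                payload = _strip(payload, CORE_FIELDS, CORE_NS)
            elif item.filename == "docProps/app.xml":
                payload = _strip(payload, APP_FIELDS, APP_NS)
            dst.writestr(item.filename, payload)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_xlsx()
    print("before:", audit_metadata(sample))
    print("after: ", audit_metadata(scrub_metadata(sample)))
```

Pointing `audit_metadata` at every .xlsx and .docx under a public web root gives a quick inventory of which published files name internal accounts or file servers; running `scrub_metadata` in the publishing pipeline stops new ones from appearing. Note that embedded images, comments, tracked changes and custom properties are separate parts this example does not touch.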
Again, what is most disturbing about this case is that the hackers were able to mount a phishing attack using what is essentially publicly available data. And even if those vendor lists and work-order instructions had been password-protected, every vendor that works with Target would know them, so the information would not have been terribly difficult to come by.
True, Fazio Mechanical should have had better malware protection, and it is possible that Target’s payment system was not fully compliant with PCI security standards, but given the above, how many major companies are vulnerable to the same type of attack?