How hackers stole millions of credit card records from Target

How hackers stole millions of credit card records from Target

Summary: How did the cyberattack on Target, which resulted in the theft of millions of records, take place?

TOPICS: Security, Malware
credit cnet
Credit: CNET

Millions of U.S. citizens had their financial information and personal data stolen due to a security breach at Target, and it may be that a phishing email campaign is to blame.

Reported by cybersecurity expert Brian Krebs on Wednesday, a third-party heating and air-conditioning contractor may have provided the avenue for infiltration of Target systems -- thanks to a phishing email campaign that at least one employee succumbed to.

The breach at U.S. retailer Target -- taking place in November 2013 -- resulted in the theft of at least 40 million customer records containing financial data such as debit and credit card information. In addition, roughly 70 million accounts were compromised that included addresses and mobile numbers.

The data theft was caused by the installation of malware on the firm's point of sale machines, thought to be accessed via third-party vendors with security flaws in their systems, which provided the bridge for hackers to break in to Target.

The subsequent file dump containing customer data is reportedly flooding the black market, where it could be used to pilfer cash from accounts, be the starting point for the manufacture of fake bank cards, or provide data required for identity theft.

According to Krebs, sources close to the investigation say that credentials were stolen from Fazio Mechanical in a malware-injecting phishing attack sent to employees of the firm by email. Believed to have begun two months before the subsequent data theft, the campaign has been linked to the Citadel malware -- a password stealing program related to the Zeus banking trojan.

In a statement (.pdf), Fazio said it could not comment on the technical details of the breach, but admitted the firm was "a victim of a sophisticated cyber attack operation," and "is not the subject of the federal investigation." In addition, Fazio maintains its IT system and security measures are in "full compliance" with industry practices.

However, as Krebs notes, the firm's primary security protection was through the free version of Malwarebytes Anti-Malware. While suitable for individual consumers and good as a clean-up program, the free version is not permitted for use on corporate systems and should not be used as a sole provider of protection -- especially on business networks -- as it does not provide a real-time scanner unless the Pro version is purchased.

Target is currently working with the U.S. Secret Service and FBI to investigate the breach and attempt to track down the cyberattacks. However, the retailer is not alone as a high-profile victim of cyberattack -- in January, U.S. retailer Neiman Marcus Group admitted its own security breach which resulted in credit card scraping of 1.1 million customers.

Topics: Security, Malware

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Blamed it on the HVAC guy?

    That will take a LOT of heat off us painters.
    • WINNER

      That's 1 for fm.usa, and 0 for the rest
    • They are to blame

      Target needs better security on their network but that air conditioning company only used the manual version of Malwarebytes. Yikes. That's only good for cleaning up the mess later. They could have downloaded free anti-virus software. That would have been better.
  • Blamed it on the HVAC guy?

    That will take a LOT of heat off us painters.
  • Let me get this straight.

    An Fazio employee fell for a phishing email, and gave away a password. Not Windows fault, it's a fleshware problem, many will say.

    Using the phished password, a Zeus derivative trojan, (Windows only program) was installed. So it must have been an admin password. How many times have I read nobody does insecure things like logging on as admin in Windows any more?

    Then, the trojan went undetected because a relativity small Heating/AC company was likely told they "must use Windows" for business, but they apparently don't have the IT budget to afford corporate malware subscriptions. How many times have I read "just use a free AV product"?

    Then the attack transfers to Target systems during environmental system maintenance, or in inter-company emails, I assume. Again, why is this maintenance, or email exchange being done with admin access? Perhaps because that is the only way Windows really works?

    While this attack may have started with human error, only with Windows' help could the attack net so much booty.

    When will people learn?
    • As Long As We're Making Assumptions

      The phishing attack installed malware that captured credentials from the HVAC folks. Those credentials allowed them to login to a system inside Target's firewalls. That system was an HVAC configuration console for in-store HVAC, cooler/freezer and energy management systems. Using that console, which was probably running an old version of Unix where it was easy to crack the root password, they ran a program to compromise the in-store Cicso router (which was using an old vulnerable version of IOS). The compromised router's ACLs were changed to permit the HVAC system to speak to the in-store POS subnet. Then a remote exploit, was executed against the POS systems. The POS systems were probably based on a poorly patched and poorly maintained Windows XP versions that were easy to compromise. Once compromised, the POS malware sent captured data to the HVAC controller. The router ACLs were also updated to permit the HVAC system to forward that information to external Internet-based servers.

      When will people learn that there is no "high ground" in these discussions? If there are bears in the woods, do you bet your life on replacing the tent flap with a steel door?
      • Problem with your assumsions

        My assumption are reasonable given the available info.
        Zeus only runs on Windows, so the Fazio, and Target's POS systems must be running Windows to have been infected.

        Your assumptions about old Unix and Cisco versions don't seem to explain why we have never heard of any of those 'old' systems, that have obviously been around for decades, being compromised even close to the extent Target was.
        • Reasonable?

          Fazio's office PCs and Target's POS run Windows. That's certain. The rest are assumptions by you and me. I just painted an alternate picture with a different agenda.

          Claiming someone FORCED Fazio to run Windows clients is a stretch. Target had a contract with them and they probably didn't give a hoot what they used in their office. Target probably didn't even care if they got infected thinking their office had no direct-connection to Target.

          In my scenario, it's highly improbable the HVAC management ran Unix. It probably ran Windows. It's also likely the credentials stolen in Fazio's office are a "local admin" on the HVAC console. The HVAC console is also probably XP, not patched and probably had no malware prevention mechanisms. It's a single task box plugged into a private network in an in-store VLAN that allows remote access in and probably some outbound alerting if an HVAC unit, freezer/cooler system or power management system throws a fault. I'm sure everyone thought it was low risk.

          The idea that the in-store Cicso router was running a dated version of IOS is totally plausible. The in-store Cisco router is very likely NOT exposed to the Internet but rather communicates to Target's data centers through a private MPLS WAN link. (Low risk environment). IOS is not flawless and perhaps whatever IOS version they were running had a buffer-overflow in the DNS-forwarder, NTP, DHCP or some other commonly used service that was casually available to the HVAC system to exploit. The fact that the intruders were able to compromise that system from the HVAC management console would be the furthest thing from Target's security radar. They didn't care about it because they had it locked down so that it could only do what the HVAC contractor needed it to do. They believe it's low risk and even it if gets infected, it cannot reach the POS VLAN as required by any good PCI audit. (POS VLANs are in-scope for a PCI Audit and the best practice is two-factor authentication to gain access to those VLANs.)

          Even if they didn't compromise the router, it's possible the HVAC system was wireless and Target may have operated a wireless POS VLAN for department SKU management, price check stations and/or line busting devices (speculation but plausible). Perhaps they were able to compromise the wireless system by sniffing packets from the HVAC system.

          Whatever worked at one target store, likely worked at most or even all stores because that's what efficient IT does. It creates a standard footprint so that it doesn't end up with a nasty n x n Cartesian product of configurations it has to decipher when a frantic Target store director raises a 911 at 9am and the store opens at 10am.

          Until someone explains in GREAT detail how things were compromised, my assumptions are as plausible as anyone's assumptions. The key difference in my assumptions is agenda. My agenda is to show that false security is replacing the tent flap with a steel door and hoping the bear doesn't approach the tent from the side or the rear. Any system in the store could be the random variable that leads to the unthinkable penetration.

          If the authority of a contractor working for the NSA is overlooked, it's absolutely plausible that Target overlooked the risk of an HVAC console located in a rarely used electrical closet in the back room.
    • Clearly, you have an agenda.

      I don't want to slow you down, but you shouldn't assume that using another OS would provide magical protection. Each OS requires competent system design and administration. Attached to those functions is a cost. Costs flow into budgets, and budgets get cut because "that department doesn't deliver profit".

      Windows has many recognized, manageable flaws, but I don't blame these breeches on the OS. A thief always aims for the weakest point on the weakest target. That doesn't prove the others are invincible.
      • Where did I say "others are invincible."?

        I do agree: "A thief always aims for the weakest point on the weakest target.".
        We seem to disagree on what that "weakest target" is.
  • Target Breach

    The next question is: why does the HVAC company have access to the Card Data Environment? The network handling payment data is supposed to be segregated from non-payment functions. It certainly sounds like Target did not employ basic security measures required by the Payment Card Industry standards.
  • From HVAC to point of sale. Ya, makes total sense.

    I supposed the next thing you want me to believe is that on 9/11, two dimensionally thinking individuals were able to take out 3 buildings with just two planes even though they could never have been trained to fly them because even the airlines didn't know what planes they were going to be flying that day. But hey, miracles happen. Rumor has it, they did such good job they were able to defy the laws of physics because the buildings fell at a free fall rate (i.e. zero resistance from the intact lower floors).

    My personal opinion is that the 1% folks are running a bit low on cash so they came up with another B.S. cover story so they can steal from the rest of us again. Should we feel fortunate that they didn’t slaughter thousands in the process this time?

    No matter, you can run but you can't hide.

    Gen 4:10
    “Listen! Your brother's blood cries out to me from the ground”
    • Debunking the 9/11 Myths: Special Report by Popular Mechanics
      • The Freedom of Capitalism - free to Corrupt

        Popular Mechanics is owned by the Hurst Corporation. They own over 300 media publications.

        Still believe in freedom of the press?

        How about too much concentration of power?

        How about absolute power corrupts absolutely?

        So tell me why no one from Whachoiva got arrested in the 400 Billion money laundering scheme even though the DEA knew all about it?

        Because the 1% folks don't play by the same rules as you and I. They own congress.

        So what do they do to keep themselves in power? They make up stories about fake bogey men and repeat it over in over in their 300+ publications.

        They just site there like salivating lapdogs waiting for the next billion dollar federal contract to be awarded to chase their fake suspects.
    • Listen! This fool's ignorance cries out to me from the Internet

      1) Any religious monkey can be trained to fly an airliner into a building. The really hard part, and why airline pilots are paid big bucks, is a smooth and safe landing in all kinds of weather and conditions.

      2) You are as ignorant of computers and networks as you are regarding 9/11.

      3) My favorite Biblical quote is Matthew 16:28: "Truly I say to you, there are some of those who are standing here who will not taste death until they see the Son of Man coming in His kingdom." Oops.
      • The Fat Lady Has not sung on this one yet

        And when she does, governments will likely fall.

        You should find out what Hundreds of Architects & Engineers have to say.

        I could be wrong about this, but I'm willing to bet I was writing CPU microcode while you were still in diapers. But I'm glad you like to mouth off about someone's credentials who you know absolutely nothing about. Very logical and thoroughly researched no less.
        • U

          R wrong.

        • What?

          You think because you write computer code it makes you more intelligent than other people. It means you have trained in a specific area and performed the duties for awhile. You may have more 'Training' and 'Experience in that specific area but in no way shows extreme intelligence. An idiot savant can do one thing very well, but only 'One' thing.
    • You need

      real help if you believe that 9/11 BS.
  • Fazio: gone phishing

    CharlieO wrote "While suitable for individual consumers and good as a clean-up program"

    The free version of Malwarebytes is outstanding as a removal service, but it does absolutely nothing in terms of protection because it has no real-time shield component. That's what you get with Malwarebytes Pro. So Fazio had ZERO protection according to KrebsOnSecurity.

    And Malwarebytes-free is not recognized by Windows as an anti-virus solution, so unless Fazio was running Windows 8 which includes Defender (or they downloaded MSE for free on 7, Vista, or XP), Windows Action Center would have complained about no anti-virus.

    If Fazio really was running only Malwarebytes-free, they are the HVAC equivalent to someone driving without seat belts and insurance.
    PC Cobbler