How hackers stole millions of credit card records from Target

How did the cyberattack on Target, which resulted in the theft of millions of records, take place?
Written by Charlie Osborne, Contributing Writer
Credit: CNET

Millions of U.S. citizens had their financial information and personal data stolen due to a security breach at Target, and it may be that a phishing email campaign is to blame.

As reported by cybersecurity expert Brian Krebs on Wednesday, a third-party heating and air-conditioning contractor may have provided the avenue for infiltration of Target systems -- thanks to a phishing email campaign that at least one employee succumbed to.

The breach at U.S. retailer Target -- taking place in November 2013 -- resulted in the theft of at least 40 million customer records containing financial data such as debit and credit card information. In addition, roughly 70 million accounts were compromised that included addresses and mobile numbers.

The data theft was caused by the installation of malware on the firm's point of sale machines, thought to be accessed via third-party vendors with security flaws in their systems, which provided the bridge for hackers to break into Target.

The subsequent file dump containing customer data is reportedly flooding the black market, where it could be used to pilfer cash from accounts, be the starting point for the manufacture of fake bank cards, or provide data required for identity theft.

According to Krebs, sources close to the investigation say that credentials were stolen from Fazio Mechanical in a malware-injecting phishing attack sent to employees of the firm by email. Believed to have begun two months before the subsequent data theft, the campaign has been linked to the Citadel malware -- a password-stealing program related to the Zeus banking trojan.

In a statement (.pdf), Fazio said it could not comment on the technical details of the breach, but admitted the firm was "a victim of a sophisticated cyber attack operation," and "is not the subject of the federal investigation." In addition, Fazio maintains its IT system and security measures are in "full compliance" with industry practices.

However, as Krebs notes, the firm's primary security protection was through the free version of Malwarebytes Anti-Malware. While suitable for individual consumers and good as a clean-up program, the free version is not permitted for use on corporate systems and should not be used as a sole provider of protection -- especially on business networks -- as it does not provide a real-time scanner unless the Pro version is purchased.

Target is currently working with the U.S. Secret Service and FBI to investigate the breach and attempt to track down the cyberattackers. However, the retailer is not alone as a high-profile victim of cyberattack -- in January, U.S. retailer Neiman Marcus Group admitted its own security breach, which resulted in credit card scraping affecting 1.1 million customers.
