Hackers gained access to Target's computer system and stole financial and personal data of 110 million shoppers by tricking an employee at an outside vendor into clicking on a malicious email, according to a report Wednesday by security blogger Brian Krebs.
An employee at Fazio Mechanical, a Sharpsburg, Pa.-based heating, ventilation and air-conditioning company with access to Target's network, fell for a "spear phishing" attack, in which hackers send malware-laced emails that appear to come from trusted sources to take over victims' computers, according to Krebs, who cited sources close to the investigation.
Once hackers gained access to the employee's computer, they could enter Target's system and steal the retailer's payment card data, Krebs wrote. Fazio was reported last week to be the possible conduit through which hackers accessed Target's network, but the details of how the attack may have occurred are new.
The revelation highlights a central problem companies face as they try to secure their networks in a complex Web ecosystem. Although businesses invest millions of dollars every year in the fight against hackers, they are still vulnerable to the lax security measures of third parties that access their systems.
Tom Kellermann, the managing director of cyber protection at Alvarez & Marsal, a professional services firm, said hackers often research which outside contractors have remote access to the networks of large corporations because they make easier targets. Kellermann called the attack method "island hopping" and said "it's much more common than you think."
“There’s a lack of due diligence with third-party vendors in securing their systems, and they’re being hunted by Eastern European crime syndicates to go after major multinational companies,” Kellermann said.
Target spokeswoman Molly Snyder said in an email that an "intruder stole a vendor's credentials which were used to access our system." But she declined to name the vendor or disclose how the credentials were stolen, citing an ongoing investigation.
Fazio Mechanical did not respond to a request for comment, but released a statement last week saying that "like Target, we are a victim of a sophisticated cyber attack operation."
The company said it had remote access to Target’s computer network “for electronic billing, contract submission and project management.”
Companies that provide heating and air conditioning appear to be particularly ripe targets for hackers. Researchers at Qualys, a cloud security company, said they found 55,000 so-called HVAC vendors that are connected to the Internet, and many of them fail to take basic computer security measures.
Krebs reported that Fazio Mechanical may not have realized the phishing attack at first because the company was using a free anti-malware program that “does not offer real-time protection against threats.”