The breach at Target that exposed payment card data and personal details for as many as 110 million of its customers may have begun with a simple malware-laced phishing e-mail sent to a refrigeration contractor that worked for the retailer, according to a report published Wednesday by KrebsOnSecurity.
The article builds off details unearthed last week by the same publication. Reporter Brian Krebs wrote that the hackers who penetrated Target's corporate network gained entry using authentication credentials stolen from a heating, ventilation, and air-conditioning (HVAC) subcontractor that did work for a variety of large retailers. The HVAC firm, Fazio Mechanical, located in Sharpsburg, Pennsylvania, later issued a statement saying its data connection to Target's network was solely for purposes of electronic billing, contract submission, and project management.
Citing multiple people familiar with the ongoing investigation, Krebs said Wednesday that the Target credentials were obtained using an e-mail malware attack that began about two months before thieves began siphoning data for 40 million payment cards from Target's network-connected cash registers. Two of the sources said the malware was the Citadel password-stealing program, but that detail hasn't been confirmed. Krebs went on to raise the possibility that the people who compromised the HVAC firm may not have done so with the intent of hacking Target and carrying out one of the largest data thefts in history. He also said that documentation that Target left in plain view on its website may have made the subsequent attack much easier to carry out. Krebs explained: