It’s the signature move of a smart hacker: use one vulnerable point of entry on an interconnected system, then go after your real target. Now it seems one unfortunate HVAC maintenance man was used as the hacker’s pawn in the Target data breach.
Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems, was given access to a Target database so the company could remotely log in and perform efficiency updates. After stealing one Fazio worker’s credentials, the hackers used this digital pathway to insert the destructive malware, reported security blogger Brian Krebs.
Target said last week their ongoing investigation into the breach revealed a “third party vendor” was used to gain access, which is a standard move for hackers, David Kennedy, TRUSTEDSEC founder and security consultant, told TheBlaze. When multiple systems are linked, like a heating and air conditioning system and a credit card processing system, as long as a hacker can access a single point in the network, they can likely reach all the interconnected data.
“There is a data hub that handles all of those interconnections, and hackers can ride the trusted connections and pivot to other systems – it’s a very common practice,” Kennedy added.
Avivah Litan, a fraud analyst with Gartner Inc., said that although current Payment Card Industry standards do not require organizations to maintain separate networks for payment and non-payment operations, they do require merchants to incorporate two-factor authentication for remote network access originating from outside the network by personnel and all third parties — including vendor access for support or maintenance, reports Krebs.
However, the Target system used by the HVAC vendor did not have two-factor authentication.
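The two defensive points raised above, that a flat network lets an intruder ride trusted connections from a vendor entry point into the payment systems, and that remote vendor access should be protected by two-factor authentication, can both be checked mechanically. The following is an added example written for this page; it is not code from Target, Fazio, Krebs or any of the quoted analysts. The zone names, the two topologies, the account records and the function names are all constructed for illustration and do not describe Target's actual network.

```python
# Added example (not from the article): audit whether a third-party vendor's
# remote-access entry point can transitively reach the cardholder data
# environment (CDE), and whether remote-access accounts enforce two-factor auth.
# Every zone name, flow and account record below is constructed sample data.
from collections import deque
from typing import Dict, List, Set

# Trust graph: each entry lists the zones a zone may open connections to.
# This mirrors the "data hub links everything" topology the article describes.
FLAT_NETWORK: Dict[str, Set[str]] = {
    "vendor_portal": {"data_hub"},
    "data_hub": {"hvac_controllers", "corporate_lan", "pos_lan"},
    "corporate_lan": {"data_hub"},
    "hvac_controllers": {"data_hub"},
    "pos_lan": {"payment_processing"},
    "payment_processing": set(),
}

# Segmented alternative: vendor access lands in a jump zone that only reaches
# the HVAC controllers; nothing routes from there toward the registers.
SEGMENTED_NETWORK: Dict[str, Set[str]] = {
    "vendor_portal": {"vendor_jump_zone"},
    "vendor_jump_zone": {"hvac_controllers"},
    "hvac_controllers": set(),
    "data_hub": {"corporate_lan", "pos_lan"},
    "corporate_lan": {"data_hub"},
    "pos_lan": {"payment_processing"},
    "payment_processing": set(),
}

# Zones that hold or process card data (constructed labels).
CDE_ZONES: Set[str] = {"pos_lan", "payment_processing"}

# Constructed remote-access inventory; "mfa" records whether the account is
# enrolled in two-factor authentication.
REMOTE_ACCESS_ACCOUNTS = [
    {"user": "hvac-vendor-tech", "type": "third_party", "mfa": False},
    {"user": "it-admin", "type": "employee", "mfa": True},
    {"user": "refrig-support", "type": "third_party", "mfa": True},
]


def reachable_from(graph: Dict[str, Set[str]], start: str) -> Set[str]:
    """Breadth-first walk over trusted connections: every zone an intruder who
    holds `start` could pivot to without needing a fresh foothold."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in graph.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def shortest_path_to_cde(graph: Dict[str, Set[str]], start: str) -> List[str]:
    """Shortest chain of trusted hops from `start` into any CDE zone, or [] if
    the CDE is unreachable. Useful for showing auditors the exact pivot path."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone in CDE_ZONES:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for nxt in graph.get(zone, ()):
            if nxt not in parent:
                parent[nxt] = zone
                queue.append(nxt)
    return []


def remote_accounts_missing_mfa(accounts) -> List[str]:
    """PCI DSS, as summarized in the article, expects two-factor authentication
    on all remote access from outside the network, employees and vendors alike."""
    return sorted(a["user"] for a in accounts if not a["mfa"])


def audit(graph: Dict[str, Set[str]], accounts, entry: str = "vendor_portal") -> dict:
    """Combine both checks into one finding record."""
    exposed = sorted(reachable_from(graph, entry) & CDE_ZONES)
    return {
        "cde_reachable_from_vendor": bool(exposed),
        "exposed_cde_zones": exposed,
        "pivot_path": shortest_path_to_cde(graph, entry),
        "remote_accounts_without_mfa": remote_accounts_missing_mfa(accounts),
    }


if __name__ == "__main__":
    for name, graph in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED_NETWORK)):
        print(name, audit(graph, REMOTE_ACCESS_ACCOUNTS))
```

On the flat topology the audit reports a three-hop pivot path from the vendor portal through the data hub to the register LAN; on the segmented one the CDE is unreachable from the same entry point, and the only remaining finding is the vendor account without two-factor authentication. Either finding on its own would have been worth fixing before granting the access.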
Sources said that between Nov. 15 and Nov. 28 (Thanksgiving and the day before Black Friday), the attackers succeeded in uploading their card-stealing malicious software to a small number of cash registers within Target stores.
Those same sources said the attackers used this time to test that their point-of-sale malware was working as designed.
By the end of the month — just two days later — the intruders had pushed their malware to a majority of Target’s point-of-sale devices, and were actively collecting card records from live customer transactions, investigators told this reporter. Target has said that the breach exposed approximately 40 million debit and credit card accounts between Nov. 27 and Dec. 15, 2013.
So why give access to any third-party vendors if malware can be inserted so easily? Krebs reported that Target, not unlike many organizations that have to heat and cool a large facility, allows vendors to remote into the system to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software. And rather than having one technical specialist per store, giving remote access allows one person to monitor several systems in multiple stores.
It’s a cost saving decision that may end up costing Target hundreds of millions of dollars in bank reimbursements, fines, legal fees, and customer service costs.
Follow Elizabeth Kreft (@elizabethakreft) on Twitter.