Here’s How Hackers Stole 110 Million Americans’ Data From Target

It appears to be among the biggest phishing catches of all time.

National Journal
Dustin Volz
Feb. 12, 2014, 10:02 a.m.

More than 110 million Target customers had their credit-card information stolen because at least one employee of a heating and air-conditioning contractor succumbed to an email phishing scheme, cybersecurity blogger Brian Krebs reported Wednesday.

The revelation, if true, is the strongest indication yet of what went wrong since Krebs first exposed the massive heist of consumer financial data at the national retail giant late last year, a startling cyberattack that has prompted intense congressional inquiry. Neiman Marcus and other chains have also recently been victimized, though it is not believed that the perpetrators are the same.

Last week, Krebs reported that hackers infiltrated Target’s network by swiping the login credentials of Fazio Mechanical Services, a Pennsylvania-based contractor.

Now, anonymous sources tell Krebs that credentials “were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers.” It appears that the culprits used a password-stealing bot known as Citadel to get the job done.

Fazio, in response to its sudden notoriety last week, sent out a statement explaining that it had been “the victim of a sophisticated cyberattack operation.” But Krebs notes that the company’s defense against malicious attacks was a free version of a somewhat impotent anti-malware program, which “is made explicitly for individual users and its license prohibits corporate use.”

Members of Congress are calling for a bill to create a national reporting standard for data breaches similar to the one that hit Target. Retailers and financial institutions would be required to notify government and consumers of breaches when they occur.

The new revelations arrive on a day when the White House rolled out a set of voluntary guidelines intended to help businesses defend themselves against hackers.
