Here’s How Hackers Stole 110 Million Americans’ Data From Target

It appears to be among the biggest phishing catches of all time.

National Journal
Dustin Volz
Feb. 12, 2014, 10:02 a.m.

More than 110 million Target customers had their credit-card information stolen because at least one employee of a heating and air-conditioning contractor succumbed to an email phishing scheme, cybersecurity blogger Brian Krebs reported Wednesday.

The revelation, if true, is the strongest indication yet of what went wrong since Krebs first exposed the massive heist of consumer financial data at the national retail giant late last year, a startling cyberattack that has prompted intense congressional inquiry. Neiman Marcus and other chains have also recently been victimized, though it is not believed that the perpetrators are the same.

Last week, Krebs reported that hackers infiltrated Target’s network by swiping the login credentials of Fazio Mechanical Services, a Pennsylvania-based contractor.

Now, anonymous sources tell Krebs that credentials “were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers.” It appears that the culprits used a password-stealing bot known as Citadel to get the job done.

Fazio, in response to its sudden notoriety last week, sent out a statement explaining that it had been “the victim of a sophisticated cyberattack operation.” But Krebs notes that the company’s defense against malicious attacks was a free version of a somewhat impotent anti-malware program, which “is made explicitly for individual users and its license prohibits corporate use.”

Members of Congress are calling for a bill to create a national reporting standard for data breaches similar to the one that hit Target. Retailers and financial institutions would be required to notify government and consumers of breaches when they occur.

The new revelations arrive on a day when the White House rolled out a set of voluntary guidelines intended to help businesses defend themselves against hackers.
