Viewing on a mobile device? click here for our mobile version

   
 

February 6, 2014

       

 
   


Target hackers broke in via...an HVAC company?! Do they have your passwords and login?  Target hackers first broke into the retailer's system by using network credentials stolen from Fazio Mechanical Services, a refrigeration and HVAC systems provider, sources told security news and investigation website KrebsonSecurity.com. Last week, Target said that the initial intrusion into its systems was traced back to network credentials that were stolen from a third-party vendor. According to Fazio Mechanical's website, the company has also has done refrigeration and HVAC projects for specific Trader Joe's, Whole Foods and BJ's Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West Virginia. (Source cnbc.com)

Target Hackers Broke in Via HVAC Company
Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.

Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.

Fazio president Ross Fazio confirmed that the U.S. Secret Service visited his company’s offices in connection with the Target investigation, but said he was not present when the visit occurred. Fazio Vice President Daniel Mitsch declined to answer questions about the visit. According to the company’s homepage, Fazio Mechanical also has done refrigeration and HVAC projects for specific Trader Joe’s, Whole Foods and BJ’s Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West Virginia.

It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.

“To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software,” the source said. “This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.”

Investigators also shared additional details about the timeline of the breach and how the attackers moved stolen data off of Target’s network.

Sources said that between Nov. 15 and Nov. 28 (Thanksgiving and the day before Black Friday), the attackers succeeded in uploading their card-stealing malicious software to a small number of cash registers within Target stores. Those same sources said the attackers used this time to test that their point-of-sale malware was working as designed.

By the end of the month — just two days later — the intruders had pushed their malware to a majority of Target’s point-of-sale devices, and were actively collecting card records from live customer transactions, investigators told this reporter. Target has said that the breach exposed approximately 40 million debit and credit card accounts between Nov. 27 and Dec. 15, 2013.

That's an 11 day spread between Nov. 15th and Nov. 27th where Target had no idea they were already in.

The data they stole wasn't sent directly to locations in Russia. Instead they used "drop" locations on servers they had hacked. One belonging to a business in Miami and another in Brazil. The U.S. is requesting legal assistance from Brazilian authorities to gain access to the Target data on that server.

Current PCI standards do not require organizations to maintain separate networks for payment and non-payment operations however it does require merchants to incorporate two-factor authentication for remote network access coming from outside the network including vendors for support or maintenance. So will Target be liable for failing to adhere to payment card security standards that can come with hefty fines?

Target may be able to cover some of those costs through a mesh network of business insurance claims. According to a Jan. 19 story at businessinsurance.com, Target has at least $100 million of cyber insurance and $65 million of directors and officers liability coverage. (Source krebsonsecurity.com)

U.S. Secret Service visits refrigeration company in Target probe
The U.S. Secret Service visited the office of a Pennsylvania-based refrigeration contractor, Fazio Mechanical Services, in connection with an investigation of the Target Corp consumer data breach, a spokesman for the agency said on Wednesday. Fazio is the largest refrigeration contractor in the Western Pennsylvania region, and Target is one of its clients, according to the Sharpsburg-based company's website. A law enforcement source told Reuters that evidence suggests the hackers stole login credentials from Fazio and may have used the credentials to break into Target's network. The source added, however, that investigators were not sure that this was what happened, and it was possible the hackers used other ways to breach Target's network. Representatives for Fazio could not be reached for comment. (Source chicagotribune.com)

Today's Google search of Fazio Mechanical Services website shows - "Bandwidth Limit Exceeded"  The server is temporarily unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later.

Google search shows Fazio Mechanical Services as Supermarket Refrigeration System Design/ Energy Reduction  Are they in your supermarket?

Yesterday's Search Showed the following Screen Shot

Client List - Screen Shot Below

 

Air Liquide
Aldi, Inc.
Allegheny Cold Storage
American Beverage Corp.
Bilo
BJ's Wholesale Club
Bottom Dollar
Cardinal Health
Central Catholic School
Community Market
Costco
Dairy Farmers Of America
Dave & Busters
Delallo's
Denny's
Dyno Nobel Inc.
East End Co-op
Farmer Jones
Fisher Foods
Food Lion
Get Go
Giant Eagle
Goodwill
Greater Pittsburgh Food Bank
Home City Ice
Island Sports Center
John McGinnis & Co.Kuhn's Market
Marathon - Exxon
Marcegaglia
McCormick & Schmick
Nestle' Usa
O.K. Grocery
Oakland Catholic High School
Parma Sausage Incorporated
Penn Avenue Fish
Pittsburgh Public Schools
Sam's ClubSav A Lot
Shop N Save
Silver Star Meats
Snider Super Foods
Scheider's Dairy
Sparkle Market
Super Valu
Target
The Uncommon Market
Top's Market
Trader Joe's
Trout's Market
U Parc
UPMC - St. Margaret's
Walmart
Whole Foods Market

Today's Special Report is sponsored by
Cam Connections

 

 

 
 

 
 

SUBSCRIBESU  update account      /     FEEDBACK    /      www.downing-downing.com     /     ADVERTISE WITH THE DAILY