Target hackers broke in via...an HVAC company?! Do they have your passwords and
login? Target hackers first broke into the retailer's system by
using network credentials stolen from Fazio Mechanical Services, a
refrigeration and HVAC systems provider, sources told security news and
investigation website KrebsonSecurity.com. Last week, Target said that the
initial intrusion into its systems was traced back to network credentials that
were stolen from a third-party vendor. According to Fazio Mechanical's website,
the company has also has done refrigeration and HVAC projects for specific
Trader Joe's, Whole Foods and BJ's Wholesale Club locations in Pennsylvania,
Maryland, Ohio, Virginia and West Virginia. (Source
Target Hackers Broke in Via HVAC Company
Sources now tell KrebsOnSecurity that the vendor in question was a
refrigeration, heating and air conditioning subcontractor that has worked at a
number of locations at Target and other top retailers.
Sources close to the investigation said the attackers first broke into the
retailer’s network on Nov. 15, 2013 using network credentials stolen from
Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration
and HVAC systems.
Fazio president Ross Fazio confirmed that the U.S. Secret Service visited his
company’s offices in connection with the Target investigation, but said he was
not present when the visit occurred. Fazio Vice President Daniel Mitsch declined
to answer questions about the visit. According to the company’s homepage, Fazio
Mechanical also has done refrigeration and HVAC projects for specific Trader
Joe’s, Whole Foods and BJ’s Wholesale Club locations in Pennsylvania, Maryland,
Ohio, Virginia and West Virginia.
It’s not immediately clear why Target would have given an HVAC company external
network access, or why that access would not be cordoned off from Target’s
payment system network. But according to a cybersecurity expert at a large
retailer who asked not to be named because he did not have permission to speak
on the record, it is common for large retail operations to have a team that
routinely monitors energy consumption and temperatures in stores to save on
costs (particularly at night) and to alert store managers if temperatures in
the stores fluctuate outside of an acceptable range that could prevent customers
from shopping at the store.
“To support this solution, vendors need to be able to remote into the system
in order to do maintenance (updates, patches, etc.) or to troubleshoot
glitches and connectivity issues with the software,” the source said. “This
feeds into the topic of cost savings, with so many solutions in a given
organization. And to save on head count, it is sometimes beneficial to allow a
vendor to support versus train or hire extra people.”
Investigators also shared additional details about the timeline of the breach
and how the attackers moved stolen data off of Target’s network.
Sources said that between Nov. 15 and Nov. 28 (Thanksgiving and the day
before Black Friday), the attackers succeeded in uploading their card-stealing
malicious software to a small number of cash registers within Target stores.
Those same sources said the attackers used this time to test that their
point-of-sale malware was working as designed.
By the end of the month — just two days later — the intruders had pushed their
malware to a majority of Target’s point-of-sale devices, and were actively
collecting card records from live customer transactions, investigators told this
reporter. Target has said that the breach exposed approximately 40 million
debit and credit card accounts between Nov. 27 and Dec. 15, 2013.
That's an 11 day spread between Nov. 15th and Nov. 27th where Target had no
idea they were already in.
The data they stole wasn't sent directly to locations in Russia. Instead they
used "drop" locations on servers they had hacked. One belonging to a business in
Miami and another in Brazil. The U.S. is requesting legal assistance from
Brazilian authorities to gain access to the Target data on that server.
Current PCI standards do not require organizations to maintain separate networks
for payment and non-payment operations however it does require merchants to
incorporate two-factor authentication for remote network access coming from
outside the network including vendors for support or maintenance. So will
Target be liable for failing to adhere to payment card security standards that
can come with hefty fines?
Target may be able to cover some of those costs through a mesh network of
business insurance claims. According to a
Jan. 19 story at businessinsurance.com, Target has at least $100 million of
cyber insurance and $65 million of directors and officers liability coverage.
U.S. Secret Service visits refrigeration company in Target probe
The U.S. Secret Service visited the office of a Pennsylvania-based refrigeration
contractor, Fazio Mechanical Services, in connection with an investigation of
the Target Corp consumer data breach, a spokesman for the agency said on
Wednesday. Fazio is the largest refrigeration contractor in the Western
Pennsylvania region, and Target is one of its clients, according to the
Sharpsburg-based company's website. A law enforcement source told Reuters that
evidence suggests the hackers stole login credentials from Fazio and may have
used the credentials to break into Target's network. The source added, however,
that investigators were not sure that this was what happened, and it was
possible the hackers used other ways to breach Target's network. Representatives
for Fazio could not be reached for comment. (Source
Today's Google search of Fazio Mechanical Services website shows - "Bandwidth
Limit Exceeded" The server is temporarily unable to service your
request due to the site owner reaching his/her bandwidth limit. Please try again
Google search shows Fazio Mechanical Services as Supermarket Refrigeration
System Design/ Energy Reduction Are they in your supermarket?
Yesterday's Search Showed the following Screen
Client List - Screen Shot Below
Allegheny Cold Storage
American Beverage Corp.
BJ's Wholesale Club
Central Catholic School
Dairy Farmers Of America
Dave & Busters
Dyno Nobel Inc.
East End Co-op
Greater Pittsburgh Food Bank
Home City Ice
Island Sports Center
John McGinnis & Co.Kuhn's Market
Marathon - Exxon
McCormick & Schmick
Oakland Catholic High School
Parma Sausage Incorporated
|Penn Avenue Fish
Pittsburgh Public Schools
Sam's ClubSav A Lot
Shop N Save
Silver Star Meats
Snider Super Foods
The Uncommon Market
UPMC - St. Margaret's
Whole Foods Market
Today's Special Report is sponsored by