The D-D Daily Special Edition

February 6, 2014


Our Mission--To Educate, Inform, and Instill a Sense of Community
The LP industry's interactive daily e-mail column where YOU can make postings

Special Report
 

Target hackers broke in via...an HVAC company?! Do they have your passwords and login?  Target hackers first broke into the retailer's system by using network credentials stolen from Fazio Mechanical Services, a refrigeration and HVAC systems provider, sources told security news and investigation website KrebsonSecurity.com. Last week, Target said that the initial intrusion into its systems was traced back to network credentials that were stolen from a third-party vendor. According to Fazio Mechanical's website, the company has also done refrigeration and HVAC projects for specific Trader Joe's, Whole Foods and BJ's Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West Virginia. (Source cnbc.com)

Target Hackers Broke in Via HVAC Company
Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.

Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.

Fazio president Ross Fazio confirmed that the U.S. Secret Service visited his company’s offices in connection with the Target investigation, but said he was not present when the visit occurred. Fazio Vice President Daniel Mitsch declined to answer questions about the visit. According to the company’s homepage, Fazio Mechanical also has done refrigeration and HVAC projects for specific Trader Joe’s, Whole Foods and BJ’s Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West Virginia.

It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.

“To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software,” the source said. “This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.”

Investigators also shared additional details about the timeline of the breach and how the attackers moved stolen data off of Target’s network.

Sources said that between Nov. 15 and Nov. 28 (Thanksgiving and the day before Black Friday), the attackers succeeded in uploading their card-stealing malicious software to a small number of cash registers within Target stores. Those same sources said the attackers used this time to test that their point-of-sale malware was working as designed.

By the end of the month — just two days later — the intruders had pushed their malware to a majority of Target’s point-of-sale devices, and were actively collecting card records from live customer transactions, investigators told this reporter. Target has said that the breach exposed approximately 40 million debit and credit card accounts between Nov. 27 and Dec. 15, 2013.

That's an 11-day spread between Nov. 15 and Nov. 27 during which Target had no idea the attackers were already in.

The data they stole wasn't sent directly to locations in Russia. Instead, the attackers used "drop" locations on servers they had hacked: one belonging to a business in Miami and another in Brazil. The U.S. is requesting legal assistance from Brazilian authorities to gain access to the Target data on that server.

Current PCI standards do not require organizations to maintain separate networks for payment and non-payment operations; they do, however, require merchants to use two-factor authentication for remote network access originating from outside the network, including access by vendors for support or maintenance. So will Target be liable for failing to adhere to payment card security standards, a failure that can come with hefty fines?
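The two control gaps the report points at (vendor remote access that is not cordoned off from the payment network, and remote access without two-factor authentication) can be checked mechanically against a network-zone model. The following is an added example, not code from the D-D Daily, KrebsOnSecurity or any Target or Fazio system; the zone names, allowed flows and vendor accounts are constructed for illustration. It contrasts a flat layout, where a vendor VPN lands on a corporate network that can reach the point-of-sale segment, with a segmented layout where the vendor lands on a jump host that can only reach the building-management (HVAC) segment, and it flags remote entries that lack MFA.

```python
"""
Added example: audit a constructed zone model for (a) any path from a
third-party remote-access zone into the cardholder data environment (CDE)
and (b) remote-access entries that do not require two-factor authentication.
All zone names, flows and accounts below are constructed, not real data.
"""
from collections import deque

# Constructed allowed-flow graph: zone -> zones it may initiate connections to.
# Weak layout: the vendor VPN terminates on a flat corporate network that
# can also reach the point-of-sale / cardholder data segment.
FLAT_NETWORK = {
    "vendor_vpn": {"corporate"},
    "corporate": {"hvac_bms", "pos_cde"},
    "hvac_bms": set(),
    "pos_cde": set(),
}

# Hardened layout: the vendor VPN terminates on a dedicated jump zone that is
# only permitted to reach the building-management (HVAC) segment; nothing
# reachable from the vendor entry point can initiate connections to the CDE.
SEGMENTED_NETWORK = {
    "vendor_vpn": {"vendor_jump"},
    "vendor_jump": {"hvac_bms"},
    "corporate": {"hvac_bms"},
    "hvac_bms": set(),
    "pos_cde": set(),
}


def find_path(graph, start, goal):
    """Shortest allowed-flow path from start to goal (BFS), or None if unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == goal:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for nxt in graph.get(zone, ()):
            if nxt not in parent:
                parent[nxt] = zone
                queue.append(nxt)
    return None


def audit_segmentation(graph, external_zones=("vendor_vpn",), cde="pos_cde"):
    """Return (zone, witnessing path) for each external zone that can reach the CDE."""
    findings = []
    for zone in external_zones:
        path = find_path(graph, zone, cde)
        if path:
            findings.append((zone, path))
    return findings


# Constructed remote-access entries: who comes in, where they land, with what auth.
WEAK_REMOTE_ACCESS = [
    {"account": "vendor-hvac-svc", "zone": "vendor_vpn", "mfa": False},
    {"account": "ops-oncall", "zone": "vendor_vpn", "mfa": True},
]
HARDENED_REMOTE_ACCESS = [
    {"account": "vendor-hvac-svc", "zone": "vendor_vpn", "mfa": True},
    {"account": "ops-oncall", "zone": "vendor_vpn", "mfa": True},
]


def audit_remote_access(entries):
    """Return accounts whose remote entry point does not enforce two-factor auth."""
    return [e["account"] for e in entries if not e["mfa"]]


def audit(graph, entries):
    """Combine both checks into a list of human-readable findings (empty = clean)."""
    findings = []
    for zone, path in audit_segmentation(graph):
        findings.append(f"CDE reachable from {zone}: {' -> '.join(path)}")
    for account in audit_remote_access(entries):
        findings.append(f"remote access without MFA: {account}")
    return findings


if __name__ == "__main__":
    for label, graph, entries in (
        ("flat", FLAT_NETWORK, WEAK_REMOTE_ACCESS),
        ("segmented", SEGMENTED_NETWORK, HARDENED_REMOTE_ACCESS),
    ):
        print(label, audit(graph, entries) or ["no findings"])
```

Run against the flat model the audit reports one reachability path into the CDE and one account without MFA; against the segmented model it reports nothing. In practice the graph would be generated from firewall or ACL exports rather than typed by hand, and the check belongs in a change-control pipeline so a new rule that opens a vendor-to-CDE path is caught before it ships.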

Target may be able to cover some of those costs through a mesh network of business insurance claims. According to a Jan. 19 story at businessinsurance.com, Target has at least $100 million of cyber insurance and $65 million of directors and officers liability coverage. (Source krebsonsecurity.com)

U.S. Secret Service visits refrigeration company in Target probe  The U.S. Secret Service visited the office of a Pennsylvania-based refrigeration contractor, Fazio Mechanical Services, in connection with an investigation of the Target Corp consumer data breach, a spokesman for the agency said on Wednesday. Fazio is the largest refrigeration contractor in the Western Pennsylvania region, and Target is one of its clients, according to the Sharpsburg-based company's website. A law enforcement source told Reuters that evidence suggests the hackers stole login credentials from Fazio and may have used the credentials to break into Target's network. The source added, however, that investigators were not sure that this was what happened, and it was possible the hackers used other ways to breach Target's network. Representatives for Fazio could not be reached for comment. (Source chicagotribune.com)

Today's Google search of the Fazio Mechanical Services website shows "Bandwidth Limit Exceeded": The server is temporarily unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later.

Google search shows Fazio Mechanical Services as "Supermarket Refrigeration System Design / Energy Reduction". Are they in your supermarket?

Yesterday's Search Showed the following Screen Shot

Client List - Screen Shot Below

Air Liquide
Aldi, Inc.
Allegheny Cold Storage
American Beverage Corp.
Bilo
BJ's Wholesale Club
Bottom Dollar
Cardinal Health
Central Catholic School
Community Market
Costco
Dairy Farmers Of America
Dave & Busters
Delallo's
Denny's
Dyno Nobel Inc.
East End Co-op
Farmer Jones
Fisher Foods
Food Lion
Get Go
Giant Eagle
Goodwill
Greater Pittsburgh Food Bank
Home City Ice
Island Sports Center
John McGinnis & Co.
Kuhn's Market
Marathon - Exxon
Marcegaglia
McCormick & Schmick
Nestlé USA
O.K. Grocery
Oakland Catholic High School
Parma Sausage Incorporated
Penn Avenue Fish
Pittsburgh Public Schools
Sam's Club
Sav A Lot
Shop N Save
Silver Star Meats
Snider Super Foods
Scheider's Dairy
Sparkle Market
Super Valu
Target
The Uncommon Market
Top's Market
Trader Joe's
Trout's Market
U Parc
UPMC - St. Margaret's
Walmart
Whole Foods Market

www.downing-downing.com
