We will take a look at the breeching incident that happened
to target between November 27 and December 2013. It so happens that this is the
second biggest credit card theft incident to occur. About 40 million debit and
credit card information where stolen and 70 million personal information. The
target breeching incident can be put into five phases.
Phase One: The initial Infection of Malware
unknown if all of Target’s third-party vendor were targeted in this breach.
However, an HVAC company by the name of Fazio Mechanical was breach because of
their poor security practices. It is believed that one of the employee was a victim
of a successful phishing attempt by the attackers. Many of the anti-malware software
that is on the market today could have alerted to the malware that was
installed in the network. However, Fazio Mechanical was using free anti-malware
software that did not provide real time data. Fazio Mechanical has access to
the business section of target network where the point of sale system is
Phase Two: The infection of the point of sale system
had a poor security where they did not segregate the network. Since Fazio
Mechanical had access to business side of Target’s network the attacker where
able to locate the sensitive data that they where after. The attackers installed
there point of sale malware onto targets network and began their testing of the
malware. The point of sale malware that the attacker used was called BlackPOS.
Phase Three: The collection of credit data
malware act like a RAM scraper. It scans the memory in search of pain-text
credit card information on the point of sales systems. It looks for the card numbers
as the are swiped at the point of sale.
Phase Four: Moving the data
where able to take over three of Target FTP servers which they created their
own back doors to access them. They were careful when choosing usernames and
password so that it did not look suspicious to the network admins. Once the
malware gathered the data it would then encrypt it and send it to compromise
computers. The end goal was to get the data to drop sites in Brazil and Miami.
Phase Five: Making money
attacker collected a total of 11 GB worth of data that they where trying to
sell on the black market. It is known that they where on sale on the black
market because they identified as the credit cards stolen from the Target
of the incident:
September 2013: Attackers compromised Fazio
Mechanical network via a successful phishing attempt. The malware waiting
around until Fazio Mechanical login into Target network via their own
November 15: Now with Fazio Mechanical
credentials the attackers where able to gain access to Target network and began
their test on the POS machines.
November 27: The attacker now began their
mission of collecting data off the POS systems.
November 30: The attacker’s POS malware
was now fully installed into the network, they also installed exfiltration malware.
December 2: The attacker started to move
the information they had gathered out.
December 12: It was not until the DOJ informed
Target about the breach did Target on people go and investigate what happened.
December 15: Target was able to remove
most the malware.
of malware used in the attack:
Citadel Trojan: The trojan was installed
onto the computers of Fazio Mechanical due to a successful phishing attempt. What
citadel does is captures keystrokes and takes screenshots of the screen. The
point of this malware is to obtain login information. According an article on SecurityIntelligence.com
written by Chris Poulin, “While many anti-malware solutions will identify Zeus
and Citadel, the 3rd party had deployed Malwarebytes free edition, which
doesn’t offer real-time protection” (Chris Poulin).
BlackPOS: This type of malware is
installed on to the point of sale systems to look for credit card data. This type
of malware is also known as RAM scraping.
Target had good anti-malware software
that was installed in their network. However, one of the important feature was
turned off that would automatically take care of the malware without the
interaction of the human being. Target had spent about 1.6 million dollars on a
anti-malware software called FireEye. This software actually caught the malware
and issued an alert to the administrators on November 30.
question become, how did the attackers gain access to target point of sales system
to be able to access all their information. It was not known for awhile how the
attackers got in to the system but many people where theorizing that the
attackers got into the network vie a third-party vendor. However, Target did
come clean with stating to reporters that a third-party vendors network
credential had been stolen. Many people have the question on why a third-party
vendor like a HVAC company would need access to Target network. According to
source that krebsonsecurity found states that, “it is common for large retail
operations to have a team that routinely monitors energy consumption and
temperatures in stores to save on costs (particularly at night) and to alert
store managers if temperatures in the stores fluctuate outside of an acceptable
range that could prevent customers from shopping at the store” (krebs). Giving
a third-party vendor access to your network allows for them to update patches
or trouble shooting from there location. Thus, it saves money overall because they
can remote in and not have to be in the premise.
However, the question becomes why did
the third-party vendor have a stronger network. How many vendors does Target give
network credentials to? It is unknown how many vendors the attacker tried to
hack. However, in this case it only took one vendor to give them access to
Targets network. The unfortunate vendor that this happened to was Fazio
Mechanical, which was a refrigeration company that Target used. It seems that Fazio
Mechanical did not have good security practice or a security awareness program
in place, because it took one employee to open a phishing email. Citadel installed
itself into the computer at Fazio Mechanical waiting for the logon credential into
Target. According to Jerome Segura, “Citadel is an offspring of the (too)
popular Zeus crimekit whose main goal is to steal banking credentials by
capturing keystrokes and taking screenshots/videos of victims’ computers”
(Malwarebytes). This issue of phishing emails illustrates the importance
for employee to have the training to be able to identify what a phishing attempt
looks like. According to an article on ZDNet, “At the time of the breach, all
major versions of enterprise anti-malware detected the Citadel malware.
Unsubstantiated sources mentioned Fazio used the free version of Malwarebytes
anti-malware, which offered no real-time protection being an on-demand scanner.
(Note: Malwarebytes anti-malware is highly regarded by experts when used in the
correct manner.)” (Michael Kassner). Fazio Mechanical did have anti-malware
installed but according to the article they may not have been using it correctly.
This illustrates the importance for retailers like Target to ensure that their
third-party vendors that have access to their network have a good anti-malware
software in place.
Affect on the company:
themselves did not lose any information as the attackers where after the information
of credit cards. However, Target image is now tarnished because of the event that
transpired. I knew Chief Information Officer was selected because of the breach.
It said that Target spent more than 100 million dollars to switch to a new
secure chip and PIN system. They are main leader when it comes to all the major
retailers switching to the new type of system. The breach had serious ramification
to the company’s earning. There fourth quarter profits for that year where down
46 percent when compared to profits of the year before. These drop-in earnings
is all thanks to the breach by the attacker kept some customer away from the
store. Meaning that Target was selling less merchandise as their traffic to their
websites and store where down. It is said that Target had spent close to 61
million dollars in expenses related to the hack. They have also been hit with over
90 lawsuits that relate to the breaching incident. Gregg Steinhafel who was the
formal CEO of Target resigned.
has felt the damages from the attack. However, it is the 40 million customers who’s
credit cards where stolen that feel the most pain. They are the ones that must deactivate
their credit cards and order new one. Also, if they use several different cards
whiling shopping at target then they need to deactivate all of them.
The things that I would implement are:
Targets Network Segregation:
know Target did not have proper network segregation, because if they had it the
attacker would not have been able to gain access to the point of sale system that
is found in Targets business side of the network. To address this issue, I
would advise that Target segregate their network keeping a portion of the
network that pertains to sensitive data out of reach. Had Target had proper
segregation of non-sensitive and sensitive data the attacker would not have
been able to access the point of sale systems.
Third-Party Vendor Access
would suggest the vendor that have access to the Network have endpoint
protection. Meaning that they should have a robust anti-malware and Target should
conduct regular audit on their third-party vendor’s IT security systems. As we
know Fazio Mechanical had a free version of Malwarebytes that did not provide
the protection need in prevent the malware from installing. Implement a
verification system that authenticate the vendor who access the system.
Security Awareness Program
Implement a security awareness program where all the third-party vendor with
access to the network must be trained through. In the program I would have all
the end-user know what an attack may look like. I would focus on what social engineer
attack may look like. Also, I would have policies in place that vendors must