Hackers likely hit Target ‘lottery’ through Sharpsburg firm’s remote link

For computer hackers, it’s like playing the Powerball.

Criminals looking to steal credit card records from a major retailer such as Target will play as many angles as they can, blitzing the company’s contractors to find a way inside systems, hacking experts told the Tribune-Review on Friday.

“Really, what attackers are doing is a game of numbers,” said David Brumley, a computer security researcher at Carnegie Mellon University who teaches students to probe companies for security risks. “If they compromise enough individual computers … one of those will have access to their target computer.”

That appears to be what happened when hackers broke into systems at a Sharpsburg heating and ventilation company, Fazio Mechanical Services Inc., experts said. Owner Ross Fazio said the company is the victim of a “sophisticated cyberattack” being investigated by the Secret Service that could be linked to the theft of credit card information from Target.

Molly Snyder, a spokeswoman for the retailer, declined to comment: “As this is an active and ongoing investigation, we don’t have additional details to share at this time.”

It appears intruders used Fazio’s remote access to Target’s internal network to eventually get access to Target’s point-of-sale registers, where they could obtain credit card information, said Nicolas Christin, an electrical and computer engineering professor at Carnegie Mellon.

Fazio said his company had a data connection with Target for electronic billing, contract submission and project management, not to remotely control the heating and cooling system. Founded in Pittsburgh in 1988, the company listed two Target stores in Hilliard, Ohio, and Columbia, Md., among 20 customers on its website. It disabled the page by Friday.

One theory, Christin said, is that the network Fazio used was connected to Target’s payment network with links to its registers. That would have allowed the attackers to go from the one system to the other.

“It is not that big of a leap, if everything is connected, which happens more often than you’d think (for cost-savings and convenience reasons),” Christin said.

Breaking into the contractor’s system can be as simple as bombarding employees with computer viruses by email or dropping USB drives in the parking lot, where a curious employee might pick one up, plug it into a computer to see what’s on it and unleash a virus, Brumley said.

The attackers could have posed as the contractor in order to breach Target’s systems, said Martin Lindner, a principal engineer in the CERT division at the Software Engineering Institute at Carnegie Mellon.

The attackers could have taken their time if no one noticed the intrusion, he added.

“There were probably five other stepping stones that took place before they got to the jewels,” he said.

As with disease outbreaks, forensic computer analysts are looking for “patient zero” — in this case, the first computer infected, Brumley said. From there, they will look for the original source.

“I’m sure this is just one of many avenues they’re exploring,” Brumley said. “Even if they have backtracked it to Russia, that doesn’t mean it originated in Russia. It just means that was as far as they could go.”

Fazio’s IT system and security measures are in compliance with industry practices, the owner said, declining to comment on what he described as an ongoing federal investigation into the technical causes of the breach.

“We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive remedies to enhance the security of client/vendor connections,” he said in a statement.

The Tribune-Review’s ongoing CyberRattling: The Next Threat series has revealed how hackers need to find just one way inside a victim’s computer system, while companies must try to protect every possible gap. A single coding mistake, in the wrong hands, can be an opening to be exploited.

Target has said its customers won’t be responsible for any losses.

First Choice Federal Credit Union of New Castle filed a federal lawsuit against Target last month, seeking reimbursement for canceling and reissuing cards for customers and saying it faces potential exposure for fraudulent charges on customers’ accounts.

Andrew Conte is a Trib Total Media staff writer. Reach him at 412-320-7835.
