Hackers likely hit Target ‘lottery’ through Sharpsburg firm’s remote link
For computer hackers, it’s like playing the Powerball.
Criminals looking to steal credit card records from a major retailer such as Target will play as many angles as they can, blitzing the company’s contractors to find a way inside systems, hacking experts told the Tribune-Review on Friday.
“Really, what attackers are doing is a game of numbers,” said David Brumley, a computer security researcher at Carnegie Mellon University who teaches students to probe companies for security risks. “If they compromise enough individual computers … one of those will have access to their target computer.”
That appears to be what happened when hackers broke into systems at a Sharpsburg heating and ventilation company, Fazio Mechanical Services Inc., experts said. Owner Ross Fazio said the company is the victim of a “sophisticated cyberattack” being investigated by the Secret Service that could be linked to the theft of credit card information from Target.
Molly Snyder, a spokeswoman for the retailer, declined to comment: “As this is an active and ongoing investigation, we don’t have additional details to share at this time.”
It appears intruders used Fazio’s remote access to Target’s internal network to eventually get access to Target’s point-of-sale registers, where they could obtain credit card information, said Nicolas Christin, an electrical and computer engineering professor at Carnegie Mellon.
Fazio said his company had a data connection with Target for electronic billing, contract submission and project management, not to remotely control the heating and cooling system. Founded in Pittsburgh in 1988, the company listed two Target stores in Hilliard, Ohio, and Columbia, Md., among 20 customers on its website. It disabled the page by Friday.
One theory, Christin said, is that the network Fazio used was connected to Target’s payment network with links to its registers. That would have allowed the attackers to go from the one system to the other.
“It is not that big of a leap, if everything is connected, which happens more often than you’d think (for cost-savings and convenience reasons),” Christin said.
Breaking into the contractor’s system can be as simple as bombarding employees with computer viruses by email or dropping USB drives in the parking lot, where a curious employee might pick one up and plug it into a computer to see what’s on it, unleashing a virus, Brumley said.
The attackers could have posed as the contractor in order to breach Target’s systems, said Martin Lindner, a principal engineer in the CERT division at the Software Engineering Institute at Carnegie Mellon.
The attackers could have taken their time if no one noticed the intrusion, he added.
“There were probably five other stepping stones that took place before they got to the jewels,” he said.
As with disease outbreaks, forensic computer analysts are looking for “patient zero” — in this case, the first computer infected, Brumley said. From there, they will look for the original source.
“I’m sure this is just one of many avenues they’re exploring,” Brumley said. “Even if they have backtracked it to Russia, that doesn’t mean it originated in Russia. It just means that was as far as they could go.”
Fazio’s IT system and security measures are in compliance with industry practices, the owner said, declining to comment on what he described as an ongoing federal investigation into the technical causes of the breach.
“We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive remedies to enhance the security of client/vendor connections,” he said in a statement.
The Tribune-Review’s ongoing CyberRattling: The Next Threat series has revealed how hackers need to find just one way inside a victim’s computer system, while companies must try to protect every possible gap. A single coding mistake, in the wrong hands, can be an opening to be exploited.
Target has said its customers won’t be responsible for any losses.
First Choice Federal Credit Union of New Castle filed a federal lawsuit against Target last month, seeking reimbursement for canceling and reissuing cards for customers and saying it faces potential exposure for fraudulent charges on customers’ accounts.
Andrew Conte is a Trib Total Media staff writer. Reach him at 412-320-7835.