Report: Phishing email started Target data breach

Rows of carts await customers at a Target store in Chicago in 2012. M. Spencer Green/AP

You’ve no doubt received phishing emails, the messages designed to look like a legitimate request from a bank or company for private information. Most of them are so sloppily put together and so obviously fraudulent that you’d have to be a fool to fall for them.

But it only takes one.

And that, Brian Krebs writes on his blog today, is how the huge hack of Target started.

Krebs, who has been miles ahead of anyone else in getting to the bottom of the attack, says an HVAC vendor in Pennsylvania wasn’t putting up much of a fight against email-borne malware. It was using a free version of Malwarebytes Anti-Malware, which doesn’t offer real-time protection.

Krebs also reports today that the hackers started two months before the actual break-in to Target’s servers, by sending malicious emails to Target’s suppliers:

Many readers have questioned why the attackers would have picked on an HVAC firm as a conduit for hacking Target. The answer is that they probably didn’t, at least at first. Many of these email malware attacks start with shotgun attacks that blast out email far and wide; only after the attackers have had time to comb through the victim list for interesting targets do they begin to separate the wheat from the chaff.

But Target may have inadvertently made it easier for the attackers in this case, in part by leaving massive amounts of internal documentation for vendors on its various public-facing Web properties that do not require a login. Indeed, many of these documents would be a potential gold mine of information for an attacker.

Here’s an example that just happens to be somewhat specific to HVAC vendors: A simple Google search turns up Target’s Supplier Portal, which includes a wealth of information for new and existing vendors and suppliers about how to interact with the company, submit invoices, etc. That page leads to a separate page of information on Target Facilities Management, which includes a slew of instructions on submitting work orders. That page also includes a link to another set of resources: A Supplier Downloads page that, oddly enough, is little more than a long list of resources for HVAC & refrigeration companies.

With that information, Krebs says, the hackers could have pieced together the layout of Target’s internal Windows domains.

He also says the breach probably occurred at Target’s Brooklyn Park technology center.

It was, of course, a brazen, complicated, costly attack. But it appears it couldn’t have happened without somebody opening a single phony email.