The vendor was using the free version of Malwarebytes Anti-Malware to protect its systems

Feb 13, 2014 08:06 GMT

More details have surfaced regarding the recent Target breach in which the personal details of as many as 110 million people have been compromised. It appears the attackers gained access to the systems of HVAC company Fazio Mechanical Services by sending them an email that had a piece of malware attached to it.

People involved in the Target breach investigation have told Brian Krebs that the cybercriminals sent out an email that was carrying the information-stealing Trojan Citadel. It’s worth noting that Citadel is the main suspect, but no one has been able to confirm that this piece of malware is the culprit.

Once the malware infected Fazio’s systems, the cybercriminals leveraged it to gain access to Target’s networks via the data connection between the retailer and the vendor.

According to Fazio, the data connection is used for billing, contract submission and project management. While this type of connection shouldn’t have given attackers access to POS terminals, a former member of Target’s security team has a theory on how this may have happened.

For billing, Target uses a system called Ariba. For most internal applications, Target administrators use Active Directory (AD), and it’s possible that they’ve used AD credentials for Ariba’s back end as well. If AD credentials were indeed in use there, that would explain how the attackers could reach other machines on the corporate network.

In a statement published last week, Fazio claimed that it was in full compliance with industry practices at the time of the attack. However, sources said the company was actually using the free version of Malwarebytes Anti-Malware to protect computers.

Malwarebytes Anti-Malware Free is a good tool, but unlike the Pro variant, it doesn’t offer any real-time protection. Furthermore, the application is meant for home users, not companies (use by corporations is actually prohibited by the license).

There are two plausible theories. The attackers might have targeted Fazio at random and at some point realized that the company could give them access to Target’s systems.

Another plausible scenario is that the cybercriminals gathered publicly available data from Target’s website to find a firm they could use as an attack vector.