The Target breach was made possible by a refrigeration, heating and air conditioning subcontractor who worked at several branches.
After it emerged that the initial intrusion relied on network credentials stolen from a third-party vendor, security blogger Brian Krebs reported that the attackers first broke into the retailer’s network on November 15th 2013 using network credentials stolen from Fazio Mechanical Services, a Pennsylvania provider of refrigeration and HVAC systems.
According to investigators, the intrusion occurred between November 15th and 18th, Thanksgiving and the day before Black Friday. The attackers succeeded in uploading their card-stealing malware to a small number of cash registers within Target stores. According to sources, they also used this time to test the point-of-sale malware.
By the end of the month — just two days later — the intruders had pushed their malware to a majority of Target’s point-of-sale devices and were actively collecting card records from live customer transactions.
Fazio Mechanical Services did not issue a comment, and at the time of writing its website is inaccessible. Fazio Mechanical Services president Ross Fazio did confirm that the US Secret Service had visited his company.
Target spokeswoman Molly Snyder said the company had no additional information to share, citing a “very active and ongoing investigation.”
John Bumgarner, CTO at US Cyber Consequences Unit, said via his Twitter account that, based on Fazio’s website, the company installed systems at only two Target stores, in Hilliard, Ohio and Columbia, Maryland.