A phishing email carrying a widely used and dangerous bot was reportedly used to initiate the breach of US Target stores that exposed the credit card and personal data of more than 110 million customers.
The email was sent to Fazio Mechanical Services, which had installed heating, ventilation and air conditioning (HVAC) in Target shops, in order to steal log-in credentials used by third parties to access Target's contractor services portal.
Third parties could log into the Ariba billing system to collect payments and also had access to the Partners contract management and the Property Development Zone portals.
KrebsOnSecurity reported that staff at the contractor activated the sophisticated Citadel malware, which gave the attackers access to the server hosting the Target portal.
From there, attackers could have broken into the wider Target network by exploiting administrative credentials that were used to manage Ariba's Active Directory server, a former Target security source told Krebs.
With access to Target servers, the hackers deployed what was thought to be the BlackPOS RAM-scraping malware between November 15 and 28 to steal payment card details while they were held unencrypted in memory.
Security expert Scot Terban said the attack and exploitation cycle was well considered.
"[Attackers] seem to have a sense of hierarchy and military ethos that I can see fits well into a criminal league who use APT (Advanced Persistent Threat) techniques to get into systems, exploit them, and then keep the persistence as long as possible as they exfiltrate their desired data," Terban said.
"That these guys also seem rather blatant about their sites and their actions only seems to be an exceedingly large case of hubris that may eventually get them in trouble."
Valuable metadata stored within public documents intended for Target contractors revealed information useful for planning the attacks, including a staff username and a Windows domain name.
Public tools such as Maltego could have helped attackers in what appears to be comprehensive planning and open source intelligence gathering ahead of the Target attack.
"All of this data could well be used to set up phishing campaigns for any and all vendors found in hopes that the criminals would be able to gather access credentials," Terban said.
Contractors were prime targets because they often have access to an organisation's network yet operate to lower security standards.
To mitigate this exposure, organisations should maintain tight access controls on contractor portals and log and monitor contractor activity, Ben Robson, Melbourne-based director of operations at IPSEC, said last week.
"In [the Target] case they needed proper logging, audit trail and packet capture," Robson said. "Organisations need to ... let contractors know in no uncertain terms that they are monitoring them."
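As an added example (not from the article or from any of the companies named in it), the monitoring Robson describes can be made concrete as a rule over constructed portal and directory authentication logs: a contractor account should only ever authenticate to the portals it is entitled to use, so any authentication attempt from such an account against another host, or use of one account from several source addresses, is flagged. Account names, host names, group names and the log format are assumptions.

```python
"""Flag third-party (contractor) accounts authenticating outside their entitled portals.
Constructed example: accounts, hosts, groups and log format are assumptions, not any
company's real systems."""
import csv
import io
from collections import defaultdict

# Allow-list: hosts each contractor group may authenticate to (assumption).
CONTRACTOR_SCOPE = {
    "hvac-vendors": {"ariba-portal", "partners-portal", "pdz-portal"},
}

# Constructed audit log. Columns: timestamp,user,group,src_ip,dest_host,result
SAMPLE_LOG = """\
2013-11-15T09:02:11Z,vendor.tech,hvac-vendors,203.0.113.7,ariba-portal,success
2013-11-15T09:05:43Z,vendor.tech,hvac-vendors,203.0.113.7,partners-portal,success
2013-11-15T22:41:02Z,vendor.tech,hvac-vendors,198.51.100.23,ariba-portal,success
2013-11-15T22:44:19Z,vendor.tech,hvac-vendors,198.51.100.23,dc01.corp,success
2013-11-16T01:10:00Z,vendor.tech,hvac-vendors,198.51.100.23,pos-mgmt01,failure
2013-11-16T08:00:00Z,alice,employees,10.0.0.5,dc01.corp,success
"""


def parse_events(text):
    """Parse the CSV audit log into a list of dicts, skipping blank lines."""
    fields = ["ts", "user", "group", "src_ip", "dest_host", "result"]
    return [dict(zip(fields, row)) for row in csv.reader(io.StringIO(text)) if row]


def find_alerts(events, max_src_ips=1):
    """Return (kind, user, detail) tuples for contractor accounts that authenticate
    (successfully or not) to hosts outside their scope, or from too many addresses."""
    alerts = []
    sources = defaultdict(set)
    for e in events:
        scope = CONTRACTOR_SCOPE.get(e["group"])
        if scope is None:
            continue  # not a contractor account; other rules would apply
        sources[e["user"]].add(e["src_ip"])
        if e["dest_host"] not in scope:
            alerts.append(("out_of_scope", e["user"],
                           f'{e["ts"]} {e["dest_host"]} ({e["result"]})'))
    for user, addrs in sources.items():
        if len(addrs) > max_src_ips:
            alerts.append(("multiple_sources", user, ",".join(sorted(addrs))))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in find_alerts(parse_events(SAMPLE_LOG)):
        print(f"{kind:17} {user:12} {detail}")
```

Failed attempts are kept on purpose: a contractor credential probing a domain controller or a POS management host is worth an alert whether or not the login succeeded.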