The untold story of the Target data breach

Target's (NYSE:TGT) data breach is among the largest to date and has impacted the retailer far beyond the event's scope and moment in time.

The breach impacted the credit card information of 40 million Target shoppers and the personal data of up to 70 million additional customers. It hit at the advent of the all-important holiday shopping season and cost the retailer $148 million to date.

Target identified the point of entry, a third-party vendor, specifically a heating and air conditioning sub-contractor, but there were still unanswered questions that a new report from security provider Aorato attempts to answer.

First, there is what is known.

The infiltrators gained access through stolen HVAC vendor credentials, which were then used to access Target's hosted Web services. Malware was used to steal credit card information from Target's POS terminals. The card numbers were sent to a central repository within Target's network using standard Windows protocols, and that data was then extracted by the hackers.

What is not known, according to the report, The Untold Story of the Target Attack, Step by Step, is how the attackers were able to get from the initial point on the boundary of Target's network to deploying malware at its heart. Nor is it known how the personally identifiable information of 70 million Target shoppers was compromised.

After studying various sources, Aorato uncovered several new pieces of information regarding Target's data breach.

The attackers disguised malicious components as legitimate PHP files and uploaded the files to infiltrate internal systems. They were persistent and were basically hiding in plain sight.

Now the attackers needed proper privileges to access the identified targets, and obtained them by gaining Domain Admin privileges through a Pass-the-Hash attack: impersonating a valid user and reusing that user's assigned token. From there, bogus accounts were created to keep things going.

As for the personally identifiable information stolen from 70 million accounts, Aorato points to PCI compliance as having reduced the incidence of stolen credit card information by more than half. There were a total of 70 million accounts found in Target's system, but cybercriminals only managed to access the credit card information of 40 million of those accounts, thanks to Target being PCI compliant.

Retailers are busily implementing EMV technology to help guard against these types of attacks, but most are not yet compliant and attacks are expected to escalate as we head into the holiday season and near the EMV deadline in 2015.

"The window from the attackers' perspective is closing so they have greater motivation to attack before this change," said Tal Be'ery, VP of research at Aorato, and author of this report. "Retailers should focus on access control."

The attackers took their time and paid frequent visits. Paying attention will go a long way toward prevention. Target admittedly did not act on warnings and could have stopped the attack much sooner than it did.

"Retailers should monitor user lists and see if there are new additions with access permission," said Be'ery. "And monitor the active directory access to see if some station is massively querying. This type of breach has a very loud signature."
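The two checks Be'ery recommends, expressed as detection logic and added here as an example that is not part of the article or the Aorato report. It runs over constructed records: the security events use the standard Windows IDs 4720 (user account created) and 4728 (member added to a security-enabled global group), while the LDAP query records, hostnames and account names are invented for the example.

```python
from collections import Counter
from statistics import median

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample of Windows security events (4720 = user account created,
# 4728 = member added to a security-enabled global group). Names are invented.
SECURITY_EVENTS = [
    {"id": 4720, "subject": "svc-vendor", "target": "tmp-admin01"},
    {"id": 4728, "subject": "svc-vendor", "target": "tmp-admin01", "group": "Domain Admins"},
    {"id": 4720, "subject": "hr-provisioning", "target": "jsmith"},
    {"id": 4728, "subject": "hr-provisioning", "target": "jsmith", "group": "Sales"},
]

# Constructed sample of LDAP query records, one per query, as a directory
# service log might expose them. One workstation enumerates every user object.
LDAP_QUERIES = (
    [{"src": "WS-0412", "filter": "(objectClass=user)"}] * 480
    + [{"src": "WS-0017", "filter": "(sAMAccountName=jsmith)"}] * 6
    + [{"src": "WS-0233", "filter": "(objectClass=computer)"}] * 4
    + [{"src": "DC01-backup", "filter": "(objectClass=*)"}] * 9
)


def new_privileged_accounts(events):
    """Accounts created (4720) and then placed in a privileged group (4728).

    Returns (account, group, actor) tuples in event order; this is the
    'new additions with access permission' check on the user list.
    """
    created = {e["target"] for e in events if e["id"] == 4720}
    return [
        (e["target"], e["group"], e["subject"])
        for e in events
        if e["id"] == 4728 and e["target"] in created and e["group"] in PRIVILEGED_GROUPS
    ]


def mass_query_sources(queries, factor=10):
    """Hosts whose LDAP query volume is >= factor * median of all other hosts.

    A single station enumerating the directory stands far above normal client
    traffic, which is the 'very loud signature' Be'ery describes.
    """
    per_host = Counter(q["src"] for q in queries)
    flagged = []
    for host, n in per_host.items():
        others = [c for h, c in per_host.items() if h != host]
        if others and n >= factor * median(others):
            flagged.append((host, n))
    return sorted(flagged, key=lambda hn: -hn[1])
```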

For more:
- See this Aorato report
