⛓ Supply Chain

Target Corporation BlackPOS POS Malware Breach via Fazio Mechanical HVAC Vendor

📅 2013-11-01 🏢 Fazio Mechanical Services (HVAC contractor) / Target vendor portal 🦠 BlackPOS (Kaptoxa) RAM-scraping malware; Citadel malware (on vendor's systems)
Primary Source: KrebsOnSecurity

Incident Details

From KrebsOnSecurity: "Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor…. Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems."

Black Kite timeline context: Data breached: Unknown. Use of third party: Unknown. Third-party company: Third-party vendor.

Technical Details

Initial Attack Vector
Attackers infected employee computers at Fazio Mechanical Services, a Pennsylvania HVAC (heating, ventilation and air conditioning) contractor, with Citadel malware and stole the credentials Fazio used to log in to Target's vendor portal. With those credentials they entered Target's network (on Nov. 15, 2013, according to the primary source), pivoted from the vendor-facing systems to the POS network, and installed BlackPOS RAM-scraping malware, which harvests plaintext card track data from the memory of point-of-sale processes. The practitioner lesson is that a third party's portal login became a path to payment systems: vendor access should be limited to the services the vendor actually needs and kept segmented from the cardholder-data environment.
Vendor / Product
Fazio Mechanical Services (HVAC contractor) / Target vendor portal
Malware Family
BlackPOS (Kaptoxa) RAM-scraping malware; Citadel malware (on vendor's systems)
Supply Chain Attack
✅ Confirmed third-party / vendor compromise
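As an added illustration (not code from this page, the database, or any published BlackPOS analysis), the following Python shows the detection side of RAM scraping: the Track 1/Track 2 magnetic-stripe patterns a scraper like BlackPOS harvests from a POS process's memory are exactly what a memory-scan control should look for, with a Luhn check to discard digit runs that only look like card numbers. The memory buffer, process name, offsets and card numbers are constructed (industry test PANs), and the regexes are generic ISO/IEC 7813 track formats, not BlackPOS's own.

```python
import re
from typing import List, Dict

# Constructed sample of what a POS process's heap might hold while a card is being
# processed: the same plaintext magnetic-stripe track data a RAM scraper harvests.
# Process name, layout and card numbers are made up (Visa/Mastercard test PANs),
# not data from the Target incident.
CONSTRUCTED_MEMORY = (
    b"\x00\x00\x00pos.exe heap\x00"
    + b"4111111111111112=2512101?"                 # Track 2 shaped, but fails Luhn: ignored
    + b"\x00junk\xff\xfe"
    + b"4111111111111111=25121011000012300000?"    # Track 2: PAN=YYMM svc discretionary ?
    + b"\x00" * 8
    + b"%B5500000000000004^DOE/JOHN^25121010000000000000?"  # Track 1: %B PAN ^NAME^ YYMM svc ... ?
    + b"\x00end"
)

# Generic track-format patterns (assumption: ISO/IEC 7813 layout), not BlackPOS's regexes.
TRACK2_RE = re.compile(rb"(\d{13,19})=(\d{4})(\d{3})[0-9A-Za-z]{0,20}\?")
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.\-]{2,26})\^(\d{4})(\d{3})[^?]{0,40}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: filters out digit runs that merely resemble a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits so a finding can be logged without leaking the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> List[Dict]:
    """Return Luhn-valid Track 1/Track 2 findings in a memory buffer, ordered by offset."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan_masked": mask_pan(pan),
                         "expiry": m.group(2).decode("ascii")})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan_masked": mask_pan(pan),
                         "expiry": m.group(3).decode("ascii")})
    return sorted(hits, key=lambda h: h["offset"])


def demo() -> List[Dict]:
    """Scan the constructed buffer; a real control would feed it process memory instead."""
    return scan_buffer(CONSTRUCTED_MEMORY)


if __name__ == "__main__":
    for h in demo():
        print(f"track {h['track']} at offset {h['offset']}: {h['pan_masked']} exp {h['expiry']}")
```

In a real control the buffer comes from the live process (ReadProcessMemory on Windows, /proc/PID/mem on Linux) and the scan runs on a schedule or on process-creation events; the point is that the same pattern match the scraper performs is cheap to run defensively, so plaintext track data lingering in memory, or an unexpected process reading it, can be flagged before it is exfiltrated.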

Timeline

  1. 2013-11-01 Breach window opens (database date; the primary source places the first intrusion into Target's network on 2013-11-15)
  2. 2013-12-19 Target publicly confirms the payment-card breach
  3. 2014-02-09 Third-party (Fazio) vendor link publicly disclosed