Intrepid security investigator Brian Krebs has reported that sources close to the Target investigation have discovered… “exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer“.
Last week, KrebsOnSecurity reported that investigators believe the source of the Target intrusion traces back to network credentials which Target had issued to Fazio Mechanical, a heating, air conditioning and refrigeration firm in Sharpsburg, Pa. Investigators have now discovered that Fazio Mechanical’s primary method of detecting malicious software on its internal systems was the free version of Malwarebytes Anti-Malware, which, of course, does not include any sort of real time protection.
There is no question that, like Target, Fazio Mechanical was the victim of cybercrime. But investigators close to the case took issue with Fazio’s claim that it was in full compliance with industry practices, and offered another explanation of why it took the Fazio so long to detect the email malware infection: The company’s primary method of detecting malicious software on its internal systems was the free version of Malwarebytes Anti-Malware.
I wonder when these companies are going to start taking the security of consumer information seriously? Hopefully, any punitive measures handed down at the end of this investigation will be of a serious enough nature to make other companies sit up and take notice.
- Brian’s enlightening report goes into a lot more detail, you can read it in full here: Email Attack on Vendor Set Up Breach at Target