
Cybersecurity: Online Breaches

Specific Targets

Attacking specific targets

In December 2013, the American retailer Target announced that hackers had stolen data belonging to 40 million customers. The attack had begun in late November and ran for several weeks before it was detected. By the time it was shut down it had compromised more than 110 million accounts, including unencrypted credit and debit card details as well as encrypted PIN data.

By February 2014, American banks had replaced more than 17 million credit and debit cards at a cost of more than $172 million. The amount of fraud linked to the attack is unknown, as is the damage to Target’s reputation.

Target was not the first major retailer to be hit by hackers, but this attack was different from most: the weakness that let the attackers into Target’s computers lay outside the company. The hackers had gained access through computers belonging to one of Target’s heating, ventilation and air conditioning (HVAC) contractors. Like many large organisations, Target allows other companies to connect to its internal networks in order to submit bills and exchange contracts.

The hack appears to have begun when an employee of the HVAC company received an email that seemed to come from one of their trusted partners. In fact, the email was fake and carried malicious software. Unlike traditional spam, this message had been crafted for a very specific audience, the HVAC company. This is what is known as ‘spear phishing’.

Once the email had been opened, the hidden software went to work and retrieved the HVAC company’s credentials for Target’s network, allowing the attackers to log on to their real objective. In a well-designed system, the contractor’s credentials would have confined them to a network segment used only for billing and contracts. But, like a lot of big organisations, Target ran a single, unsegmented network for all of its data, so once inside the attackers could move laterally until they located, and then stole, customer card data.

The Target attack is an example of an advanced persistent threat, delivered through a third party. Rather than attacking the retailer directly, the hackers chose an external supplier that was far less likely to have the resources to detect and defend against an attack. Their spear-phishing email was aimed squarely at that contractor, lulling its staff into a false sense of security and letting the malware harvest the logon credentials needed to attack Target itself.

In 2017, Target paid a settlement of $18,500,000 and agreed to make the following changes to significantly improve its security:

  • Develop and maintain a comprehensive information security program
  • Maintain software and encryption programs to safeguard people’s personal information
  • Separate its cardholder data from the rest of its computer network
  • Rigorously control who has access to the network
  • Regularly bring in an independent and well-qualified third party to conduct regular, comprehensive security assessments of its security measures.
  • Hire an executive officer to run its new security program and serve as a security advisor to the CEO and the board of directors.
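The separation of cardholder data from the rest of the network, listed above, is the control that would have stopped a contractor’s billing credentials from reaching card data. The following added example (not code from the article or from Target) models that idea as a first-match, default-deny network policy and contrasts a flat network with a segmented one. All segments, addresses and port numbers are constructed for illustration and do not describe any real network.

```python
"""Added example (not from the original article): a small first-match,
default-deny network policy model contrasting a flat network with a
segmented one. Segments, addresses and ports are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str             # CIDR the traffic originates from
    dst: str             # CIDR the traffic is destined to
    port: Optional[int]  # destination TCP port, None means any port
    allow: bool


def is_allowed(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> bool:
    """First matching rule wins; no match at all means deny (default deny)."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.allow
    return False


# Constructed segments (hypothetical addressing).
VENDOR_VPN = "10.50.0.0/24"      # where contractor logins land
BILLING = "10.20.0.0/24"         # invoice and contract portal
PAYMENT_SWITCH = "10.10.0.0/24"  # the only system that should reach card data
CARDHOLDER = "10.99.0.0/24"      # point-of-sale and cardholder data environment
ANY = "0.0.0.0/0"

# Weak setting: one flat network, every host can talk to every other host.
FLAT = [Rule(ANY, ANY, None, True)]

# Corrected setting: the vendor segment reaches only the billing portal on 443,
# the cardholder segment is reachable only from the payment switch, and
# everything else falls through to default deny.
SEGMENTED = [
    Rule(VENDOR_VPN, BILLING, 443, True),
    Rule(VENDOR_VPN, ANY, None, False),
    Rule(PAYMENT_SWITCH, CARDHOLDER, 8443, True),
    Rule(ANY, CARDHOLDER, None, False),
]


def contractor_can_reach_billing(rules: List[Rule]) -> bool:
    """A contractor host submitting an invoice over HTTPS."""
    return is_allowed(rules, "10.50.0.17", "10.20.0.10", 443)


def contractor_can_reach_cardholder(rules: List[Rule]) -> bool:
    """The same contractor host trying SMB against a POS system."""
    return is_allowed(rules, "10.50.0.17", "10.99.0.5", 445)


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(f"{name:9} billing={contractor_can_reach_billing(rules)} "
              f"cardholder={contractor_can_reach_cardholder(rules)}")
```

The order of the rules matters: the explicit deny for the vendor segment sits immediately after its single allow, so adding a new allow rule lower down for some other segment cannot accidentally widen what a contractor credential can reach. In a real deployment the same policy would be expressed as firewall or VLAN ACL rules and, ideally, enforced again at the application by checking that the authenticated account belongs to the vendor role.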

You don’t need to be a huge company to be specifically targeted by criminal hackers

An employee responsible for handling the company finances knew that a meeting to finalise the acquisition of another company was in progress. He received an email: ‘Hey, the deal is done. Please wire $8m to this account to finalise the acquisition ASAP. Needs to be done before the end of the day. Thanks.’ The employee saw nothing unusual, sent the funds and ticked the job off his list before heading home. Alarm bells only started to ring when the company being acquired called to ask why it had not received the money. An investigation began: $8m had most definitely been sent, but where to?

The criminal hacker clearly knew of the meeting in progress, most likely by intercepting emails over several days or weeks while looking for an opportunity to strike. For the rest of the report see https://www.bbc.co.uk/news/technology-49857948

Even private individuals have been attacked in this way, and again the most likely method is intercepting emails. That might mean sitting in a car outside the victim’s house and snooping on traffic passing over a home wireless network (WiFi) that has not been password protected, or snooping on the WiFi traffic of a local tradesman or estate agent, waiting for an email showing that an invoice is about to be sent. (This only works when the mail traffic itself is sent unencrypted; more often the attacker simply gains access to one party’s mailbox.) The hacker then sends an identical invoice, but with a different account to receive the payment.
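Both the $8m wire and the swapped invoice share one weakness: the payment instruction was trusted because it looked like it came from the right person. The added example below (not code from the BBC report or from this article) shows the kind of check an accounts team or mail gateway can run on a payment request before money moves: it compares the sender’s domain to a vendor master record, catches look-alike domains and display-name impersonation, flags a Reply-To that points somewhere else, and refuses any bank account that is not already on file. The vendor record, domains, account numbers and both messages are constructed for illustration.

```python
"""Added example (not from the original article): checks a payment-request
email against a vendor master record before any transfer is made.
Vendor record, domains, IBANs and messages are all constructed."""
import difflib
import email
import re
from email.utils import parseaddr
from typing import List, Optional

# Constructed vendor master record: the only source of truth for where
# money may be sent. A change of account must be verified out of band
# (a phone call to a number already on file), never taken from an email.
VENDOR_MASTER = {
    "acme-supply.example": {"contact": "Dana Lee", "iban": "GB29NWBK60161331926819"},
}
TRUSTED_DOMAINS = set(VENDOR_MASTER)
KNOWN_IBANS = {v["iban"] for v in VENDOR_MASTER.values()}

# Loose IBAN shape: country code, two check digits, then 11-30 alphanumerics.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def domain_of(addr: str) -> str:
    """Domain part of an RFC 5322 address, lower-cased."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def lookalike(domain: str, trusted: set) -> Optional[str]:
    """Return the trusted domain this one closely resembles (acme-suply,
    acme-supp1y, ...), or None if it is trusted or clearly unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        if difflib.SequenceMatcher(None, domain, t).ratio() >= 0.8:
            return t
    return None


def check_payment_request(raw: str) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rsplit("@", 1)[-1].lower()

    # 1. Reply-To pointing at a different domain is the classic way to
    #    route the victim's reply to the fraudster instead of the vendor.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"reply-to domain {domain_of(reply_to)} differs from sender domain {from_dom}")

    # 2. Sender domain: trusted, a look-alike of trusted, or unknown.
    near = lookalike(from_dom, TRUSTED_DOMAINS)
    if near:
        findings.append(f"sender domain {from_dom} looks like trusted domain {near}")
    elif from_dom not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {from_dom} is not a known vendor")

    # 3. A known contact's display name on an address at the wrong domain.
    for dom, vendor in VENDOR_MASTER.items():
        if from_name == vendor["contact"] and from_dom != dom:
            findings.append(f"display name '{from_name}' impersonates contact at {dom}")

    # 4. Any account number in the body that is not already on file.
    body = msg.get_payload()
    if isinstance(body, list):  # multipart: inspect only the plain-text parts
        body = "\n".join(p.get_payload() for p in body
                         if p.get_content_type() == "text/plain")
    for iban in IBAN_RE.findall(body):
        if iban not in KNOWN_IBANS:
            findings.append(f"account {iban} does not match vendor master record")
    return findings


# Constructed sample messages.
GENUINE = """\
From: Dana Lee <dana@acme-supply.example>
To: ap@victim.example
Subject: Invoice 4471

Please settle invoice 4471 to GB29NWBK60161331926819 by Friday.
"""

FRAUD = """\
From: Dana Lee <dana@acme-suply.example>
Reply-To: Dana Lee <dana.lee@mail-relay.example>
To: ap@victim.example
Subject: Invoice 4471 - updated bank details

Our account has changed. Please pay GB82WEST12345698765432 today, before end of day.
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("fraud", FRAUD)):
        print(label, check_payment_request(raw) or ["no findings"])
```

The fourth check is the one that matters most: even a perfectly spoofed message from a genuinely compromised vendor mailbox still has to name a new account, and that account will not match the record on file. Treat the other three as supporting signals that explain why a request looked wrong, not as the sole gate.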