| News

Larger text Larger text Smaller text Smaller text | Order Photo Reprints

Hackers likely hit Target 'lottery' through Sharpsburg firm's remote link

Daily Photo Galleries

Friday, Feb. 7, 2014, 4:42 p.m.

For computer hackers, it's like playing the Powerball.

Criminals looking to steal credit card records from a major retailer such as Target will play as many angles as they can, blitzing the company's contractors to find a way inside systems, hacking experts told the Tribune-Review on Friday.

“Really, what attackers are doing is a game of numbers,” said David Brumley, a computer security researcher at Carnegie Mellon University who teaches students to probe companies for security risks. “If they compromise enough individual computers ... one of those will have access to their target computer.”

That appears to be what happened when hackers broke into systems at a Sharpsburg heating and ventilation company, Fazio Mechanical Services Inc., experts said. Owner Ross Fazio said the company is the victim of a “sophisticated cyberattack” being investigated by the Secret Service that could be linked to the theft of credit card information from Target.

Molly Snyder, a spokeswoman for the retailer, declined to comment: “As this is an active and ongoing investigation, we don't have additional details to share at this time.”

It appears intruders used Fazio's remote access to Target's internal network to eventually get access to Target's point-of-sale registers, where they could obtain credit card information, said Nicolas Christin, an electrical and computer engineering professor at Carnegie Mellon.

Fazio said his company had a data connection with Target for electronic billing, contract submission and project management, not to remotely control the heating and cooling system. Founded in Pittsburgh in 1988, the company listed two Target stores in Hilliard, Ohio, and Columbia, Md., among 20 customers on its website. It disabled the page by Friday.

One theory, Christin said, is that the network Fazio used was connected to Target's payment network with links to its registers. That would have allowed the attackers to go from the one system to the other.

“It is not that big of a leap, if everything is connected, which happens more often than you'd think (for cost-savings and convenience reasons),” Christin said.

Breaking into the contractor's system can be as simple as bombarding employees with computer viruses by email or dropping USB drives in the parking lot, where a curious employee might pick it up and plug it into a computer to see what's on it and unleash a virus, Brumley said.

The attackers could have posed as the contractor in order to breach Target's systems, said Martin Lindner, a principal engineer in the CERT division at the Software Engineering Institute at Carnegie Mellon.

The attackers could have taken their time if no one noticed the intrusion, he added.

“There were probably five other stepping stones that took place before they got to the jewels,” he said.

As with disease outbreaks, forensic computer analysts are looking for “patient zero” — in this case, the first computer infected, Brumley said. From there, they will look for the original source.

“I'm sure this is just one of many avenues they're exploring,” Brumley said. “Even if they have backtracked it to Russia, that doesn't mean it originated in Russia. It just means that was as far as they could go.”

Fazio's IT system and security measures are in compliance with industry practices, the owner said, declining to comment on what he described as an ongoing federal investigation into the technical causes of the breach.

“We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive remedies to enhance the security of client/vendor connections,” he said in a statement.

The Tribune-Review's ongoing CyberRattling: The Next Threat series has revealed how hackers need to find just one way inside a victim's computer system, while companies must try to protect every possible gap. A single coding mistake, in the wrong hands, can be an opening to be exploited.

Target has said its customers won't be responsible for any losses.

First Choice Federal Credit Union of New Castle filed a federal lawsuit against Target last month, seeking reimbursement for canceling and reissuing cards for customers and saying it faces potential exposure for fraudulent charges on customers' accounts.

Andrew Conte is a Trib Total Media staff writer. Reach him at 412-320-7835 or

Add Andrew Conte to your Google+ circles.




Show commenting policy

Most-Read Stories

  1. For Steelers outside linebacker Jones, size is not an obstacle
  2. Pirates top Cardinals, 5-2, on Davis’ homer; Alvarez, McCutchen hurt
  3. Steelers notebook: Team cuts 15 players, including LB So’oto, RB Hall
  4. Latrobe law firm’s secretary pleads guilty to income tax evasion
  5. Steelers cornerbacks Allen, Gay, Taylor have something to prove
  6. Dem Wolf eyes shale’s ‘golden egg’ to boost school funding
  7. Indiana County township ‘afraid for the water’ fights waste well
  8. Washington & Jefferson football team is set to make some D-III history
  9. Western Pennsylvania drivers at bottom of insurer’s safety rankings
  10. Pennsylvania investigators get truck to aid in finding child predators
  11. Mystery continues to surround Hill District slaying
Subscribe today! Click here for our subscription offers.