The cybersecurity blogger who broke the news of the massive data breach at Target continues to reveal how the hackers gained access to the retail giant's network.
Sources close to the investigation told Brian Krebs that the exposed consumer financial data of millions of Target shoppers "appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer," Krebs said Wednesday on his blog, Krebs on Security.
Last week, Krebs said the hackers snatched the data using credentials stolen from Fazio Mechanical Services Inc., a refrigeration, heating and air conditioning subcontractor that has worked at a number of Target stores.
The Sharpsburg, Pennsylvania-based company confirmed its link to the breach, saying it was also a victim of a "sophisticated cyber attack."
According to multiple sources close to the investigation, "those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers," Krebs said.
Two of the sources said the hackers used a program called Citadel to steal Fazio's passwords.
Krebs also points out that Fazio did not completely have their guard up against an attack.
The company said last week that its security measures are in full compliance with industry practices. But Krebs says Fazio was using a free version of an anti-malware software, which is not intended for corporate use and does not offer real-time protection against threats.