At this point, we can be fairly certain that phishing was involved in one of the largest data breaches in US history. Krebs was on the case and reported earlier this month that cyber thieves had phished a company that was doing HVAC work for Target. Of course, this is an ongoing investigation and the usual caveats apply, but it looks like an employee of a contractor received an email and was tricked into downloading malware. The hackers were then able to access the retailer’s main network from the vendor’s own internal network.
Why a company that does heating maintenance work would have network access that would ultimately allow hackers to exploit POS machines and servers is better explained in other places. But one overlooked aspect of this incident is how thorough the hackers were in their preliminary surveillance, which depended heavily on scanning publicly available files.
Krebs points to evidence that the cyber thieves picked up important clues about their victim’s internal network structure from files, specifically file metadata, found in a part of Target’s web domain dedicated to vendors. In this special subdomain, contractors and, as we now know, determined hackers could find all kinds of documents on how to submit invoices and work orders, along with other administrative information.
In effect, there’s a trove of data about internal bureaucratic procedures that’s Google-able!
There’s nothing at this point to suggest that hackers learned vital details used in the attack from the file contents themselves—although I strongly suspect the documents are now being carefully reviewed.
Krebs was able to download a bunch of Excel spreadsheets and, by scanning for file properties—metadata that’s contained in all MS Office documents—was able to learn that one of the sheets was last printed to a device whose Active Directory name started with the letters “TTC”.
Krebs then shows that these initials are used as part of Target’s overall network resource naming convention. Wow! So the hackers may have been able to take some good guesses, based on the metadata, on which areas of the network were more target rich—so to speak.
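As an added illustration (not from Krebs or the original post), here is a Python check a defender could run over documents before publishing them to a vendor portal: it reads the Office Open XML document properties and the Excel printer-settings part (assumed here to begin with a Windows DEVMODEW structure, whose first field is the device name) and reports the author, company, last-printed and printer/UNC values that would reveal internal naming. The sample file is constructed in memory and its names are placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

WATCHED = ('creator', 'lastModifiedBy', 'lastPrinted', 'Company', 'Manager')


def build_sample() -> bytes:
    """Constructed sample: a minimal .xlsx-style zip carrying the metadata parts a real
    Office file has. All names and dates are placeholders, not from any real document."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
            'metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:creator>jdoe</dc:creator><cp:lastModifiedBy>EXAMPLE\\jdoe</cp:lastModifiedBy>'
            '<cp:lastPrinted>2013-11-20T15:02:00Z</cp:lastPrinted></cp:coreProperties>')
    app = ('<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/'
           'extended-properties"><Company>Example Corp</Company></Properties>')
    # DEVMODEW starts with dmDeviceName: 32 UTF-16LE characters, NUL padded.
    devmode = '\\\\EXAMPLE-PRT01\\Finance'.encode('utf-16-le').ljust(64, b'\x00') + b'\x00' * 100
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr('docProps/core.xml', core)
        z.writestr('docProps/app.xml', app)
        z.writestr('xl/printerSettings/printerSettings1.bin', devmode)
    return buf.getvalue()


def audit_office_metadata(data: bytes) -> dict:
    """Return the identifying metadata an Office Open XML file would expose if published."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for part in ('docProps/core.xml', 'docProps/app.xml'):
            if part in names:
                for el in ET.fromstring(z.read(part)).iter():
                    tag = el.tag.split('}')[-1]          # drop the XML namespace
                    if tag in WATCHED and el.text:
                        found[tag] = el.text
        for name in names:
            if name.startswith('xl/printerSettings/') and name.endswith('.bin'):
                # Assumption: the part begins with DEVMODEW, so the device name is the
                # first 64 bytes decoded as UTF-16LE up to the first NUL.
                device = z.read(name)[:64].decode('utf-16-le', 'ignore').split('\x00')[0]
                if device:
                    found['printer'] = device
    # Anything with a backslash (UNC path, DOMAIN\user) points at internal infrastructure.
    found['internal_refs'] = sorted(v for v in found.values() if '\\' in v)
    return found
```

Run `audit_office_metadata(open('file.xlsx', 'rb').read())` on a real file; a non-empty `internal_refs` list means the document should be scrubbed before it is posted anywhere public.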
In case you’ve just tuned into the Metadata Era, here’s an important take-away: metadata is powerful and revealing.
The hidden connections between phishing attacks, file contents, and file metadata are further explored in our recently published eBook, “Anatomy of a Phish”. By the way, it’s now also available on iTunes.