The air conditioning firm whose remote access credentials were abused in the massive Target data breach probably had them stolen by a run-of-the-mill phishing attack, a security researcher has reported.

According to Brian Krebs – who has become the single most authoritative source for post-Target breach revelations – an inside source told him that Pennsylvania-based Fazio Mechanical Services was attacked two months before November’s disastrous breach, possibly using the Citadel keylogger, a Trojan more commonly seen in online banking phishing campaigns.

In a statement last week, Fazio had described itself as the “victim of a sophisticated cyber attack operation,” and said it had complied with industry practices, something Krebs said investigators now “took issue” with.

Fazio is also said to have used the free version of the popular Malwarebytes anti-malware client, which does not offer real-time protection against malware. The free version is also not licensed for business use; firms are required to upgrade to the SME or Enterprise version.

A conventional anti-malware client would probably have detected Citadel, if that was indeed the malware used. However, phishing attacks can bypass that form of security if a more customised (i.e. previously unknown) Trojan is used, so the point could be moot.

Just as disturbing is the unconfirmed possibility that Target itself employed no two-factor authentication or account logging to protect partner access, something that would put it in serious breach of the PCI DSS 2.0 industry standard.

Krebs points out that Target might have believed this was not necessary if it had isolated the network segments that the account had access to, but that posture rests on a number of assumptions. The real protection against this sort of abuse is to monitor and restrict account privileges (using a least-privilege system) for all users, regardless of whether they are partners or internal admins.
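The two controls named above, logging of partner access and a least-privilege allow-list per partner account, are simple to check for once the gateway is actually writing logs. The script below is an added illustration, not code from the article, from Krebs or from any of the companies involved: it reads a constructed remote-access log (the line format, account names, segment names and policy are all invented for the example), and flags every event where a partner account reached a segment outside its allow-list or authenticated without a second factor.

```python
"""
Added example: policy audit over partner remote-access events.

Each partner account is allowed a small set of network segments
(least privilege) and must authenticate with a second factor. Every
event that breaks either rule is reported for review. The log format,
accounts, segments and policy below are constructed for this example.
"""
from dataclasses import dataclass
import re

# Constructed sample log lines in an invented gateway format.
# Fields: timestamp, account, source IP, mfa=yes|no, segment reached.
SAMPLE_LOG = """\
2013-11-15T08:02:11Z account=vendor-hvac src=203.0.113.10 mfa=yes segment=hvac-monitoring
2013-11-15T08:05:43Z account=vendor-hvac src=203.0.113.10 mfa=no segment=hvac-monitoring
2013-11-15T23:41:07Z account=vendor-hvac src=198.51.100.7 mfa=no segment=store-lan
2013-11-15T09:12:30Z account=vendor-billing src=192.0.2.55 mfa=yes segment=billing-portal
2013-11-16T02:17:55Z account=vendor-billing src=192.0.2.55 mfa=yes segment=corp-ad
"""

# Constructed least-privilege policy: segments each partner account may reach.
POLICY = {
    "vendor-hvac": {"hvac-monitoring"},
    "vendor-billing": {"billing-portal"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) segment=(?P<segment>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    account: str
    src: str
    segment: str
    reason: str


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(event, policy):
    """Return the list of policy violations for a single parsed event."""
    reasons = []
    account = event["account"]
    if account not in policy:
        reasons.append("unknown partner account")
    elif event["segment"] not in policy[account]:
        reasons.append("segment not in least-privilege allow-list")
    if event["mfa"] != "yes":
        reasons.append("authenticated without second factor")
    return reasons


def audit(log_text, policy=POLICY):
    """Run the policy over every line; return (findings, unparsed_line_count)."""
    findings = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            unparsed += 1  # a silently dropped line is itself worth knowing about
            continue
        for reason in evaluate(event, policy):
            findings.append(Finding(event["ts"], event["account"],
                                    event["src"], event["segment"], reason))
    return findings, unparsed


if __name__ == "__main__":
    found, bad = audit(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.account} from {f.src} -> {f.segment}: {f.reason}")
    print(f"{len(found)} finding(s), {bad} unparsed line(s)")
```

Run against the sample, the audit reports four findings: two for the HVAC account logging in without a second factor, one of those also reaching a segment it is not allowed to touch, and one for the billing account wandering into a directory segment. Unparseable lines are counted rather than ignored, because a gateway that stops writing logs in the expected format is exactly the gap an attacker benefits from.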

The attack certainly highlights the incredible vulnerability of organisations to simple phishing attacks that focus on weak points, particularly partners whose security policy weaknesses might not be obvious to the eventual victim. The attacker simply probes a list of known partners (possibly after researching public sources of information on the target’s network and security) until one succumbs to the attack.

“Ideally, technical defenses catch these types of attacks, but as anyone who follows the security industry knows, malware gets past those solutions all of the time,” said Aaron Higbee, CTO of anti-phishing training firm PhishMe.

“You can have a firewall, intrusion detection system, anti-virus, and inline email blockers; but if you don’t have someone analyzing the data from those systems, you aren’t seeing those attacks and are still vulnerable. The latest 0-day exploit or malware iteration can still catch even the most vigilant enterprise off guard.

“Regardless of whether an attack uses password-stealing malware or old-fashioned social engineering, it still introduces itself through your email users, and the Target breach is further evidence that a well-trained user base is a critical element to a robust security posture.”