Reports from the Target breach investigation continue to trickle in, with Brian Krebs now citing multiple sources close to the investigation who have traced the initial compromise to login credentials stolen through a phishing email.

Last week, we discussed how attackers can steal credentials without using malware through data-entry phishing. While this tactic is a common and highly effective technique, the latest report on Target alleges that Citadel, a password-stealing derivative of the ZeuS banking Trojan, was responsible for stealing login credentials from Target vendor Fazio Mechanical, which provided attackers with the foothold they needed in Target’s network.

How does this type of attack work? It’s pretty simple. Malware that steals credentials will employ a key logger, which tracks the data a user types on the keyboard. The captured data is typically saved on the hard disk and periodically sent to a remote server, where the attacker can access and parse it.


An example of an email with a ZeuS malware file attached.

Another way for malware to access credentials is through passwords the user has saved in a browser. Most browsers (Firefox, for example) will save this data in a weak format, which is easily broken and viewed by the attacker.

This type of malware is usually delivered through an attachment in a spear-phishing email. See the accompanying screenshot for a phishing email that contains an attachment with ZeuS malware.

Ideally, technical defenses catch these types of attacks, but as anyone who follows the security industry knows, malware gets past those solutions all of the time. You can have a firewall, intrusion detection system, anti-virus, and inline email blockers, but if you don’t have someone analyzing the data from those systems, you aren’t seeing those attacks and are still vulnerable. The latest 0-day exploit or malware iteration can still catch even the most vigilant enterprise off guard.

Regardless of whether an attack uses password-stealing malware or old-fashioned social engineering, it still introduces itself through your email users, and the Target breach is further evidence that a well-trained user base is a critical element of a robust security posture.