
Protection of Information Assets

Temple University

MIS 5206.951 ■ Summer 2026 ■ Kelly McKain-D'Andria

Question 1

April 29, 2025 by Kelly McKain-D'Andria 30 Comments

What steps did the cybercriminals follow in committing this theft?

Filed Under: 2a: Case Study 2 Autopsy of a Data Breach: The Target Case

Comments

  1. Changyang Sui says

    June 10, 2025 at 10:21 pm

    1. Hacked POS Systems
    ◦ Cybercriminals broke into Target’s cash registers (likely via weak security or a third-party vendor).
    2. Installed Malware
    ◦ Used BlackPOS, a $2,000 tool that steals card data from memory when swiped.
    3. Tested & Scaled
    ◦ Ran tests (Nov 15–27), then infected 1,800+ registers.
    4. Stole Data Daily
    ◦ Malware copied card numbers and sent 11GB+ of data to Target’s own servers.
    5. Moved Data Out
    ◦ Uploaded stolen info to 3 hacked servers (Miami, Brazil, U.S.).

  2. Xinran Wu says

    June 15, 2025 at 9:39 pm

    Cybercriminals broke into Target’s point-of-sale network and installed malware on the terminals to obtain all credit and debit card data swiped on the infected terminals. The cybercriminals exploited remote access to obtain copies of the collected data during the peak network traffic hours between 10 a.m. and 6 p.m. The data was then copied to three servers outside Target, making it difficult for intrusion detection software to spot it.

  3. Yingyu Wang says

    June 16, 2025 at 3:09 am

    The steps taken by cybercriminals to carry out theft are as follows:
    1. Obtain remote access credentials of third-party vendors through phishing emails, or exploit the vendor’s privileges to bypass security defenses and enter the payment system network.
    2. After installing malicious software, conduct small-scale tests to verify the feasibility of data theft and transmission processes.
    3. Gradually deploy the malware, stealing a certain amount of data daily. To avoid detection, the attacker transfers the data in batches to three temporary servers during peak network hours, and then consolidates the data.
    4. Finally, the stolen data is sold in bulk on dark web platforms.

  4. Ruizhen Zhang says

    June 16, 2025 at 5:32 am

    Between November 15 and 27, hackers infiltrated Target’s point-of-sale network and installed the malware BlackPOS on terminals. The software captures credit and debit card data as the transaction server processes the transaction and saves it on one of Target’s hacked servers. Some diva hackers used remote access capabilities to retrieve more than 11 gigabytes of data per day during daytime spikes in network traffic and replicate it to three external servers, including those in Miami, Brazil, and elsewhere in the United States.

  5. Siyu Li says

    June 16, 2025 at 9:24 am

    The steps taken by the cybercriminals were as follows:
    1. obtained this firm’s user code and password by sending a simple phishing email to which a Fazio employee responded;
    2. remotely penetrated Target’s network and accessed the company’s payment system network by exploiting vulnerabilities;
    3. installed malware called BlackPOS on the terminals;
    4. tested and realized the system-wide installation;
    5. used remote access capability to retrieve a copy of the amassed data during the network’s normal peak traffic periods and copied it to three servers outside of Target.

  6. Jialin Fan says

    June 16, 2025 at 10:34 pm

    Steps followed by the cybercriminals in the Target data breach:
    1. The attackers sent a phishing email to an employee of Fazio Mechanical Services, a third-party HVAC vendor with remote access to Target’s network. The employee fell for the scam, providing credentials that allowed the cybercriminals to infiltrate Target’s systems.
    2. Using the stolen credentials, the attackers gained access to Target’s network. They exploited weaknesses in the segmentation between the vendor portal and the payment system network, moving laterally to reach the point-of-sale (POS) terminals.
    3. Between November 15 and 27, 2013, the attackers installed malware (similar to BlackPOS) on Target’s POS terminals. This malware was designed to scrape unencrypted credit/debit card data from the memory of the terminals during transactions.
    4. The stolen data was temporarily stored on Target’s internal servers. To avoid detection, the attackers retrieved the data (over 11 GB) during peak traffic hours (10 a.m. to 6 p.m.) and transferred it to external servers in Miami, Brazil, and the U.S., before ultimately moving it to a server in Moscow.
    5. The malware deleted traces of its activity, making it hard to detect. Target’s FireEye security system flagged the intrusion multiple times (including Level 1 alerts), but the internal team ignored or dismissed these warnings, failing to act in time.
    6. The stolen card data was sold in batches on black market websites like “rescator.so,” priced between $20–$100 per card, with guarantees on validity and balance. The criminals used Bitcoin for transactions to avoid detection.

  7. Zuqi Zhang says

    June 16, 2025 at 11:13 pm

    The cybercriminals followed a series of coordinated steps to commit the theft:
    Initial Access Acquisition: They began by targeting employees of third-party vendors or directly targeting the company’s staff through phishing emails. In one instance, a Fazio employee fell for a simple phishing email, inadvertently providing the cybercriminals with the user code and password of the firm. This granted them the initial access point they needed.
    Network Penetration and Exploitation: Using the obtained credentials or exploiting vulnerabilities in the system, they remotely penetrated the target company’s network. They bypassed security defenses and gained access to the company’s payment system network, which was a critical step in reaching their ultimate goal of stealing sensitive data.
    Malware Installation and Testing: Once inside the network, they installed malicious software such as BlackPOS on the terminals. This malware was specifically designed to capture data. After installation, they conducted small-scale tests to verify the feasibility of the data theft and transmission processes, ensuring that the malware was functioning correctly and that they could exfiltrate data without being detected immediately.
    Data Exfiltration and Staging: Confident that their setup was working, they gradually deployed the malware across the system, stealing a certain amount of data daily. To avoid detection, they timed their data transfers carefully. During peak network hours, when traffic was high and anomalies might be less noticeable, they transferred the stolen data in batches to three temporary external servers. This staging process allowed them to consolidate the data over time.
    Final Data Consolidation and Monetization: After accumulating a significant amount of stolen data on the external servers, they consolidated it into a single dataset. Finally, they sold the stolen data in bulk on dark web platforms, where it could be purchased by other malicious actors for various illicit purposes such as identity theft, financial fraud, or further cyberattacks.
    In summary, the cybercriminals followed a multi-step process that involved gaining initial access through phishing or exploiting vulnerabilities, installing and testing malware, exfiltrating data in a stealthy manner, consolidating it, and ultimately selling it on the dark web.

  8. Jingni Li says

    June 17, 2025 at 1:54 am

    1. Initial intrusion: Use phishing emails (e.g., emails disguised as seemingly normal) to induce Dean Rao to click or interact with them, so as to implant malicious programs (e.g., Trojan horses) to break through the basic protection of the device and obtain the initial access rights of the device.
    2. Privilege escalation and lurking: Malicious programs can be used to retain backdoors in the device, dig out system vulnerabilities, gradually increase access permissions, and hide their own activities (such as camouflage processes and tampering with logs), and lurk for a long time to avoid detection, and continuously collect device environment information (such as network configuration and storage content).
    3. Data reconnaissance and theft: scan the device storage and locate files containing sensitive information such as student information, scientific research data, and management documents, and use encrypted channels (such as building anonymous FTP and encrypted network connections) or segmented transmission to transfer the data to the controlled server to complete the theft.
    4. Follow-up cover-up: After the theft is completed, the operation log is deleted, the local backup is destroyed, the follow-up traceability investigation of the enterprise is interfered with, and even misleading false clues are further implanted, which increases the difficulty of investigation.

  9. Yufei Zhu says

    June 17, 2025 at 3:10 am

    First, cybercriminals obtained the vendor’s remote access account passwords through phishing emails. Second, they used the vendor’s privileges to access Target’s internal network. Then, they installed and tested malware that could grab information in Target’s network of point-of-sale terminals. After a successful test, the criminals began remotely copying large amounts of credit card data, grabbing data that was not encrypted at the moment of the transaction. Finally, the data was transferred to a server and sold on the black market.

  10. Jiaxuan Ma says

    June 17, 2025 at 3:30 am

    The cybercriminals obtained the code and password of a Target vendor by sending a phishing email → remotely penetrated Target’s network → exploited vulnerabilities in the security measures → accessed the company’s payment system network, which was linked to the point-of-sale terminal network → installed malware on the terminals → tested and installed the malware on all of Target’s terminals → made a copy of the data at the instant when the server has to store the raw data (unencrypted) in its random access memory → copied all cards used and sent them to remote servers during the network’s normal peak traffic periods.

  11. Meiyan Liu says

    June 17, 2025 at 8:14 am

    Hackers gained initial access to Target’s network by phishing a Fazio Mechanical Services employee (a Target vendor) for login credentials. Between November 15 and 27, 2013, they penetrated Target’s POS network, installed BlackPOS-like malware on terminals to scrape credit/debit card data, and tested its functionality. After validation, the malware was deployed on about 1,800 terminals, which began capturing card numbers. Daily between 10 a.m. and 6 p.m., over 11GB of stolen data was remotely exfiltrated to temporary servers in Miami, Brazil, and the U.S., then transferred to a final server in Moscow.

  12. Yiwen Lou says

    June 17, 2025 at 10:10 am

    So cybercriminals first sent a phishing email to trick a Target vendor into giving up their login code and password. That let the crooks remotely break into Target’s network. They then found weak spots in the security measures and sneaked into the company’s payment system network, which was connected to the point-of-sale (POS) terminal network.
    Next, they installed malware on the terminals. After testing it, they spread the malware to all of Target’s terminals. Here’s the tricky part: when the server had to store unencrypted raw data in its temporary memory, the attackers copied that data. They grabbed info from all the cards used and sent it to remote servers during the network’s usual busy traffic times to avoid getting caught.
    It’s like someone stealing a house key, breaking in, finding a secret door to the safe, planting a bug, then waiting for the safe to open temporarily to copy all the valuables—all while doing it during a busy party so no one notices!

  13. Xintong Zhang says

    June 17, 2025 at 11:11 am

    The steps the cybercriminals took to commit the theft are as follows:
    1. The cybercriminals obtained account information of Target’s vendor Fazio via a phishing email, penetrating its network and accessing the payment system.
    2. Between November 15 and 27, 2013, they deployed BlackPOS-like malware on point-of-sale terminals to intercept unencrypted card data during transactions.
    3. After testing, the malware was installed on 1,800 terminals. Daily during peak hours, over 11GB of data was remotely stolen and transferred through servers in Miami, Brazil, and the U.S. to Moscow.
    4. The malware erased the traces left by its own activities, which made it very difficult to detect. Target’s FireEye system issued top-level alerts, but the team ignored them and disabled the automatic malware removal feature, failing to prevent the attack.
    5. The stolen data was sold in large quantities on a black market website at a price of 20 to 100 dollars per card.

  14. Meiqi Yan says

    June 18, 2025 at 4:32 am

    1. They tricked a contractor: First, they sent a fake email to a Target vendor (an HVAC company) and stole their login info.
    2. Snuck into Target’s systems: Using those stolen credentials, they got inside Target’s network and found a way to the checkout systems.
    3. Installed digital spyware: They planted malicious software on Target’s cash registers that secretly copied credit/debit card details every time a customer swiped.
    4. Stole data quietly: For weeks, they collected millions of card numbers, hiding their theft by only transferring data during busy hours.
    5. Got caught too late: Target’s security tools actually spotted the hack early but ignored the warnings—letting the thieves escape with the data before anyone noticed.
    The whole breach happened because of one weak link (the vendor’s email security) and Target’s slow reaction to alarms.

  15. Wenhao GUO says

    June 18, 2025 at 6:14 am

    The cybercriminals first obtained the user code and password of Fazio Mechanical Services, a vendor of Target, by sending a phishing email to a Fazio employee, allowing them to remotely penetrate Target’s network. Between November 15 and 27, 2013, they infiltrated Target’s point-of-sale network and installed the BlackPOS malware on approximately 1,800 terminals, which was designed to capture credit and debit card data when cards were swiped. They tested the system to ensure it worked properly before activating the malware to copy card numbers. From November 27 to December 18, they remotely accessed Target’s network during normal peak traffic hours (10 a.m. to 6 p.m.) to retrieve the stolen data (over 11 gigabytes), storing it on three external servers (in Miami, Brazil, and the U.S.) before transferring it to a server in Moscow. The stolen data was then sold in batches on the black market website rescator.so, with prices ranging from $20 to $100 per card, and the cybercriminals offered customer service and guarantees for the sold data.

  16. Wenhao Liu says

    June 18, 2025 at 6:54 am

    First, they targeted Fazio Mechanical Services, a Target vendor, with a phishing email. Somebody at Fazio fell for it and gave up their login info, which gave the crooks their first access.
    Next, they used those stolen credentials to break into Target’s network. They found weak spots in the security and got into the part connected to the cash registers—the POS terminals where cards get swiped.
    Then they installed BlackPOS malware on about 1,800 POS terminals. This stuff secretly grabs card info when someone swipes their card, like a digital pickpocket.
    Once the malware was working, they stole data daily between 10 AM and 6 PM (probably to blend in with busy network traffic). They copied the data to three external servers (Miami, Brazil, US) and then moved it to a server in Moscow.
    Finally, they sold the card info on black market sites in huge batches—up to a million cards at a time, priced $20 to $100 per card. Total nightmare for everyone involved.

  17. Liyuan Zhou says

    June 18, 2025 at 11:19 am

    Hackers first gained access to Target’s network by phishing a Fazio Mechanical Services employee (a Target vendor) to obtain login credentials. Between November 15 and 27, 2013, they penetrated Target’s POS network, installed BlackPOS-like malware on terminals to steal credit/debit card data, and tested the malware’s functionality. After validation, the malware was deployed on approximately 1,800 terminals, which started capturing card numbers. Daily between 10 a.m. and 6 p.m., over 11GB of stolen data was remotely exfiltrated to temporary servers in Miami, Brazil, and the U.S., then transferred to a final server in Moscow.

  18. Zuqi Zhang says

    June 19, 2025 at 4:23 am

    First, they got into Target’s point-of-sale (POS) systems, probably through some weak security or by using a third-party vendor. Then, they installed this malware called BlackPOS, which is a tool that costs around $2,000. It steals card data from memory when the cards are swiped at the registers.
    They ran some tests from November 15 to 27 to make sure everything was working, and then they scaled it up, infecting over 1,800 registers. Every day, the malware would copy the card numbers and send more than 11 gigabytes of data to Target’s own servers. During the daytime when there was more network traffic, they used remote access to retrieve the data and then copied it to three external hacked servers—one in Miami, one in Brazil, and another somewhere else in the U.S.
    So basically, they broke in, installed the malware, tested it, scaled it up, stole the data daily, and then moved it out to their own servers.

  19. Jianwei Huang says

    June 19, 2025 at 9:28 am

    The cybercriminals first got into Target’s cash register systems between November 15 and 27, 2013. They sent a phishing email to a vendor to steal login info, then used it to access Target’s network. They put harmful software on the registers to copy credit card data when cards were swiped. They tested the software, then installed it on all 1,800 registers. Every day from 10 a.m. to 6 p.m., they remotely took the stolen data (over 11GB) and stored it on three servers in Miami, Brazil, and the U.S., then moved it to a server in Moscow. Target’s security alerts were ignored, letting the attack continue.

  20. Xiaojin Liu says

    June 19, 2025 at 9:48 am

    First, from November 15th to 27th, the attackers launched phishing email attacks against third-party suppliers to obtain their credentials for accessing Target’s network. Using these credentials, they remotely infiltrated Target’s network and discovered vulnerabilities in the connection between the payment system and the POS terminals. Subsequently, they installed a memory-scraping software called BlackPOS (a black-market tool worth approximately $2,000) on the POS terminals, which was specifically designed to steal unencrypted card data temporarily stored in memory during card swiping. To avoid detection, the attackers chose to steal data in batches during the peak network traffic hours (from 10 a.m. to 6 p.m.) every day. Finally, from November 27th to December 18th, the stolen data (totaling over 11GB) was transferred through Target’s internal controlled servers and ultimately sent to servers located in Miami, Brazil, and the United States. The attackers temporarily stored some of the data on servers in Moscow and later sold it in bulk on the black-market website rescator.so (each card was priced at $20 to $100, with Bitcoin accepted as payment).

  21. Jiwei Yang says

    June 19, 2025 at 10:21 pm

    Cybercriminals first obtained access credentials for Target’s suppliers through phishing emails and infiltrated its network. From November 15 to 27, 2013, they installed BlackPOS malware on point-of-sale terminals, which stole unencrypted bank card data from memory. After the test was successful, they deployed malware on 1,800 terminals, remotely stealing data during peak network hours and storing it on an external server every day. Although the FireEye system of Target issued an alert, the attack was not blocked because the team ignored it and disabled the automatic clearing function. Finally, the data was transferred to a server in Moscow and sold in bulk on the black market website for $20 to $100 per card. This series of operations took advantage of vendor vulnerabilities, system configuration flaws, and human negligence, resulting in a large-scale data leak.

  22. Yan Liu says

    June 20, 2025 at 12:20 am

    This incident of cybercriminals breaching Target’s point-of-sale network is a stark reminder of the persistent and evolving threats in the digital age. Let’s delve into the details and implications.

    The successful intrusion into Target’s point-of-sale network underscores significant vulnerabilities in the company’s security infrastructure. The installation of malware on terminals highlights how easily cybercriminals can infiltrate systems, especially when security protocols are not robust enough. This malware was a sophisticated tool that enabled the unauthorized collection of highly sensitive credit and debit card data, which can lead to severe financial losses and identity theft for affected customers.

    The cybercriminals’ strategy of exploiting remote access during peak network traffic hours, specifically between 10 am and 6 PM, was a calculated move. During these times, networks are typically busier, making it more challenging for intrusion detection software to distinguish between normal traffic and malicious data transfers. This demonstrates the attackers’ understanding of network operations and their ability to use this knowledge to their advantage.

    The act of copying the stolen data to three servers outside Target further complicated the situation. By distributing the data across multiple external servers, the criminals increased the difficulty of detecting and intercepting the unauthorized transfer. This multi-server approach also serves as a safeguard for the attackers, ensuring that even if one server is discovered, the others may remain undetected, and the data remains accessible to the criminals.

    From a business perspective, this incident had far-reaching consequences for Target. It not only led to financial losses due to potential fraud and legal liabilities but also severely damaged the company’s reputation. Customers’ trust, which is crucial for any business, was eroded, and it took significant effort and resources for Target to regain consumer confidence.

    In conclusion, this cyberattack on Target serves as a cautionary tale for all organizations. It emphasizes the importance of continuous investment in advanced cybersecurity measures, regular security audits, and employee training to prevent similar breaches. Moreover, it calls for the development of more intelligent intrusion detection systems that can better identify malicious activities even during peak network traffic and across multiple external servers.

    If you have any thoughts on how companies can enhance their security further or if there are other aspects of this case you’d like to explore, feel free to share.

  23. Shouxi Mou says

    June 20, 2025 at 12:34 am

    1. Initial Access
    Phishing Attack: Sent deceptive emails to Fazio Mechanical (Target’s HVAC vendor) to steal login credentials.
    Vendor Exploit: Used stolen credentials to breach Target’s network through the vendor’s remote access portal.
    2. Network Penetration
    Lateral Movement: Navigated from HVAC systems to payment network by exploiting weak internal controls.
    Malware Deployment: Installed BlackPOS malware on point-of-sale (POS) terminals to scrape credit card data.
    3. Data Exfiltration
    Data Collection: Stored stolen card details on Target’s servers temporarily.
    Exfiltration: Transferred 11 GB of data to external servers (Miami, Brazil, U.S.) during peak traffic hours to avoid detection.
    4. Monetization
    Black Market Sales: Sold card data on “rescator.so” in batches (price: 20–100 per card).
    Cover-Up: Malware erased traces, delaying detection (breach discovered by banks, not Target).
    Key Weaknesses Exploited:

    Third-party vendor security gaps
    Delayed response to FireEye alerts (Document 2)
    Lack of payment system segmentation

  24. Huiling Huang says

    June 20, 2025 at 4:03 am

    The cybercriminals first hacked a vendor of Target, got its login info via a phishing email, and used that to enter Target’s network. Then they put malware on Target’s checkout systems to steal credit card data when cards were swiped. They copied the stolen data to outside servers during busy hours to avoid notice. Also, Target’s security system gave alerts, but the company ignored them, so the attack kept going.

  25. Rong Su says

    June 21, 2025 at 3:16 am

    First, cybercriminals obtained the password for a vendor’s remote access account through phishing emails. Second, they used the vendor’s credentials to infiltrate Target’s internal network. Then, they installed and tested malware capable of harvesting information from Target’s point-of-sale terminal network. After successful testing, the attackers began remotely extracting massive amounts of credit card data, capturing unencrypted transaction information, deleting activity logs, and destroying local backups. Finally, the stolen data was transferred to external servers and sold on the black market.

  26. Meiqi Yan says

    June 21, 2025 at 8:12 am

    Hackers used phishing emails to obtain the account and password of Target’s air conditioning supplier. They then used these credentials to breach the Target network, bypass the security system and infiltrate the cash register terminal network. They implanted malicious software to steal the credit card data entered by customers when they swiped their cards. They also transmitted the stolen 11GB of data to an overseas server during the peak shopping hours every day. The entire process remained undetected for several weeks. The key vulnerability was that Target’s security team repeatedly ignored the automatic alerts from the system and even disabled the protection functions.
    In summary, the process consists of four steps: invasion → infiltration → theft → dissemination.

  27. Gao Yujing says

    June 21, 2025 at 12:00 pm

    Cybercriminals’ theft steps follow the logic of “reconnaissance – intrusion – control – theft – exfiltration”. By integrating automated tools (such as botnets) and targeted strategies, they form a systematic attack chain. Both ordinary ransomware attacks and advanced APT (Advanced Persistent Threat) attacks must go through the above steps to achieve data theft. The key to defense lies in blocking the execution of each link.

  28. Xinshang Pei says

    June 21, 2025 at 12:14 pm

    Target Data Breach Attack Chain:
    Initial Access
    Phished HVAC vendor credentials → Entered Target’s network
    Lateral Movement
    Exploited poor network segmentation → Reached POS systems
    Malware Deployment (Nov 15–27, 2013)
    Installed memory-scraping malware (BlackPOS variant) on terminals
    Data Exfiltration
    Stole 11 GB of card data → Routed through Miami/Brazil → Final dump to Moscow server
    Evasion Tactics
    Deleted traces + Used peak-hour transfers
    FireEye alerts ignored by Target’s team
    Monetization
    Sold cards (20–100 each) on “rescator.so” via Bitcoin
    Key Flaws: Weak vendor access control, ignored alerts, unencrypted POS data.

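The two weaknesses named in comments 23 and 28 above, the missing segmentation between the vendor portal and the POS network and the reliance on peak-hour transfers to hide exfiltration, can both be checked mechanically from flow records. The following is an added example written for this discussion, not code from the course page or from Target's environment; the subnets, hosts, timestamps, byte counts and the 1 GiB daily baseline are constructed assumptions.

```python
"""Two defender checks over constructed flow records for the Target case.

Added example (not from the course page). Check 1: any flow from the
third-party vendor segment into the POS segment violates segmentation.
Check 2: outbound bytes from POS hosts to non-internal addresses, summed per
calendar day, are compared with a baseline; moving data during peak hours
changes when it leaves, not how much, so a volume baseline still catches it.
All subnets, hosts, timestamps and byte counts are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed segment layout (assumption, not Target's real topology).
VENDOR_SEGMENT = ip_network("10.50.0.0/16")      # HVAC vendor remote-access hosts
POS_SEGMENT = ip_network("10.20.0.0/16")         # point-of-sale terminals
INTERNAL = ip_network("10.0.0.0/8")              # everything inside the company
PEAK_START, PEAK_END = time(10, 0), time(18, 0)  # the 10 a.m. to 6 p.m. window
GIB = 1024 ** 3
DAILY_EGRESS_BASELINE = 1 * GIB                  # assumed normal daily POS egress

# Constructed flow log: "<ISO timestamp> <src> <dst> <bytes>" per line.
FLOW_LOG = """\
2013-11-15T09:12:03 10.50.3.7 10.20.1.15 4096
2013-11-27T10:05:00 10.20.1.15 198.51.100.20 734003200
2013-11-27T11:30:00 10.20.1.16 198.51.100.20 524288000
2013-11-27T14:20:00 10.20.2.40 10.0.5.9 120000
2013-11-27T17:55:00 10.20.1.15 203.0.113.8 419430400
2013-11-28T02:00:00 10.20.1.15 198.51.100.20 1048576
"""


def parse_flows(text):
    """Parse the four-column flow format into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": ip_address(src),
            "dst": ip_address(dst),
            "bytes": int(nbytes),
        })
    return flows


def segmentation_violations(flows):
    """Flows whose source is in the vendor segment and destination in POS."""
    return [f for f in flows
            if f["src"] in VENDOR_SEGMENT and f["dst"] in POS_SEGMENT]


def external_pos_flows(flows):
    """Flows leaving a POS host for an address outside the internal range."""
    return [f for f in flows
            if f["src"] in POS_SEGMENT and f["dst"] not in INTERNAL]


def daily_pos_egress(flows):
    """Bytes per calendar day (ISO date string) sent from POS to the outside."""
    totals = defaultdict(int)
    for f in external_pos_flows(flows):
        totals[f["ts"].date().isoformat()] += f["bytes"]
    return dict(totals)


def flag_exfiltration(flows, baseline=DAILY_EGRESS_BASELINE):
    """Days on which POS egress exceeded the baseline, sorted."""
    return sorted(day for day, total in daily_pos_egress(flows).items()
                  if total > baseline)


def peak_hour_share(flows):
    """Fraction of POS egress bytes sent inside the peak window."""
    ext = external_pos_flows(flows)
    total = sum(f["bytes"] for f in ext)
    if total == 0:
        return 0.0
    in_peak = sum(f["bytes"] for f in ext
                  if PEAK_START <= f["ts"].time() < PEAK_END)
    return in_peak / total


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for f in segmentation_violations(flows):
        print(f"segmentation violation: {f['src']} -> {f['dst']} at {f['ts']}")
    for day in flag_exfiltration(flows):
        print(f"POS egress over baseline on {day}: {daily_pos_egress(flows)[day]} bytes")
    print(f"share of POS egress sent in peak hours: {peak_hour_share(flows):.3f}")
```

On the constructed log the vendor-to-POS flow on November 15 is reported as a segmentation violation, and November 27 is flagged even though every transfer that day fell inside the peak window.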
  29. Gao Yujing says

    June 21, 2025 at 1:20 pm

    Cybercriminal Attack Steps
    1. Reconnaissance

    Intel Gathering: Scan for vulnerabilities (e.g., unpatched Apache servers), phishing (fake HR emails to steal credentials).
    Tools: Shodan for exposed services, dark web forums for leaked VPN accounts.
    2. Initial Access

    Vectors:
    SQL injection via vulnerable web forms.
    Malicious macro attachments (disguised as invoices).
    Case: 2023 e-commerce breach started from a phishing link clicked by support staff.
    3. Lateral Movement

    Privilege Escalation: Use Mimikatz to steal admin tokens, pivot via RDP to finance systems.
    Stealth: Camouflage traffic (e.g., exfiltrate data via DNS queries).
    4. Data Exfiltration

    Techniques:
    Compress and encrypt data (AES-256) → Split into chunks → Upload to cloud storage (e.g., AWS S3 buckets).
    Abuse legitimate tools (e.g., exfiltrate via Teams file sharing).
    Scale: SMEs typically lose 5-10GB of core data (customer PII/financial records) per incident.
    5. Monetization

    Profit Channels:
    Dark Markets: Sell credit card data at $0.5/record (e.g., Genesis Market).
    Ransomware: Encrypt data → Demand Bitcoin (average ransom: $50k).
    Money Laundering: Use cryptocurrency mixers (e.g., Wasabi Wallet) to obscure trails.
    Defense Keys
    Block Recon: Scan exposure surfaces (e.g., Nessus), block Shodan probe IPs.
    Contain Movement: Network segmentation (VLANs) + least privilege access.
    Detect Exfiltration: Monitor abnormal data flows (e.g., DLP tools).

  30. Yangyu Zhang says

    June 21, 2025 at 5:16 pm

    Based on the case study, the cybercriminals followed these steps to execute the Target data breach:
    1. Initial Compromise via Third-Party Vendor (Early November 2013)
    2. Network Penetration and Lateral Movement
    3. Malware Deployment (November 15-27, 2013)
    4. Data Theft (November 27 – December 18, 2013)
    5. Data Staging and Exfiltration
    6. Final Transfer and Sale
