An e-mail phishing attack sent to Target's air conditioning and refrigeration contractor could be to blame for the company's data breach.
Data security reporter Brian Krebs blogged Wednesday that the breach "appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer."
Krebs said investigators think the source traces back to network credentials Target issued to Fazio Mechanical, a Pittsburgh-area air conditioning and refrigeration firm. The breach that unleashed credit card and personal data of over 110 million consumers may have started at least two months before thieves began stealing the data from thousands of Target registers, sources close to the investigation said.
Sources also said the malware was Citadel, "a password-stealing bot program that is a derivative of the ZeuS banking trojan," but that information is unconfirmed.
Fazio confirmed earlier in February it was the victim of a "sophisticated cyber attack operation" investigated by the Secret Service and possibly linked to the Target data breach.
"Like Target, we are a victim of a sophisticated cyber attack operation," owner Ross Fazio said in a statement. "We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client/vendor connections, making them less vulnerable to future breaches."
Fazio's statement said the data connection to Target was for electronic billing, contract submission and project management but did not specify which areas of Target's online operations were accessed externally.