The data thieves who attacked Target Corp. stole the network credentials of a heating and refrigeration contractor via phishing e-mails sent to the company’s employees, according to the blogger who first revealed the breach.

Data security reporter Brian Krebs blogged Wednesday that Target’s breach started with a “malware-laced e-mail phishing attack” on employees of Sharpsburg, Pa.-based Fazio Mechanical Services Inc.

Krebs cited “multiple sources close to the investigation” and said the phishing e-mails were sent at least two months before thieves started hoovering up card data from cash registers.

“Two of those sources said the malware in question was Citadel — a password-stealing bot program that is a derivative of the ZeuS banking trojan — but that information could not be confirmed,” Krebs said.

Phishing e-mails are a common tactic thieves use to try to get people to click on a malicious link or download an infected file.

Fazio’s main tool for detecting malicious software on its internal system was a free version of Malwarebytes Anti-Malware, which wasn’t adequate, Krebs said. It’s intended for spot use by individual users, not for an organization.

Krebs reported that a former member of Target’s security team, whom he did not identify, told him that nearly all Target vendors use an external network called Ariba, which he described as an external billing system, and a Target project management and contract submissions portal called Partners Online.

Fazio Mechanical also would have had access to Target’s Property Development Zone portal, the source said.

The source speculated that the digital connections could give a vendor access to Target’s corporate network.

Cyberthieves made off with the payment card data of 40 million people who bought merchandise at Target’s U.S. stores from Nov. 27 to Dec. 15. The company later said the personal information of 70 million customers was also taken.

The heist is one of the country’s largest recorded data security breaches and remains under investigation.

The Minneapolis-based retailer declined to comment on Krebs’ latest post, citing the ongoing investigation.

Dick Roberts, a spokesman for Fazio Mechanical, said he couldn’t discuss the situation. “We’re continuing to cooperate with the authorities on the investigation and can’t comment further,” he said.

The company’s information technology system and security measures are in full compliance with HVAC industry practices, he said.

Last week Fazio Mechanical issued a statement saying its data connection with Target was “exclusively for electronic billing, contract submission and project management” and that no other Fazio customers were affected by the security breach.

Citadel is a popular piece of malware that’s been around for a long time and is “well engineered,” said Curt Wilson, senior research analyst at Burlington, Mass.-based Arbor Networks. It has been used in other point-of-sale security breaches at merchants in the past two years, he said.

Wilson said Krebs’ blog doesn’t offer enough information to know what type of phishing e-mails were sent to Fazio’s employees.

According to recent research by Websense Inc. in San Diego, the volume of phishing e-mails is dropping, but criminals are getting more skillful at targeting them. One of the most dangerous subject lines, Websense said: Invitation to connect on LinkedIn.

Other research shows it takes just three phishing e-mails to get someone to click on a link or attachment, although that doesn’t always lead to a compromise.

Wilson agreed that if Fazio was using only the free version of Malwarebytes for detecting malware on its system, that was “woefully inadequate.”

“That’s a pretty glaring oversight,” Wilson said. “They blew it.”

Karen Master, a spokeswoman for Sunnyvale-based Ariba, described Ariba as a cloud-based business network companies use to find and conduct business with their vendors. No payment information is exchanged on it, she said.

Target uses software from Ariba to manage transactions with vendors, Master said. The software is housed on Target’s own servers, and Target hosts and manages the software itself and doles out its own Active Directory credentials to vendors.

Ariba does not provide any Active Directory credentials, Master said, and “therefore would not have been involved in the breach.”