CNN warns about Target copy-cat phishes

Target did indeed do a blast to customers to offer one year of free credit monitoring. The problem is scammers are also on the prowl and are sending out similar emails.
Target even says it has identified and stopped at least 12 scams preying on consumers via email, Facebook and other outlets.CNN: Did you get an email from Target?

I’m not surprised in the least that phishers are copy-catting Target’s email and are trying to compromise even more information from users.
What did surprise me was how easy both Epsilon and Target made it for the phishers. The official Target emails were signed with DKIM, but they were signed by target.bfi0.com. All a phisher has to do is register a random domain and sign with a similar key. The mail will pass authentication checks and look to most people exactly like the official Target email.
That mail should have gone out with a From: address in the target.com namespace. That mail should have been signed by target.com. Target should have published a DMARC record. I understand Target probably wanted to get the email out as fast as possible. But they sacrificed security for speed, and have opened their customers up to even more information compromises.
Last week I was mentally giving Target a D for their response to this. The more I learn about what they’ve done (or failed to do) just with the email campaign, the more I think they should get a F.

Target "acquires data"
NetSol opts users into new $1850 security program

Related Posts

Target "acquires data"

It was our priority to inform as many guests as quickly as possible. Relevant emails were pulled from a variety of sources.
@AskTarget

Read More

They really think we're stupid

Read More

DMARC: an authentication framework

A new email industry group was announced this morning. DMARC is a group of industry participants, including large senders, large receivers and relevant intermediaries working on a framework to reduce the harm from phishing.
DMARC is working on a standard to allow senders to publish sending policies and receivers to act on those policies. Currently, senders who want receivers to not deliver unauthenticated email have to negotiate private agreements with the ISPs to make that happen. This is a way to expand the existing programs. Without a published standard, the overhead in managing individual agreements would quickly become prohibitive.
It is an anti-phishing technique built on top of current authentication processes. This is the “next step” in the process and one that most people involved in the authentication process were anticipating and planning for. I’m glad to see so many big players participating.
 

Read More