CNN warns about Target copy-cat phishes

Target did indeed do a blast to customers to offer one year of free credit monitoring. The problem is scammers are also on the prowl and are sending out similar emails.
Target even says it has identified and stopped at least 12 scams preying on consumers via email, Facebook and other outlets.CNN: Did you get an email from Target?

I’m not surprised in the least that phishers are copy-catting Target’s email and are trying to compromise even more information from users.
What did surprise me was how easy both Epsilon and Target made it for the phishers. The official Target emails were signed with DKIM, but they were signed by target.bfi0.com. All a phisher has to do is register a random domain and sign with a similar key. The mail will pass authentication checks and look to most people exactly like the official Target email.
That mail should have gone out with a From: address in the target.com namespace. That mail should have been signed by target.com. Target should have published a DMARC record. I understand Target probably wanted to get the email out as fast as possible. But they sacrificed security for speed, and have opened their customers up to even more information compromises.
Last week I was mentally giving Target a D for their response to this. The more I learn about what they’ve done (or failed to do) just with the email campaign, the more I think they should get a F.

Related Posts

Target "acquires data"

It was our priority to inform as many guests as quickly as possible. Relevant emails were pulled from a variety of sources.
@AskTarget

Read More

DMARC: Please Be Careful!

(Cross posted from Spam Resource.)
Every couple of days, somebody new pops up on the DMARC-Discuss mailing list to ask some question or share an observation. It’s great to see people interested and joining the conversation. Clearly, DMARC interest and adoption are growing. What’s really frustrating, though, is that for about a quarter of the new subscribers, their first mailing list message goes to the spam folder in my Gmail account. It has become sort of an intelligence test I apply to new subscribers — I’ve stopped digging those messages out of the spam folder. I’m figuring that if they can’t figure out how to implement a DMARC record, or they don’t understand that it’s not really compatible with mailing lists nor is it meant for hobbyist domains, then I think perhaps they’ve got some things they’ve got to figure out before they’re ready to join the discussion.
To that end, let me take a moment to jot down some recommendations for folks who are considering implementing DMARC.

Read More

Hotmail moves to SPF authentication

Hotmail has recently stopped using Sender ID for email authentication and switched to authenticating with SPF. The protocol differences between SenderID and SPF were subtle and most senders who were getting a pass at Hotmail were already publishing SPF records.
From an email in my inbox from September:

Read More