CNN warns about Target copy-cat phishes

Target did indeed do a blast to customers to offer one year of free credit monitoring. The problem is scammers are also on the prowl and are sending out similar emails.
Target even says it has identified and stopped at least 12 scams preying on consumers via email, Facebook and other outlets.
CNN: Did you get an email from Target?

I’m not surprised in the least that phishers are copy-catting Target’s email and are trying to compromise even more information from users.
What did surprise me was how easy both Epsilon and Target made it for the phishers. The official Target emails were signed with DKIM, but they were signed by target.bfi0.com, not by target.com. All a phisher has to do is register a random domain and sign with a key of their own in the same way. The mail will pass authentication checks and look to most people exactly like the official Target email.
That mail should have gone out with a From: address in the target.com namespace. That mail should have been signed by target.com. Target should have published a DMARC record. I understand Target probably wanted to get the email out as fast as possible. But they sacrificed security for speed, and have opened their customers up to even more information compromises.
Last week I was mentally giving Target a D for their response to this. The more I learn about what they’ve done (or failed to do) just with the email campaign, the more I think they should get an F.
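To make the alignment point concrete, here is an added example (my own code, not anything from Target, CNN or the DMARC group) that applies DMARC's identifier alignment rules to the domains above. It approximates the organizational domain as the last two labels instead of consulting the Public Suffix List, and the lookalike domain in the last case is a constructed placeholder.

```python
"""DMARC identifier alignment check (added example, not the post's code)."""
from typing import Optional


def organizational_domain(domain: str) -> str:
    # Approximation: last two labels. A real receiver must use the
    # Public Suffix List so names like example.co.uk are handled correctly.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str = "r") -> bool:
    """True if the authenticated domain aligns with the RFC5322.From domain.

    mode 'r' (relaxed): organizational domains must match.
    mode 's' (strict): domains must match exactly.
    """
    if not auth_domain:
        return False
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def dmarc_result(from_domain: str, dkim_domain: Optional[str] = None,
                 dkim_pass: bool = False, spf_domain: Optional[str] = None,
                 spf_pass: bool = False, mode: str = "r") -> str:
    """'pass' if any authenticated identifier aligns with From, else 'fail'."""
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, mode)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, mode)
    return "pass" if (dkim_ok or spf_ok) else "fail"


if __name__ == "__main__":
    # The situation in the post: From claims target.com, DKIM d=target.bfi0.com.
    # The signature verifies, but bfi0.com is a different organizational
    # domain, so there is no aligned identifier even in relaxed mode.
    print(dmarc_result("target.com", "target.bfi0.com", True))  # fail
    # What the post recommends: sign with d=target.com; aligns in both modes.
    print(dmarc_result("target.com", "target.com", True, mode="s"))  # pass
    # A message claiming From: target.com but DKIM-signed by an unrelated
    # domain (constructed placeholder): DKIM verifies, DMARC still fails, so a
    # published target.com policy would let receivers quarantine or reject it.
    print(dmarc_result("target.com", "target-alerts.example", True))  # fail
```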

Related Posts

DMARC: an authentication framework

A new email industry group was announced this morning. DMARC is a group of industry participants, including large senders, large receivers and relevant intermediaries working on a framework to reduce the harm from phishing.
DMARC is working on a standard to allow senders to publish sending policies and receivers to act on those policies. Currently, senders who want receivers to not deliver unauthenticated email have to negotiate private agreements with the ISPs to make that happen. This is a way to expand the existing programs. Without a published standard, the overhead in managing individual agreements would quickly become prohibitive.
It is an anti-phishing technique built on top of current authentication processes. This is the “next step” in the process and one that most people involved in the authentication process were anticipating and planning for. I’m glad to see so many big players participating.

Read More

SPF Fail: too many DNS lookups

I’ve had a couple of folks come to me recently for help troubleshooting SPF failures. The error messages said the SPF record was invalid, but by all checks it was valid.
Eventually, we tracked the issue down to how many include files were in the SPF record.
The SPF specification specifically limits the number of DNS lookups that can happen during an SPF check.

Read More

Gmail sending out warnings for 512 bit DKIM keys

As an update to yesterday’s post, Gmail is contacting postmasters at domains signing with 512-bit keys to warn them of the upcoming changes. This message also clarifies what “DKIM keys failing” means: messages signed with 512-bit or shorter keys will be treated as unsigned by Gmail in the next week or so.

Read More