Target did indeed do a blast to customers to offer one year of free credit monitoring. The problem is scammers are also on the prowl and are sending out similar emails.
Target even says it has identified and stopped at least 12 scams preying on consumers via email, Facebook and other outlets.
CNN: Did you get an email from Target?
I’m not surprised in the least that phishers are copy-catting Target’s email and are trying to compromise even more information from users.
What did surprise me was how easy both Epsilon and Target made it for the phishers. The official Target emails were signed with DKIM, but they were signed by target.bfi0.com. All a phisher has to do is register a random domain and sign with a similar key. The mail will pass authentication checks and look to most people exactly like the official Target email.
That mail should have gone out with a From: address in the target.com namespace. That mail should have been signed by target.com. Target should have published a DMARC record. I understand Target probably wanted to get the email out as fast as possible. But they sacrificed security for speed, and have opened their customers up to even more information compromises.
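To make the alignment point concrete, here is an added example (not code from the original post) of how a receiver applying DMARC would treat three ways the mailing could have been sent. The DMARC record is the one the post says Target should have published; the From: address of the as-sent mail is assumed to be in the target.bfi0.com vendor domain, and localparts, selectors and signature bytes are constructed.

```python
"""Added example (not from the original post): a receiver applying DMARC to the
ways the Target mailing could have been sent. A valid DKIM signature only proves
the d= domain signed; DMARC also requires d= to align with the From: domain."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS: the only policy is the one the post says Target
# should have published at _dmarc.target.com.
DMARC_DNS = {"target.com": "v=DMARC1; p=reject; adkim=r"}

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption:
    no Public Suffix List lookup; adequate for the .com cases here)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(record):
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r")}

def evaluate(raw_message, dkim_verified=True):
    """Return From: domain, DKIM d= domain, alignment and DMARC disposition."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_domain = m.group(1).lower() if m else ""
    record = DMARC_DNS.get(from_domain) or DMARC_DNS.get(org_domain(from_domain))
    if record is None:  # no policy for the From: domain -> DMARC says nothing
        return {"from": from_domain, "dkim": dkim_domain, "aligned": None,
                "disposition": "none"}
    policy = parse_dmarc(record)
    if policy["adkim"] == "s":
        aligned = dkim_verified and dkim_domain == from_domain
    else:
        aligned = dkim_verified and org_domain(dkim_domain) == org_domain(from_domain)
    return {"from": from_domain, "dkim": dkim_domain, "aligned": aligned,
            "disposition": "pass" if aligned else policy["p"]}

def sample(from_addr, d):
    """Constructed message; localpart, selector and signature bytes are made up."""
    return (f"From: Target <{from_addr}>\nDKIM-Signature: v=1; a=rsa-sha256; "
            f"d={d}; s=sel1;\n bh=XXXX; b=YYYY\n\nbody\n")

AS_RECOMMENDED = sample("news@target.com", "target.com")
HALF_FIXED = sample("news@target.com", "target.bfi0.com")   # From fixed, d= not
AS_SENT = sample("news@target.bfi0.com", "target.bfi0.com")  # vendor domain only (assumed)

if __name__ == "__main__":
    print([evaluate(r) for r in (AS_RECOMMENDED, HALF_FIXED, AS_SENT)])
```

The third case is the one that matters: with no target.com identifier in the From: header, a target.com DMARC policy never even applies, so a look-alike domain signed with its own key is indistinguishable to the receiver from the real mailing.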
Last week I was mentally giving Target a D for their response to this. The more I learn about what they’ve done (or failed to do) just with the email campaign, the more I think they should get an F.