Undoubtedly you’ve heard about Target's recent loss of millions of consumers' credit card data and associated PIN data. Who hasn’t at this point? Target at this crucial moment should of course be laser focused on rebuilding consumer trust, and naturally consumers are on red alert, scrutinising everything Target related and looking for signs of the attackers abusing their stolen information. I was, therefore, very interested to see an e-mail message arrive from Target with decidedly dodgy attributes that did everything possible to make a user concerned (and saw an opportunity to show the telltale signs of a nasty scam). This e-mail from Target is a lesson in how to make an e-mail that looks like a scammer’s (but is actually legitimate) and is bad practice that should be avoided by all enterprises. Let me step you through what makes this all look so iffy.
First things first, the screenshot labeled Exhibit A shows the e-mail is from target.bfi0.com. The bfi0.com bit is curious and concerning. This is a technique a great deal of attackers use: they put the legitimate company name in front of their own domain, e.g. microsoft.somedomainiown.com. The hope is that everyone reads the Microsoft bit and ignores the bit afterwards. I spotted this and immediately browsed to bfi0.com (on a secure system) to see what the real page was. Turns out it is entirely blank, or if you refresh it a few times it sometimes returns a “Permission Denied” page. There is no explanation of their business, what the e-mail is about or anything to explain the nature of their business. That is extremely concerning, as again they are behaving just like many cyber criminal attack pages would. Exhibit B shows us one of the other links in this e-mail we are supposed to click. Users are often advised in security training that they should hover over and check where a link will take them before they click it, to ensure it is what they expect. Exhibit B shows one of the many links which, simply put, looks incredibly dodgy.
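The "brand name in front of someone else's domain" pattern described above can be checked mechanically rather than by eye. The following is an added example (not code from the original article or from Target or Epsilon) that extracts the registrable domain from each link in a message and flags any link where a known brand appears only as a subdomain of a domain that brand does not own; the brand-to-domain table and the two-label suffix list are assumptions constructed for the example.

```python
from urllib.parse import urlparse

# Constructed allow-list for the example: brand label -> domains the brand actually owns.
KNOWN_BRAND_DOMAINS = {"target": {"target.com"}, "microsoft": {"microsoft.com"}}

# Assumption: a tiny stand-in for the public suffix list, so that "target.co.uk"
# is treated as one registrable domain rather than "co.uk".
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that a registrant controls, e.g. 'bfi0.com' for 'target.bfi0.com'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_mismatch(url: str):
    """Return (brand, registrable_domain) when a known brand name sits in the subdomain
    part of a domain that brand does not own; return None when the link is consistent."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    reg = registrable_domain(host)
    # Everything left of the registrable domain is attacker/registrant-chosen text.
    sub_labels = host.lower().split(".")[: -len(reg.split("."))]
    for brand, owned in KNOWN_BRAND_DOMAINS.items():
        if brand in sub_labels and reg not in owned:
            return brand, reg
    return None


def flag_links(urls):
    """Return the subset of links that fail the brand check, with the reason attached."""
    return [(u, brand_mismatch(u)) for u in urls if brand_mismatch(u) is not None]


if __name__ == "__main__":
    # Constructed sample links in the shape of the ones discussed in the article.
    sample = [
        "http://target.bfi0.com/track?id=example",
        "https://www.target.com/account",
        "microsoft.somedomainiown.com",
    ]
    for url, reason in flag_links(sample):
        print(f"suspicious: {url} -> '{reason[0]}' is a subdomain of {reason[1]}")
```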
The e-mail address from which this e-mail was sent also does little to rebuild my confidence. Take a look at the beautifully horrible address in Exhibit C. Many users would decide this is a scam e-mail (or wouldn’t even notice any of this which is more concerning given how often true scammers behave nearly identically).
The final step of the process is to identify what this bfi0.com really is. A quick whois (you can use a web-based tool like this to look up any domain you like) enables us to identify the owner of the domain and gives away their business. You can see the results in Exhibit D. It turns out that this highly suspect bfi0.com domain name (which has no home page) is actually a domain owned by Epsilon Data Management (historically BigFoot Interactive, thus the odd domain). This company sends and tracks e-mails on behalf of companies so they can tell which customers clicked links and what they found interesting. A little more rummaging and you can see this e-mail is legitimate (though I have no idea why I received it given I’m not a customer and haven’t signed up – but perhaps I’m just forgetful), but it clearly demonstrates many of the same traits as a malicious or scam e-mail.
I showed only a small number of the hoops I jumped through over a few minutes to validate the e-mail (technical folk, think DKIM, SPF, message source etc.). What hope do users have of making a decision about the legitimacy of e-mails when the good guys behave like this? Target needs to look closely at how it rebuilds consumer trust, and suspicious-looking e-mails are not going to help. That said, it did offer me the chance to show you the kinds of things to check for in a suspicious e-mail, and for that I suppose I’m thankful.