Target Spams Email Appended List with Data Breach Notice
U.S.-based retailer Target, which recently suffered a massive data breach, has responded to that breach by hiring an email appender to append scraped email addresses (some of them closed for over a decade) to their customer list. Target then spammed that appended list over the past few days. The ESP is Epsilon, via its subsidiary Bigfoot Interactive.
I was traveling, but Laura Atkins at Word to the Wise blogged about her experience receiving this email. Several antispammers that I know reported seeing the spam in their spamtrap collections as well. After I got home, I checked my spamtrap collection, and found about a dozen spams to my own spamtraps after searching for spam sent from only one IP on one day (January 17).
Spamming an email appended list just to advertise products or services is bad enough. Email appending is one of the dirtiest spam practices that is not outright criminal. Spamming an appended list after cybercriminals stole your customer database, however, is an epic fail. Surely Target understood that cybercriminals will send phish emails to those email addresses? Surely Target understood that their emails would be taken for criminal phish by many customers, who would have deleted unread any email that claimed to come from Target? Apparently Target’s decisionmakers did NOT understand these simple facts that any remotely intelligent, non-technical Internet user knew without having to think further about it?
I would very much like to know what Epsilon was thinking to allow a customer to email an appended list from their IP ranges. Were they unaware that Target had hired an email appender?
While this situation shakes out, I have a recommendation. First, if you ever shopped at Target and used a credit or debit card that you still have, you should request a new card with a new number from your bank, credit union or financial institution. Second, if you must shop at Target in the future, shop in a physical store only (not at Target.com) and use cash to avoid giving Target your private information.
Sending IP: 206.132.3.176
Spam Sample:
Actual Headers:
Received: from bigfootinteractive.com (arm176.bigfootinteractive.com [206.132.3.176]) by <xxx> (Postfix) with ESMTP id <xxx> for <xxx>; Thu, 16 Jan 2014 16:##:## +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha1; d=target.bfi0.com; s=ei; c=simple/simple; q=dns/txt; i=@target.bfi0.com; t=<xxx>; h=From:Subject:Date:To:MIME-Version:Content-Type; bh=<xxx>=; b=<xxx>=; DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws; s=ei; d=target.bfi0.com; h=Received:Reply-To:Bounces_to:Message-ID:X-SS:X-BFI:Date:From:Subject:To:MIME-Version:Content-Type; b=<xxx>= Received: from [192.168.##.##] ([192.168.##.##:##] helo=<xxx>) by <xxx>.epsiloninteractive.com (envelope-from <<xxx>@target.bfi0.com>) (ecelerity 2.2.2.45 r(34222M)) with ESMTP id <xxx>; Thu, 16 Jan 2014 11:##:## -0500 Reply-To: =?iso-8859-1?B?<xxx>?= <<xxx>@target.bfi0.com> Bounces_to: Bounce.<xxx>@target.bfi0.com Message-ID: <<xxx>@target.bfi0.com> X-SS: <xxx> X-BFI: <xxx> Date: Thu, 16 Jan 2014 11:##:## EST From: =?iso-8859-1?B?<xxx>==?= <TargetNews@target.bfi0.com> Subject: Important message from Target to our guests To: <xxx> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="<xxx>"
Readable Email:
From: Target.com <TargetNews@target.bfi0.com>
To: <spamtrap>
Subject: Important message from Target to our guests
Reply-To: <<xxx>@target.bfi0.com
Dear Target Guest,
As you may have heard or read, Target learned in mid-December that criminals forced their way into our systems and took guest information, including debit and credit card data. Late last week, as part of our ongoing investigation, we learned that additional information, including name, mailing address, phone number or email address, was also taken. I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion.
I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian\222s® ProtectMyID® product activation code for this service, please go to creditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014.
<removed>
Thank you for your patience and loyalty to Target. You can find additional information and FAQs about this incident at our Target.com/databreach website. If you have further questions, you may call us at 866-852-8680.
Gregg Steinhafel
Chairman, President and CEO
5 Responses to Target Spams Email Appended List with Data Breach Notice