Categories
Computer & Network Security|Information Security>Data Breach|Social Engineering>Phishing|Compliance>Privacy

Scammers take advantage of Target Breach victims

Can you recognize a phishing email?  Target recently sent out an email to those affected by the data breach with information about the breach and steps to take if your information was involved.  That email can be viewed on Target’s website.

target

Scammers are also taking advantage of the situation and sending their own Target breach notification emails.  Can you spot the differences in a real and fake email?

Honestly, I am surprised that Target sent their email the way they did.  One of the first ways to identify a suspicious email is whether or not you recognize the sender.  In the case of the legitimate Target email it came From: Target.com (TargetNews@target.bfi0.com).  This immediately raises a red flag in my head because I don’t know the domain bfi0.com.  This is a standard tactic of scammers to try and trick users into trusting the Target part of the email and ignoring the next part.  bfi0.comThis was an oversight on Target’s part to instill trust in their constituents.  I would not trust this email if I had received it.  I dug a little more and a WHOIS lookup shows that the bfi0.com domain is registered to an Epsilon Data Management who tracks email marketing campaigns.  I now know this is the real Target email.

The biggest items to notice in the real email are that they are not asking you to click on anything, except the Target.com website,  and they do not ask you for any information.

Scammers will try and make you feel compelled to click on links and divulge personal information.

If you have already received one of the fake emails, you should immediately delete it.  If you clicked on anything, you need to make sure your antivirus is up to date, and it would probably be a good idea to change the passwords on your online accounts.

If you divulged personal information from the scam email, you need to immediately contact your bank and or credit company and notify them to be vigilant of fraud activity.

Finally, Target is offering free credit monitoring to anyone affected by their breach, and I recommend signing up for it immediately.  You can see the details on Target’s website.

As a general rule, if you don’t recognize the sender, don’t trust the email.

 

Categories
Compliance>PCI|Compliance>Privacy

Top 25 Passwords from 2013: 123456 reigns supreme

2013 crowned a new champion of the #1 password based on passwords collected from data breaches.  The top password for 2012 was ‘password,’ but 2013 announces that ‘123456,’ reigns supreme.

SplashData, a security firm, releases their findings each year of the top passwords discovered from breaches.  This year, due to the size of the Adobe breach, you’ll see some Adobe passwords make the list.

  1. 123456 (+1)
  2. password (-1)
  3. 12345678 (0)
  4. qwerty (+1)
  5. abc123 (-1)
  6. 123456789
  7. 111111 (+2)
  8. 1234567 (+5)
  9. iloveyou (+2)
  10. adobe123
  11. 123123 (+5)
  12. admin
  13. 1234567890
  14. letmein (-7)
  15. photoshop
  16. 1234
  17. monkey (-11)
  18. shadow
  19. sunshine (-5)
  20. 12345
  21. password1 (+4)
  22. princess
  23. azerty
  24. trustno1 (-12)
  25. 000000

So what can you glean from this?  First, if your password is in this list, change it immediately.  It is literally one of the first passwords someone will try if you are targeted.  Second, it shows why users should not use the names of the application they are protecting in their passwords nor easy to remember letter and number combinations.

Securit360 recommends using a password manager to store complex and unique passwords for as many situations as you can  Where you can’t use a password manager, we recommend using passphrases made up of letters, numbers and symbols.  The longer the word the better, preferably 10 or more characters.  If you have to choose between long or complex, choose long.  Don’t use common words or phrases, don’t be predictable.  Don’t share passwords among accounts, but find a way to make a unique password for each account. Don’t use real information in your security questions, but if you do, use a phrase and not just a single word.  Turn on 2 factor authentication if it is available.