Fake Target breach notification leads to phishing and complex scams

The extensive Target breach has resounded far and wide in US media, and its customers should worry about their personal or credit card information being misused.

After the initial breach revelation in late December, the company has started sending out breach notices to potentially affected customers, and continued to do so in the wake of the discovery of additional compromised information.

But cyber scammers have also started sending out notifications in Target’s name, trying to trick users into sharing their personal information, as well as into completing online surveys.

According to the number of these spam emails collected by Malcovery in the last few days, the campaign is not (yet) massive.

The email in question tries to get the victims’ attention by proclaiming “Alert to Target Shoppers – your identity is at risk” in the subject line. Currently, the email is sent from a Yahoo email address that obviously has nothing to do with Target.

But the worrisome content of the email might nevertheless spur some users to click on the offered links.
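The two traits described above, a subject line that invokes Target and a sender address at a free webmail provider, can be checked mechanically on inbound mail. The following Python is an added example, not code from the article or from Malcovery; the domain lists, sender addresses and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumptions, not from the article: the brand's sending domain and a short
# list of free webmail providers.
BRAND_DOMAINS = {"target": {"target.com"}}
FREE_WEBMAIL = {"yahoo.com", "gmail.com", "outlook.com", "hotmail.com"}

def domain_matches(domain, allowed):
    # Exact match or true subdomain, so "target.com.mailer.example" fails.
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_brand_sender(raw_message):
    """Return findings for a message whose subject or display name invokes a brand."""
    msg = message_from_string(raw_message)
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    display, address = parseaddr(msg.get("From", ""))
    _, at, domain = address.rpartition("@")
    domain = domain.lower().rstrip(".") if at else ""
    claimed = f"{subject} {display}".lower()
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if not re.search(rf"\b{re.escape(brand)}\b", claimed):
            continue  # brand not invoked; a crude word match, tune per brand
        if not domain:
            findings.append(f"{brand}: no parsable sender address")
        elif not domain_matches(domain, allowed):
            findings.append(f"{brand}: sender domain {domain} is not a brand domain")
            if domain_matches(domain, FREE_WEBMAIL):
                findings.append(f"{brand}: sender uses free webmail ({domain})")
    return findings

# Constructed sample messages (addresses and display names are made up).
SAMPLE_SCAM = (
    "From: Target Alerts <example-sender@yahoo.com>\n"
    "Subject: Alert to Target Shoppers - your identity is at risk\n"
    "\nBody omitted.\n"
)
SAMPLE_LOOKALIKE = "From: Target <notice@target.com.mailer.example>\nSubject: Breach notice\n\n"
SAMPLE_GENUINE = "From: Target <notice@mail.target.com>\nSubject: Breach notice\n\n"

if __name__ == "__main__":
    for name in ("SAMPLE_SCAM", "SAMPLE_LOOKALIKE", "SAMPLE_GENUINE"):
        print(name, check_brand_sender(globals()[name]))
```

The From header is chosen by the sender, so a check like this complements SPF, DKIM and DMARC results rather than replacing them.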

This email is not a real, straightforward phishing email. Users who follow the links are taken via a series of redirects to a page that presents a survey and offers a $1000 Sears/JCPenney/Kohl’s/Macy’s shopping voucher as an incentive, reports Gary Warner, Malcovery co-founder and chief technologist.

But once that survey is completed, they are redirected to new surveys on different pages, run on systems operated by different ad companies.

Among other things, the victims are instructed to answer questions that can be used to create a pretty accurate idea of their shopping activities, which will then be directly tied to their real-world identity, as the victims are then urged to enter their name, address, phone number, email address, date of birth, etc.

Once that task is over, there are still a lot of personal questions to be answered.

Then questions about employment, education and their health are trotted out, and all the while the scammers dangle the reward (which has now turned into a $150 Walmart gift card) before the users.

Then another set of surveys is trotted out. And then the victim is required to download an add-on (a ShopAtHome.com Toolbar) and make it their default search provider and default new tab. Finally, they are told they must buy a set of knives or sign up for a credit report service, and then to buy more things.

The complexity of this scam is astounding. Unfortunately, there are always – always! – enough inexperienced Internet users who fall for it, and make it worthwhile for the scammers.