Target Credit Card Fraud: The gift that keeps on giving (spam)
December 31, 2013 4:09 PM

Victim of Target credit card fraud followed up by a massive flood of spam. We're curious what exactly is going on.

So, my wife got an email from Best Buy thanking her for her order. Being that she hadn't ordered anything from them, she took a look and... long story short, it looks exceptionally likely that her card was compromised in the Target fiasco. We've contacted Best Buy and the bank and are working through the extended customer service hell involved in straightening out the charges.

Right after she got off the phone with Best Buy, she started getting bombarded with emails. In the span of maybe 20 minutes, over 400 emails have come through. All of them have a long sequence of numbers as the subject, and some malformed HTML as the body. I've set up a filter in her email to shunt them off to a folder so they don't get in the way, but we're curious. Anyone else in a similar boat and getting this spammy overload, and is there much else we can/should do about it?
posted by neilbert to Computers & Internet (12 answers total) 7 users marked this as a favorite
Are you sure the order confirmation was from Best Buy? Fake order confirmation emails are a common phishing scheme, and if you clicked a link from the email, that could explain the deluge of spam right after. The bank confirmed that your card was charged?
posted by payoto at 4:19 PM on December 31, 2013


Yes, it was a real order. We saw the charge on the bank site and both Best Buy and the bank were contacted by phone and their CSRs saw the transaction.
posted by neilbert at 4:23 PM on December 31, 2013


Well, they have her real name and zip code information (where the card was used). Presumably they used it to fish out her "real" email address and create/compromise her Best Buy account and make the purchase.

Is her email address findable (associated with her real name on FaceBook, Twitter, or other Social Sites)? Is it her real name @ something.com?

It may be that they're attempting the order, and if it goes through, great. If not (or even if) bombard the stupid victim for shutting them down quickly or try to overwhelm/phish more iformation out of them, but using a screwed up mail bot system.
posted by tilde at 4:33 PM on December 31, 2013


You may not be able to stop the current flow, but to ward off future issues, change how you use email and online accounts.

First of all, disassociate this email account as the main contact for any social or shopping sites.

Secondly, for the future, use a secondary email account specifically for shopping sites, something with a crazy hard password that you generally don't log in to (use one of those generators?). Use it to sign up for social media and shopping sites, and forward emails to her main email accounts.

Other options:

- use throw away email addresses that forward to her account (services or get your own domain).

- use the + trick with a gmail shopping account (bestbuy+emailname@gmail.com amz+emailname@gmail.com). This doesn't work everywhere.

I'd change her email password just in case, as well as make sure she hasn't got any accounts information (shopping, bank, social) stored in the email box. Do a back up of it as well. I do keep emails and passwords online, but in a password protected google docs file which might be worthless for protection.

I had set up a new email when I was job hunting (along the lines of tilde.jobhunter@gmail.com) and used it in all my correspondence, posting, and resumes until I got further along in the process. It forwarded to my main email for monitoring. It got broken into three times (even with hard passwords) and used to spam, harvest email addresses, and had the contents nuked a couple of times.

She might think about just getting a new email address if the flow does not abate and the spam filters you have cannot handle it. If possilbe, turn off downloading of images on all email for a while, unknown email after a while.
posted by tilde at 4:43 PM on December 31, 2013


payoto: "Fake order confirmation emails are a common phishing scheme, and if you clicked a link from the email, that could explain the deluge of spam right after"

While that's certainly a possible scenario, I think the mechanism here might be the exact opposite. The deluge of spam is intended to drown out real order confirmation emails. I'm pretty sure I've read about this but can't find a direct source right now. In this case, it seems like the fraudsters screwed up the timing and didn't initiate the spam flood soon enough to mask the Best Buy email.
posted by mhum at 5:00 PM on December 31, 2013


Came here to say what mhum said, so I'll just second it.
posted by davejay at 9:41 PM on December 31, 2013


I doubt it's related to the Target fiasco. Someone probably hacked her email and/or Best Buy account. Change your passwords. If they stole her credit card, why would they have used her real email address? It makes no sense.
posted by empath at 10:33 PM on December 31, 2013


Thanks all. After sleeping on it, we agree that it's probably not Target-related, but someone hacked her Best Buy password. The flood of spam seems more likely to be tapering off, and does seem more likely to be an attempt to bury the order email rather than gather info. Doesn't appear implemenation was the hacker's strongest suit...
posted by neilbert at 8:20 AM on January 1, 2014


use the + trick with a gmail shopping account (bestbuy+emailname@gmail.com amz+emailname@gmail.com). This doesn't work everywhere.

Small point, but just fyi this is backwards --

emailname+whatever@gmail.com will go to emailname@gmail.com; the idea is that this makes it easily filterable in gmail. It is true that a lot of websites won't accept the plus sign (which is frustrating and annoying and wrong).
posted by inigo2 at 6:33 AM on January 2, 2014


Thank you inigo2, I usually manage to get it right, then screw it up because it looks wrong so then I make it wrong. :)
posted by tilde at 8:56 AM on January 2, 2014


Actually, maybe it is related to the Target hack after all.
Target's starting to realize that quite a bit more data was swiped than it previously thought—specifically, the names, mailing addresses, phone numbers, and e-mail addresses of 70 million customers. Whoops.
posted by tilde at 8:10 AM on January 10, 2014


Just to close things up here. We did get in touch with Best Buy customer service. They agreed it was a fraudulent order - the fraudster changed the shipping address to a PO Box in Portland, but they kept our street on it as well to get the charge to go through. Best Buy refunded the money to my wife's checking account and all seemed well. Until last week, when we got a hand-addressed envelope from Best Buy customer service. Open it up and there's a piece of mail that was attempted to be sent to the fraudulent address, but returned because the address didn't actually exist. Open that inner piece of mail up and there's a check... for the amount of the fraudulent purchase. As best as I can figure, when Best Buy cancelled the order, the product had already gone out. Best Buy got UPS to not deliver it and return it, which when it came back, triggered a credit in their system... which they mailed out.

Needless to say, we won't be cashing that check.
posted by neilbert at 6:27 AM on July 28, 2014


« Older Gamer teen to coder   |   Truck + plow blade. Snow-covered driveway ending... Newer »
This thread is closed to new comments.