DMARC Failed to Protect Against Walmart Spam

Think that DMARC is all that you need to prevent your company from email spam? Think again.

Last week, there was a spam campaign that imitated a Walmart.com receipt. An email was sent to Walmart customers falsely confirming the purchase of a large flat screen TV costing approximately $1,000. The cinematic home experience was to be enjoyed by someone else, since the receipt showed the item was being shipped to an address that would be unfamiliar to the customer.

Upon receiving this email, the natural reaction would be to click on the link in email to find out more about the fraudulent transaction. However, doing so would require a visit to a malicious webpage that would download malware. That malware would then share credit card information and banking credentials with the scammers.

We’ve been hearing about DMARC as the solution to exactly this kind of email scam. In this particular spam campaign, the emails didn’t actually come from Walmart’s domain name.

Walmart.com (spelled with one “l”) is the real domain name. The company also owns Wal-mart.com. For either one of those domains, there would be a DMARC record published. If an email had been sent by the real Walmart, there would be a signature in the email that can be checked against Walmart’s registered domains. The email would be cryptographically confirmed as having been sent by Walmart. That’s the whole point of a DMARC record.

DMARC shows the true provenance of an email. If an email is not cryptographically signed, it should be rejected because that shows that it was not sent from an official source – in this case, Walmart. In this case, the domain name used to send the email wasn’t Walmart – it just appeared that way. If you were not careful, it would have been easy to be fooled. The email just came from a domain that looked very similar to that used by Walmart.

In fact, there are over 140 variations of misspellings of the Walmart domain name that are in use, such as “Wallmart.org” and “wallmart.net.” As a customer receiving the email, you might not even have noticed that Walmart was spelled incorrectly. Since none of those domain names are valid and do not belong to Walmart, Walmart did not have a DMARC record published for any of those domains. From the victim’s perspective, he sees “Walmart” spelled correctly in the “From Name,” but the email address (the domain portion of the email address) was not a DMARC protected domain. This, combined with high-resolution graphics and a professional look and feel makes for a convincing email, effectively mimicking an actual online purchase confirmation from Walmart. However, the emails were not being rejected because they didn’t fail the DMARC test. The DMARC test was never actually performed.

We believe that DMARC is a good thing. We’re happy that people are using DMARC. We believe that there will be some spam campaigns that will be blocked because of a failure to comply with DMARC, but in this case, DMARC wouldn’t have helped them at all. That’s why it’s important to use DMARC as one tool in the fight against phishing, as opposed to a single method to stop phishing. It is far from an all-encompassing solution.
Similar instances of phishing attacks are lodged against major brands each day. What are some of the other lessons we can learn? Please feel free to share your comments below.

Build Phishing Countermeasures to Protect Your Brand
Human sensors: How encouraging user reporting strengthens security

Leave a Reply