Stratfor Victims Receiving Followup Messages From Attackers
The gang behind the attack on Stratfor over Christmas Eve is still making things difficult for the intelligence analysis firm by sending out malicious emails.
Claiming to be part of the Anonymous hacktivist collective, this group breached several Strategic Forecasting servers over Christmas Eve and waltzed off with over 800,000 password hashes belonging to individuals and corporations who have subscribed to the organization's publications. Credit card numbers and other sensitive data were also part of the haul.
An eWEEK reader who also subscribes to Stratfor publications forwarded a Jan. 5 email message he received that purported to be from George Friedman, president of Stratfor, but was actually from the attackers. The email mocked the circumstances around the Stratfor breach and contained both Friedman's home and cell phone numbers.
"To show our appreciation for your continued support, we will be making available all of our premium content *as a free service* from now on," according to the email.
This was clearly not legitimate, and the senders made no attempt to try to be, as they included the Anonymous tag line, "We are Anonymous. We do not forgive. We do not forget. We are legion. Expect us!" at the end. There was also a second note appended at the end bragging about all the activities the collective has been involved in over the past few months.
A few hours later, Stratfor recipients received yet another email purporting to be from Stratfor warning that the earlier message and other similar variants which had attachments or asked for private information were fake.
"I also want to assure everyone that Stratfor would never ask customers and friends to provide personal information through the type of attachment that was part of the email at issue," Friedman wrote in the email.
However, Mattijs Koot, a Ph.D. student at the University of Amsterdam, who had received both messages, found several items in this second email that seemed a little suspicious. The mailserver for the second email and one of the links in the email just didn't look right as they pointed to en25.com. The "from" header on regular mailings said "STRATFOR" but the latest email had "Stratfor," Koot added.
"Authentic STRATFOR mailings often link to images on en25.com but that does not permit me to trust that a host in the en25.com domain, which also has a yet-unknown IP address, is a source for authentic-only STRATFOR mailings," Koot wrote on his blog about the mailserver that sent the message.
He also noted that the link to unsubscribe from future emails usually pointed to app.response.stratfor.com, but the latest email linked back to en25.com. If the email is authentic, the effort appears to be "clumsy" on Stratfor's part, according to Koot.
Stratfor has not responded to eWEEK's queries to verify the email.
Everyone is on the edge about data breaches and malicious email, leading some people to even question warning messages. Koot even wondered whether Stratfor's Twitter and Facebook accounts, which contain the same text, was still under the publishing firm's control.
In previous data breaches, there were concerns that scammers would send spam and phishing emails to all the people whose information was leaked. The original attackers contacting the victims directly to gloat some more appears to be a new development.