Post-Breach STRATFOR Mailings: Fake vs Real?

Saturday, January 07, 2012

Matthijs R. Koot


I'm subscribed to the free edition of STRATFOR and my e-mail address was among the leaked STRATFOR data.

On January 6th 2012 at 12:15 CET I received this message, which is clearly fake for the following reasons:

  1. it contains links to leaked data, rants, cursing and general weirdness, such as a link to "butthurtreportform.jpg";
  2. its language differs from that observed in regular mailings;
  3. the message is non-HTML, whereas I had never received a non-HTML message from STRATFOR before;
  4. the FROM header is anomalous: it contains "<george.friedman@stratfor.com>", which is a non-existent address and, moreover, differs from the FROM header observed in regular mailings (which I shan't needlessly disclose here);
  5. the mail headers indicate I received the message from zulu705.server4you.de [188.138.100.209], while all mailings I ever received from STRATFOR came from mail{01,02,03}.response.stratfor.com [204.92.19.{141,170,171}].

At 18:24 CET, I received this message from STRATFOR, containing a warning about fake mails like the one above. I believe this mail is authentic (i.e., sent by STRATFOR), but it is confusing for the following reasons:

  1. the mail headers indicate I received the message from yet another mail server: e213.en25.com [209.167.231.213]. Authentic STRATFOR mailings often link to images on en25.com, but that does not permit me to trust that a host in the en25.com domain, with an IP address I have never seen before, is a source of authentic-only STRATFOR mailings;
  2. the FROM header contains "Stratfor" while regular mailings always contained "STRATFOR";
  3. the SUBJECT contains prefix "Stratfor: (...)" while regular mailings never did;
  4. the message contains the line "Click here to unsubscribe from future emails", where "Click here" links to en25.com; regular mailings, however, contain the line "To manage your e-mail preferences click here", where "click here" links to app.response.stratfor.com.

If indeed this second message is authentic, which I believe it is, it seems rather clumsy to me that STRATFOR did not take this into account. Surely infosec-savvy STRATFOR subscribers will look for clues to distinguish real STRATFOR mail from fake STRATFOR mail. Why then act in a manner that obscures four such clues?
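The clues in the two lists above amount to a baseline comparison: last-hop relay, From header, body format and the host behind the preferences link, each checked against what earlier, trusted mailings looked like. The script below does exactly that. It is an added example, not the author's code: the relay IPs, hostnames, display names and link hosts are taken from the post, while the three sample messages are constructed here to mirror the three mails described. The genuine From address, which the post withholds, is replaced by a placeholder in the reserved .invalid domain, and the fake's display name, which the post does not give, is simply omitted.

```python
"""Compare a bulk mailing's headers and body against a baseline of earlier,
trusted mailings from the same sender, using the clues listed in the post."""
import ipaddress
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Baseline the post's author observed for regular STRATFOR mailings:
# relays mail{01,02,03}.response.stratfor.com, display name "STRATFOR",
# an HTML body, and a preferences link on app.response.stratfor.com.
KNOWN_RELAYS = {ipaddress.ip_address(a)
                for a in ("204.92.19.141", "204.92.19.170", "204.92.19.171")}
EXPECTED_FROM = ("STRATFOR", "weekly@example.invalid")  # address is a placeholder
EXPECTED_LINK_HOST = "app.response.stratfor.com"

# Topmost Received header looks like: from <helo> (<rdns> [<ip>]) by <our mx> ...
RECEIVED_IP = re.compile(r"\bfrom\s+\S+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.DOTALL)
HREF = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def last_hop_ip(msg):
    """IP of the host that connected to our own MTA. Only the topmost Received
    header was written by a host we trust; the sender can forge the rest."""
    received = msg.get_all("Received") or []
    match = RECEIVED_IP.search(str(received[0])) if received else None
    return ipaddress.ip_address(match.group(1)) if match else None


def link_hosts(msg):
    """Hostnames of all href targets in the body (HTML part preferred)."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    return [urlparse(url).hostname for url in HREF.findall(text)]


def check_mailing(raw):
    """Return (code, detail) findings. An empty list means none of the post's
    anomalies is present, which is not the same as proof of authenticity."""
    msg = message_from_string(raw, policy=default)
    findings = []
    ip = last_hop_ip(msg)
    if ip is None or ip not in KNOWN_RELAYS:
        findings.append(("relay", f"handed over by {ip}, not a known relay"))
    name, addr = parseaddr(str(msg.get("From", "")))
    if (name, addr) != EXPECTED_FROM:
        findings.append(("from", f"From {name!r} <{addr}> differs from baseline"))
    if msg.get_body(preferencelist=("html",)) is None:
        findings.append(("content-type", "no HTML part; regular mailings are HTML"))
    hosts = link_hosts(msg)
    if EXPECTED_LINK_HOST not in hosts:
        findings.append(("link", f"no link to {EXPECTED_LINK_HOST}; links go to {hosts}"))
    return findings


def finding_codes(raw):
    return [code for code, _ in check_mailing(raw)]


# Constructed sample 1: the shape of a regular mailing as the post describes it.
REGULAR = """\
Received: from mail01.response.stratfor.com (mail01.response.stratfor.com [204.92.19.141]) by mx.example.invalid with ESMTP; Mon, 2 Jan 2012 10:00:00 +0100
From: STRATFOR <weekly@example.invalid>
Subject: Geopolitical Weekly
Content-Type: text/html; charset="utf-8"

<html><body><p>Filler for the weekly analysis.</p>
<p>To manage your e-mail preferences <a href="http://app.response.stratfor.com/">click here</a></p>
</body></html>
"""

# Constructed sample 2: the fake of Jan 6, 12:15 CET. Relay and From address are
# as the post reports them; the fake's display name is not given, so none is set.
FAKE = """\
Received: from zulu705.server4you.de (zulu705.server4you.de [188.138.100.209]) by mx.example.invalid with ESMTP; Fri, 6 Jan 2012 12:15:00 +0100
From: george.friedman@stratfor.com
Subject: Filler subject
Content-Type: text/plain; charset="utf-8"

Plain-text filler standing in for the fake's links, rants and cursing.
"""

# Constructed sample 3: the warning mail of Jan 6, 18:24 CET, which the post
# believes authentic but which deviates from the baseline in three ways.
WARNING = """\
Received: from e213.en25.com (e213.en25.com [209.167.231.213]) by mx.example.invalid with ESMTP; Fri, 6 Jan 2012 18:24:00 +0100
From: Stratfor <weekly@example.invalid>
Subject: Stratfor: filler subject
Content-Type: text/html; charset="utf-8"

<html><body><p>Filler for the warning text.</p>
<p><a href="http://en25.com/">Click here</a> to unsubscribe from future emails</p>
</body></html>
"""

if __name__ == "__main__":
    for label, raw in (("regular", REGULAR), ("fake", FAKE), ("warning", WARNING)):
        print(label, check_mailing(raw) or "matches baseline")
```

Run against the three constructed samples, the regular mailing produces no findings, the fake trips all four checks, and the warning mail trips three (relay, From header, link host), which is precisely why the post calls it confusing: the same heuristics that expose the forgery also flag the genuine message. Note that only the topmost Received header is examined; everything below it was supplied by the sender and is worthless as evidence.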

STRATFOR has known about the breach since at least Dec 24/25, so I assume there has been plenty of time to get advice on coping with fake mailings. Not yet so on December 29th though, when STRATFOR sent out this message, stating:

"(...) we will be sending our free Geopolitical Weekly and Security Weekly to you via email as we have always done. "

D'OH! STRATFOR just told 860k subscribers that they can expect regular e-mail from STRATFOR, seemingly not realizing that this creates an opening for any criminals among those 860k subscribers, who can now take advantage of the trust that STRATFOR (unwittingly) built in less paranoid subscribers. (Note that I publicly mention this only after fake mailings started.)

Furthermore, I received this question: "Is @mrkoot suggesting that official #Stratfor mails aren't usually digitally signed?". My answer: "I have never seen a digital signature attached to a STRATFOR mailing".

This is not to suggest that digital signatures would have solved anything: the signing keys too could have been compromised; more importantly, signatures require users to understand the implications of a broken signature; and more importantly yet, they require users to be observant enough to notice when a signature is missing where one is normally present.

For "company-approved communications", STRATFOR currently refers to their Facebook page and Twitter account. Which I hope are under their control.

Cross-post from blog.cyberwar.nl

Comments

Matthijs R. Koot (2012-01-08, 08:16 UTC): This sentence:

(...) it contains "", which is a non-existent address (...)

should have said:

(...) it contains "", which is a non-existent address (...)

Where dot=. and at=@.

Matthijs R. Koot (2012-01-08, 08:19 UTC): HA! And THAT should have said

george dot friedman at stratfor dot com

between chevrons.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
