Friday, January 6, 2012

Post-Breach STRATFOR Mailings: Fake vs Real?

UPDATE 2012-01-11: I received this message from (the real) STRATFOR today, containing a MUST-READ reflection from George Friedman on "The Hack of Stratfor".

UPDATE 2012-01-10: yesterday I was Skype-interviewed as "Stratfor hacking victim" by Channel 4 News (UK).

UPDATE 2012-01-07: Question: "Is @mrkoot suggesting that official #Stratfor mails aren't usually digitally signed?". My answer: "I have never seen a digital signature attached to a STRATFOR mailing." I do not suggest that digital signatures would have solved anything, as they too could have been compromised and, more importantly, require users to understand implications of a broken signature, and more importantly yet, require users to be observant enough to notice when a digital signature is missing where it is normally present.

I'm subscribed to the free edition of STRATFOR and my e-mail address was among the leaked STRATFOR data. On January 6th 2012 at 12:15 CET I received this message, which is clearly fake for the following reasons:
  1. it contains links to leaked data, rants, cursing and general weirdness such as "butthurtreportform.jpg";
  2. the language differs from that observed in regular mailings;
  3. the message is non-HTML, while I never received a non-HTML message from STRATFOR before;
  4. the FROM-header is anomalous: it contains "<george.friedman@stratfor.com>", which is a non-existent address, and moreover, different from the FROM-header observed in regular mailings (which I shan't needlessly disclose here);
  5. the mail headers indicate I received the message from zulu705.server4you.de [188.138.100.209], while all mailings I ever received from STRATFOR were received from mail{01,02,03}.response.stratfor.com [204.92.19.{141,170,171}].
At 18:24 CET, I received this message from STRATFOR, containing a warning about fake mails like the above. I believe this mail is authentic (i.e., sent by STRATFOR), but it is confusing for the following reasons:
  1. the mail headers indicate I received the message from yet another mailserver: e213.en25.com [209.167.231.213]. Authentic STRATFOR mailings often link to images on en25.com, but that does not permit me to trust that a host in the en25.com domain, which also has a yet-unknown IP address, is a source for authentic-only STRATFOR mailings;
  2. the FROM header contains "Stratfor" while regular mailings say "STRATFOR";
  3. the SUBJECT contains prefix "Stratfor: (...)" while regular mailings never did;
  4. the message contains the line "Click here to unsubscribe from future emails", where "Click here" links to en25.com; regular mailings, however, contain the line "To manage your e-mail preferences click here", where "click here" links to app.response.stratfor.com.
If indeed this second message is authentic, which I believe it is, to me it seems rather clumsy that STRATFOR did not take this into account. Surely, infosec-savvy STRATFOR subscribers will look for clues to distinguish real STRATFOR mail from fake STRATFOR mail. Why then act in a manner that obfuscates four such clues?
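As an added example (not part of the original post), here are the clues from both lists above turned into a baseline check over raw message headers. The relay hostnames, IP addresses, display name and link domain are those quoted in the post; everything at example.invalid is a constructed placeholder, and the regular From address, which the post deliberately does not disclose, is not checked.

```python
# Added example, not from the post: score a mailing against the header clues
# the post lists. Baseline values are the post's; example.invalid is constructed.
import re
from email import message_from_string
from email.utils import parseaddr

KNOWN_RELAYS = {"mail01.response.stratfor.com": "204.92.19.141",  # relay -> IP
                "mail02.response.stratfor.com": "204.92.19.170",
                "mail03.response.stratfor.com": "204.92.19.171"}
KNOWN_FROM_NAME = "STRATFOR"                     # display name on regular mailings
KNOWN_LINK_DOMAIN = "app.response.stratfor.com"  # where regular mailings link to
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[([\d.]+)\]\)", re.S)
LINK_RE = re.compile(r"https?://([^/\s\"'>]+)")

def check_mailing(raw):
    """Return the clues that deviate from the baseline; [] means consistent."""
    msg = message_from_string(raw)
    clues = []
    # Only the topmost Received header (added by our own MX) is trustworthy;
    # lower ones are supplied by the sender and may be forged.
    m = RECEIVED_RE.search((msg.get_all("Received") or [""])[0])
    if not m or KNOWN_RELAYS.get(m.group(1)) != m.group(2):
        clues.append("unfamiliar relay " + (f"{m.group(1)} [{m.group(2)}]" if m else "(none)"))
    name, _addr = parseaddr(msg.get("From", ""))   # real address undisclosed, name only
    if name != KNOWN_FROM_NAME:
        clues.append(f"From display name {name!r}")
    if msg.get("Subject", "").startswith("Stratfor:"):
        clues.append("unexpected Subject prefix")
    if msg.get_content_type() != "text/html":
        clues.append("plain-text body")
    for host in LINK_RE.findall(msg.get_payload()):
        if host != KNOWN_LINK_DOMAIN:
            clues.append(f"link to {host}")
    return clues

def sample(relay, ip, sender, subject, ctype, body):
    """Build a constructed raw message carrying the given header values."""
    return (f"Received: from {relay} ({relay} [{ip}]) by mx.example.invalid\n"
            f"From: {sender}\nSubject: {subject}\nContent-Type: {ctype}\n\n{body}\n")

# Constructed samples; the header values are the ones the post quotes.
FAKE = sample("zulu705.server4you.de", "188.138.100.209", "<george.friedman@stratfor.com>",
              "Hello", "text/plain", "Read it all here: http://leak.example.invalid/dump")
WARNING = sample("e213.en25.com", "209.167.231.213", "Stratfor <sender@example.invalid>",
                 "Stratfor: beware of fake e-mails", "text/html",
                 '<a href="http://en25.com/u">Click here</a> to unsubscribe from future emails')
REGULAR = sample("mail02.response.stratfor.com", "204.92.19.170", "STRATFOR <sender@example.invalid>",
                 "Geopolitical Weekly", "text/html",
                 'To manage your e-mail preferences <a href="http://app.response.stratfor.com/p">click here</a>')
```

Running `check_mailing` over the three samples yields four clues for the fake, the same four clues the post lists for the warning mail, and none for the regular mailing.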

STRATFOR has known about the breach since at least Dec 24/25, so I assume there has been plenty of time to get advice on coping with fake mailings. That was not yet the case on December 29th, though, when STRATFOR sent out this mailing, stating:

"(...) we will be sending our free Geopolitical Weekly and Security Weekly to you via email as we have always done. "

D'OH! STRATFOR just told 860k subscribers that they can expect regular e-mail from STRATFOR, seemingly not realizing that this creates momentum for any criminals among the 860k subscribers, who can now take advantage of the trust that STRATFOR (unwittingly) built in less paranoid subscribers. (Mind that I publicly mention this only after fake mailings started.)

For "company-approved communications", STRATFOR currently refers to their Facebook page and Twitter account. Which I hope are under their control.

4 comments:

  1. It's no surprise that Stratfor would be using a new email server to send out communications. They are evidently in the process of securing their old email server after the compromise. :-)

  2. @Security Leaders Group: I disagree. STRATFOR could have assigned the old hostnames and IP-addresses to the new server(s?) immediately, unless, and this IMHO is a necessary condition, there exists forensic purpose in keeping the compromised servers online at their own hostnames and IP addresses.

    The fact that a mailing from "STRATFOR" is received from a familiar hostname and IP address is an important clue, albeit an imperfect one, and certainly insufficient by itself, for distinguishing the real from the fake.

  3. Could have, yes. But imagine a company that is 90% IR and strategic analysts in the PR war room. "We have to do something to alert our community. Let's send out an email. We can't, the email server is offline. Our entire IT staff is gathering forensics and the outside security firm won't let us do anything. OK, someone set up a new email server and send it out..."

  4. @Security Leaders Group: very good point.
