IASI, ROMANIA (01/09/2012) – Emails in which security consultancy Stratfor appears to invite customers to rate its response to a recent security breach are not actually from its CEO, the company said.
Last month, Stratfor offered identity protection to its customers following the theft of their email addresses, payment details and other information from its website. Now some of those customers are being targeted by a phishing campaign purporting to be from the company’s founder and CEO George Friedman.
“There is a fraudulent email that appears to come from George.Friedman[at]Stratfor.com. I want to assure everyone that this is not my email address and that any communication from this address is not from me,” Friedman wrote on the company’s Facebook page on Friday. “Stratfor would never ask customers and friends to provide personal information through the type of attachment that was part of the email,” he continued.
Members of the hacktivist collective Anonymous claimed responsibility for breaching the security on Stratfor’s website in December. The hackers stole tens of gigabytes of confidential information, including customer details, credit card numbers, usernames, MD5 password hashes and email addresses.
The Stratfor website has been offline ever since the breach was discovered, and visitors are greeted by a temporary page informing them about the downtime. In the absence of its official hub of online communication, the company has relied on Facebook and Twitter to inform its customers.
The emails Friedman speaks about in his Facebook announcement were received last week by some of the Stratfor customers whose contact information was exposed during the breach.
Security experts from antivirus software vendor Sophos who analyzed the emails said the fraudulent messages instruct recipients to rate Stratfor’s incident response by clicking on a link. The link leads to a YouTube video of Rick Astley’s song Never Gonna Give You Up, a rather harmless Internet prank known as Rickrolling.
“Being Rickrolled is often funny,” wrote Chester Wisniewski, a senior security advisor at Sophos, but “it could have been a much more dangerous phishing attack.”
Phishing for personal information is a common practice for attackers who steal customer email databases from companies. During such data breaches, hackers obtain the email addresses and names of people who do business with the company they targeted. This information is usually enough to craft a believable phishing email.
In fact, the Rickroll email sent in Friedman’s name instructs recipients to fill out a form. “We would like to hear from our loyal client base as to our handling of the recent intrusion by those deranged, sexually deviant criminal hacker terrorist masterminds. Please fill out the following form and return it to me,” the rogue email reads.
The phrasing of this message should look suspicious to any recipient, since a large company’s CEO is unlikely to use such terminology in an official email. Nevertheless, the message is, at least conceptually, similar to a phishing email.