Social engineers have been sending malicious and fraudulent emails to Stratfor subscribers since the company's customer database was breached and subsequently published on Pastebin.
The latest attempt involves a cautionary email containing a PDF file purporting to come from Stratfor administrators. The email informs readers about a recent data breach and, ironically, warns them about the dangers of opening suspicious emails and attachments from “doubtful” sources. Readers are encouraged to follow a link in the email and download an AV scanner that will check their computer for some fictional virus.
Nobody who clicks that link receives an AV scanner of any kind. Instead, Adobe Reader displays a warning asking whether they trust the website; if they decide they do trust the site, they download a Win32/Zbot variant.
Microsoft detects both the Zbot variant and the PDF itself.
TechNet claims that the link in the email appeared legitimate until they examined the target address. The email lists the address of Stratfor in Austin, Texas. However, the target address does not lead to Stratfor’s home of Texas at all; rather, the URL appears to be located somewhere in Turkey.