LONDON (AP) — The loose-knit hacking movement "Anonymous"
claimed Sunday to have stolen thousands of credit card numbers and
other personal information belonging to clients of U.S.-based security
think tank Stratfor. One hacker said the goal was to pilfer funds from
individuals’ accounts to give away as Christmas donations, and some
victims confirmed unauthorized transactions linked to their credit
cards.
Anonymous boasted of stealing Stratfor’s confidential
client list, which includes entities ranging from Apple Inc. to the U.S.
Air Force to the Miami Police Department, and mining it for more than
4,000 credit card numbers, passwords and home addresses.
Austin,
Texas-based Stratfor provides political, economic and military analysis
to help clients reduce risk, according to a description on its YouTube
page. It charges subscribers for its reports and analysis, delivered
through the web, emails and videos. The company’s main website was down,
with a banner saying the "site is currently undergoing maintenance."
Proprietary
information about the companies and government agencies that subscribe
to Stratfor’s newsletters did not appear to be at any significant risk,
however, with the main threat posed to individual employees who had
subscribed.
"Not so private and secret anymore?" Anonymous taunted
in a message on Twitter, promising that the attack on Stratfor was just
the beginning of a Christmas-inspired assault on a long list of
targets.
Anonymous said the client list it had already posted was a
small slice of the 200 gigabytes worth of plunder it stole from
Stratfor and promised more leaks. It said it was able to get the credit
card details in part because Stratfor didn’t bother encrypting them — an
easy-to-avoid blunder which, if true, would be a major embarrassment
for any security-related company.
Fred Burton, Stratfor’s vice
president of intelligence, said the company had reported the intrusion
to law enforcement and was working with them on the investigation.
Stratfor has protections in place meant to prevent such attacks, he said.
"But
I think the hackers live in this kind of world where once they fixate
on you or try to attack you it’s extraordinarily difficult to defend
against," Burton said.
Hours after publishing what it claimed was
Stratfor’s client list, Anonymous tweeted a link to encrypted files
online with names, phone numbers, emails, addresses and credit card
account details.
"Not as many as you expected? Worry not, fellow
pirates and robin hoods. These are just the ‘A’s," read a message posted
online that encouraged readers to download a file of the hacked
information.
The attack is "just another in a massive string of
breaches we’ve seen this year and in years past," said Josh Shaul, chief
technology officer of Application Security Inc., a New York-based
provider of database security software.
Still, companies that
shared secret information with Stratfor in order to obtain threat
assessments might worry that the information is among the 200 gigabytes
of data that Anonymous claims to have stolen, he said.
"If an
attacker is walking away with that much email, there might be some very
juicy bits of information that they have," Shaul said.
Lt. Col.
John Dorrian, public affairs officer for the Air Force, said that "for
obvious reasons" the Air Force doesn’t discuss specific vulnerabilities,
threats or responses to them.
"The Air Force will continue to
monitor the situation and, as always, take appropriate action as
necessary to protect Air Force networks and information," he said in an
email.
Miami Police Department spokesman Sgt. Freddie Cruz Jr.
said that he could not confirm that the agency was a client of Stratfor,
and he said he had not received any information about a security breach
involving the police department.
Anonymous also linked to images
online that it suggested were receipts for charitable donations made by
the group manipulating the credit card data it stole.
"Thank you!
Defense Intelligence Agency," read the text above one image that
appeared to show a transaction summary indicating that an agency
employee’s information was used to donate $250 to a non-profit.
One receipt — to the American Red Cross — had Allen Barr’s name on it.
Barr,
of Austin, Texas, recently retired from the Texas Department of Banking
and said he discovered last Friday that a total of $700 had been spent
from his account. Barr, who has spent more than a decade dealing with
cybercrime at banks, said five transactions were made in total.
"It
was all charities, the Red Cross, CARE, Save the Children. So when the
credit card company called my wife she wasn’t sure whether I was just
donating," said Barr, who wasn’t aware until a reporter with the AP
called that his information had been compromised when Stratfor’s
computers were hacked.
"It made me feel terrible. It made my wife feel terrible. We had to close the account."
Wishing
everyone a "Merry LulzXMas" — a nod to its spinoff hacking group Lulz
Security — Anonymous also posted a link on Twitter to a site containing
the email, phone number and credit number of a U.S. Homeland Security
employee.
The employee, Cody Sultenfuss, said he had no warning before his details were posted.
"They
took money I did not have," he told The Associated Press in a series of
emails, which did not specify the amount taken. "I think ‘Why me?’ I am
not rich."
But the breach doesn’t necessarily pose a risk to
owners of the credit cards. A card user who suspects fraudulent activity
on his or her card can contact the credit card company to dispute the
charge.
Stratfor said in an email to members, signed by Stratfor
Chief Executive George Friedman and passed on to AP by subscribers, that
it had hired a "leading identity theft protection and monitoring
service" on behalf of the Stratfor members affected by the attack. The
company said it will send another email on services for affected members
by Wednesday.
Stratfor acknowledged that an "unauthorized party"
had revealed personal information and credit card data of some of its
members.
The company had sent another email to subscribers earlier
in the day saying it had suspended its servers and email after learning
that its website had been hacked.
One member of the hacking
group, who uses the handle AnonymousAbu on Twitter, claimed that more
than 90,000 credit cards from law enforcement, the intelligence
community and journalists — "corporate/exec accounts of people like Fox"
News — had been hacked and used to "steal a million dollars" and make
donations.
It was impossible to verify where credit card details
were used. Fox News was not on the excerpted list of Stratfor members
posted online, but other media organizations including MSNBC and
Al-Jazeera English appeared in the file.
Anonymous warned it has "enough targets lined up to extend the fun fun fun of LulzXmas through the
entire next week."
The
group has previously claimed responsibility for attacks on credit card
companies Visa Inc. and MasterCard Inc., eBay Inc.’s PayPal, as well as
other groups in the music industry and the Church of Scientology.
____________
Plushnick-Masti
reported from Houston. Associated Press writers Jennifer Kay in Miami
and Daniel Wagner in Washington, D.C. also contributed to this report.
_____________
Cassandra Vinograd can be reached at http://twitter.com/CassVinograd
Copyright 2011 The Associated Press.
