Interesting spear phising attempt against IT

["Basgen, Brian" <bbasgen () PIMA EDU>]

 Today we received an email from someone who graciously informed us that
some of our student web pages had been hacked. Of course, this happens
on occasion for the usual reasons (php, brute force, etc). In this case,
the webpages were converted into online Canadian pharmacies, and any
transaction would simply redirect to another domain name.

 The interesting thing is the fellow who told us about the hack. His
email included links to the hacked web pages. It was an html email, and
the embedded html had a few hidden links -- but many of them didn't make
sense (case.edu and google searches against berkley.edu and
hollywood.com). 

 The most interesting thing is the domain name the email came from:
tudorburden.com, which turns out to be registered to a "Tudor Burden"
living in Canada. Apparently, he has lost quite a few lawsuits regarding
fraudulent domain names:
        
http://www.wipo.int/amc/en/domains/decisions/html/2005/d2005-0313.html

 Has anyone heard of fraudsters hacking a web page and then informing
you about the hack? We are diving into logs to try to discern what his
greater goal is: we've been looking for trojans and/or spyware but
haven't found any yet. It is a bit strange, so I'm wondering if anyone
has had experience with this kind of thing in the past? 

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College