Fake emails exploited FBI email service to warn of phony cyberattacks

The FBI is usually a key source that tries to help people combat cyberattacks and security threats. But in an unusual twist, the law enforcement agency has found itself the victim of an exploit.

SEE: Security incident response policy (TechRepublic Premium)

On Saturday, spam tracker Spamhaus tweeted that it had learned of “scary” emails being sent purportedly from the FBI and Department of Homeland Security (DHS). One such email warned the recipient that they were hit by a sophisticated chain attack, potentially causing severe damage to their infrastructure. Though the emails were sent from a portal owned by the FBI and DHS, Spamhaus said that the messages themselves were fake.

Based on an investigation by Spamhaus, the phony warning emails were sent to addresses taken from the database of the American Registry for Internet Numbers (ARIN), a nonprofit organization that manages IP addresses and resources. Spamhaus said that the emails were causing a lot of disruption because the message headers were real, meaning they came from the FBI’s own infrastructure, though they had no names or contact details.

In its own message released on Saturday, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said they were aware of the incident with fake emails sent from an ic.fbi.gov email address and reported that the affected hardware had been taken offline.

In a follow-up message sent out on Sunday, the agency said that a software misconfiguration temporarily let someone access the Law Enforcement Enterprise Portal (LEEP) to send phony emails. The FBI uses the LEEP site to communicate with state and local law enforcement officials.

“While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service,” the agency said. “No actor was able to access or compromise any data or PII [personally identifiable information] on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”

Often, the identity of the actual culprit behind this type of attack remains a mystery. But in this case, the hacker seemed all too happy to reveal themselves. In an email sent to KrebsOnSecurity author Brian Krebs, a hacker named pompompurin took responsibility for the incident.

In an interview with KrebsOnSecurity, pompompurin said that the hack was done to highlight a glaring vulnerability in the FBI’s system. This person told Krebs that their illicit access to the FBI’s email system started with an exploration of LEEP. Before this incident, LEEP would let anyone apply for an account to communicate with the FBI. As part of the registration process, the LEEP site sends out an email confirmation with a one-time passcode.

Pompompurin said that the FBI’s own site leaked that passcode in its HTML code. Armed with that passcode, the hacker said that they sent themselves an email from a specific FBI address. From there, they used a script to replace the initial email with a different subject line and message and then sent an automated hoax message to thousands of addresses derived from the ARIN database.

“I could’ve 1000% used this to send more legit looking emails, trick companies into handing over data etc.,” pompompurin told Krebs. “And this would’ve never been found by anyone who would responsibly disclose, due to the notice the feds have on their website.”

SEE: Hackers are getting better at their jobs, but people are getting better at prevention (TechRepublic)

The sample email posted by Spamhaus on Twitter not only tried to strike fear among its recipients but also attempted to discredit an individual named Vinny Troia, a cybersecurity expert and founder of darkweb intelligence firm Shadowbyte.

“Responsibility for the attack has allegedly been claimed by a black hat hacker known on Twitter under handle, @pompompur_in, who is a known associate of the ShinyHunters hacker group,” said Chris Morgan, senior cyber threat intelligence analyst at security firm Digital Shadows. “Pompompurin is highly active on cybercriminal forum RaidForums, where the user has continually targeted security researcher Vinny Troia since early 2021.”

Why compromise an FBI service other than to make the agency look foolish?

“There were several likely motivations: highlighting a security vulnerability, pranking Vinny Troia by falsely attributing them in the fake email, and taking an opportunity to troll the FBI’s security,” Morgan said. “Many companies would have been rushed into incident response during the early periods of Monday morning, so it appears the actor responsible for the emails will have achieved their goal of creating mischief.”

This attack shows that even emails sent from legitimate sources aren’t necessarily to be trusted.

“The latest security incident resulting from fake emails being sent from the Law Enforcement Enterprise Portal (LEEP) is a reminder that cybercriminals will look for techniques to deliver malicious content under the disguise of legitimate services,” said Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify. “This time, coming from a legitimate FBI email address. It’s always important to verify everything, even if it is coming from a legitimate source.  Remember, Zero Trust is also about having Zero Assumptions.”

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays

Sign up today

Also see