
Misconfigured FBI Email System Abused to Run Hoax Campaign

100,000 Emails From Legitimate FBI Domain Falsely Warned of Cyberattack

The FBI says it has fixed a software misconfiguration that was abused to send hoax emails, from a legitimate FBI domain address, falsely warning of a cyberattack.


As many as 100,000 hoax emails were sent in two waves early Saturday morning that purported to come from the FBI and the Department of Homeland Security, according to the spam watchdog group Spamhaus Project.

Spamhaus said while the emails were sent from infrastructure owned by the FBI and its parent agency, DHS, the emails were indeed fake. The emails originated from the address "eims@ic.fbi.gov."

The FBI says the misconfiguration involved the Law Enforcement Enterprise Portal, or LEEP, which allows state, local and federal agencies to share information, including sensitive documents. The portal also supports a Virtual Command Center, which allows law enforcement agencies to share real-time information about events such as shootings and child abductions.

Although the abused email server is operated by the FBI, the bureau issued an updated statement Sunday noting that the server is not part of the bureau's corporate email service, and that no classified systems or personally identifiable information was compromised.

"No actor was able to access or compromise any data or PII on the FBI's network," the FBI says. "Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks."

'Threat Actor in Systems'

The hacker-crafted note, a copy of which has been released by Spamhaus, warned that data had potentially been exfiltrated. The bogus emails attempted to pin the blame for the efforts on security researcher Vinny Troia, who is the founder of the darknet intelligence companies Night Lion and Shadowbyte.

Troia is a frequent target of opprobrium for his security research on hacking forums such as Raid, and regularly gets falsely accused of launching online attacks.

A threat actor who goes by the Twitter nickname Pompompurin has since claimed credit for the incident, computer security journalist Brian Krebs reports.

Rather than referring to the incident as a hack attack, calling it trickery would be more accurate, says information security expert Rob Graham, head of Georgia-based consultancy Errata Security.

The FBI server allowed people to register for LEEP and as part of that process would send a confirmation email, Graham says in a blog post. But rather than generating the confirmation email on the server, it was generated within the web page. Because that content gets pushed to an individual's browser, "it means hackers can modify the web page on their own computer to send different confirmation emails - ones that don't look like confirmations at all," Graham writes.

In this case, Graham says the attacker changed the "subject" and "textcontent" fields during the account creation process, leading the FBI server to use that content when sending the confirmation email. The attacker then automated the process, reading a file with 100,000 email addresses and dispatching a confirmation to each.
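The flaw Graham describes, sketched as an added example beside a hardened version; this is not code from the FBI portal or from Graham's post. The function names, the message template, the per-source limit and the sample request are all assumptions; only the "subject" and "textcontent" field names come from the article.

```python
import re
import secrets

# All names below are hypothetical; this is not the LEEP portal's code.
CONFIRM_SUBJECT = "Confirm your account registration"
CONFIRM_BODY = "Enter this one-time code to finish registering: {code}"
MAX_MAILS_PER_SOURCE = 3  # assumed limit on confirmations per client address
_EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def build_confirmation_vulnerable(form):
    """Flawed pattern: the server mails whatever subject/body the browser posts."""
    return {"to": form["email"], "subject": form["subject"],
            "body": form["textcontent"]}

def build_confirmation_hardened(form, source, sent, pending):
    """Server-built message: only the recipient address comes from the request."""
    email = form.get("email", "")
    # fullmatch rejects whitespace and line breaks, so no header can be appended.
    if not _EMAIL_RE.fullmatch(email):
        raise ValueError("invalid recipient address")
    # Cap how many confirmations one source can trigger (blunts bulk automation).
    if sent.get(source, 0) >= MAX_MAILS_PER_SOURCE:
        raise PermissionError("confirmation limit reached for this source")
    sent[source] = sent.get(source, 0) + 1
    code = secrets.token_urlsafe(16)
    pending[email] = code  # checked later when the user submits the code
    # Any "subject" or "textcontent" in the request is ignored entirely.
    return {"to": email, "subject": CONFIRM_SUBJECT,
            "body": CONFIRM_BODY.format(code=code)}

# Constructed request in which the client-side fields have been edited.
TAMPERED_FORM = {"email": "recipient@example.org",
                 "subject": "SUBJECT CHOSEN BY SENDER",
                 "textcontent": "Body text chosen by sender"}

if __name__ == "__main__":
    sent, pending = {}, {}
    print(build_confirmation_vulnerable(TAMPERED_FORM))
    print(build_confirmation_hardened(TAMPERED_FORM, "203.0.113.7", sent, pending))
```
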

Many of those email addresses that received the fake messages appear to have been scraped from a public database belonging to the American Registry for Internet Numbers, Spamhaus says in a tweet. ARIN manages IP addresses and network allocations within North America and parts of the Caribbean.

Executive Editor Jeremy Kirk contributed to this report.


About the Author

Dan Gunderman


News Desk Staff Writer

As staff writer on the news desk at Information Security Media Group, Gunderman covers governmental/geopolitical cybersecurity updates from across the globe. Previously, he was the editor of Cyber Security Hub, or CSHub.com, covering enterprise security news and strategy for CISOs, CIOs and top decision-makers. He also formerly was a reporter for the New York Daily News, where he covered breaking news, politics, technology and more. Gunderman has also written and edited for such news publications as NorthJersey.com, Patch.com and CheatSheet.com.



