Cyber criminals have compromised the FBI’s email system, sending hundreds of thousands of people spam messages warning of a cyber attack.
The attacker’s motives were initially unclear. The FBI confirmed that no personal data was exposed beyond the recipients’ email addresses.
The emails contained no malicious attachments or links, which suggests that the recipients themselves were not the target of an attack.
The sender’s purpose became clearer when the person responsible spoke to the cyber security journalist Brian Krebs.
The individual, who goes by the name Pompompurin, said the emails were intended to highlight a vulnerability in the FBI website.
“I could’ve 1000% used this to send more legit looking emails, trick companies into handing over data etc.,” Pompompurin said.
“And this would’ve never been found by anyone who would responsibly disclose, due to the notice the feds have on their website.”
What did the email say?
A copy of the message was posted on Twitter by the Spamhaus Project, an international watchdog that tracks cyberthreats.
These fake warning emails are apparently being sent to addresses scraped from ARIN database. They are causing a lot of disruption because the headers are real, they really are coming from FBI infrastructure. They have no name or contact information in the .sig. Please beware!— Spamhaus (@spamhaus) November 13, 2021
The email purports to be from the US Department of Homeland Security Cyber Threat Detection and Analysis Group, which no longer exists. The subject line reads: “Urgent: Threat actor in systems”.
The message itself is a largely incoherent, jargon-filled warning of an ongoing cyber attack, and it refers to the criminal group The Dark Overlord.
It also claims that the “threat actor” is the cyber security researcher and author Vinny Troia.
This isn’t the first time this has happened. Members of the RaidForums hacking community have an ongoing feud with Troia, and are known to deface websites and attribute the defacements to him.
That is why Troia doesn’t accept that this message was simply intended to highlight a website vulnerability. He says he is the victim of a smear campaign. As he told the Washington Post:
“These are very childish actions intended to discredit me for putting out a report which exposed his identity and involvement in several other hacking groups.”
He adds: “He is becoming bolder and much more blatant with his attacks.”
What information was exposed?
After analysing the emails’ metadata, Spamhaus wrote on Twitter that the attacker was “causing a lot of disruption because the headers are real, they really are coming from FBI infrastructure”.
The FBI confirmed that the headers were genuine, but said the emails didn’t come from its corporate email service. They were sent from the LEEP (Law Enforcement Enterprise Portal) system, which is used to communicate with state and local officials.
Pompompurin said the attack was possible because of a coding error on the LEEP website. The portal sends a one-time passcode by email as part of its sign-up process, and the flaw meant that the content of that email could be controlled by whoever submitted the request, so the portal sent the hoax message instead of its normal confirmation. Because the mail was generated by the FBI’s own system, it passed every check a recipient would normally apply to the sender.
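The pattern described above, shown as an added example written for this page rather than code taken from the LEEP site: a sign-up handler that emails a one-time passcode, in a weak form that also lets the submitted form supply the message’s subject and body, beside a hardened form in which only a validated recipient address comes from the request and the text comes from a server-side template. The exact shape of the LEEP bug is not stated in this article, so this is an assumption about how such a flaw typically looks; the function names, the sender address and the sample form contents are made up for the illustration.

```python
"""One-time-passcode confirmation mail: request-controlled content versus a
fixed server-side template. Added example; not the LEEP portal's code."""
import re
import secrets
import string
from dataclasses import dataclass

SENDER = "noreply@portal.example"          # assumed sender; not a real FBI address
FIXED_SUBJECT = "Your one-time passcode"   # assumed wording of the legitimate mail
OTP_LENGTH = 6

# Conservative recipient check: one local part, one domain, and nothing else.
# Whitespace and CR/LF are rejected so a caller cannot smuggle extra headers
# (Bcc:, Reply-To:, ...) into the message through the address field.
RECIPIENT_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


@dataclass(frozen=True)
class OutboundMail:
    sender: str
    recipient: str
    subject: str
    body: str


def generate_otp() -> str:
    """Server-generated numeric code drawn from a CSPRNG."""
    return "".join(secrets.choice(string.digits) for _ in range(OTP_LENGTH))


def is_valid_recipient(address: str) -> bool:
    """True only for a plain single address with no header-injection characters."""
    return isinstance(address, str) and RECIPIENT_RE.fullmatch(address) is not None


def build_otp_mail_vulnerable(form: dict) -> OutboundMail:
    """Weak pattern: the sign-up form's own 'subject' and 'body' fields are
    copied into the confirmation e-mail. Anyone who can submit the form (or
    replay the request with edited fields) decides what the portal sends, and
    the result still carries the portal's genuine sender and mail headers."""
    otp = generate_otp()
    return OutboundMail(
        sender=SENDER,
        recipient=form["email"],
        subject=form.get("subject", FIXED_SUBJECT),
        body=form.get("body", "Your one-time passcode is below.") + f"\n\nCode: {otp}",
    )


def build_otp_mail_hardened(form: dict) -> tuple[OutboundMail, str]:
    """Hardened pattern: the only request-controlled value that reaches the
    message is the recipient address, and it is validated first. Subject and
    body come from a server-side template; any other fields in the form are
    never read. The OTP is returned separately so the caller can store a hash
    of it for later verification."""
    recipient = form.get("email", "")
    if not is_valid_recipient(recipient):
        raise ValueError("invalid recipient address")
    otp = generate_otp()
    body = (
        "A one-time passcode was requested for this address.\n"
        f"Code: {otp}\n"
        "If you did not request it, ignore this message."
    )
    return OutboundMail(SENDER, recipient, FIXED_SUBJECT, body), otp


# Constructed sample: a sign-up POST whose optional fields have been edited.
# The body text is made up for this example; it is not the real hoax message.
HOAX_FORM = {
    "email": "recipient@example.net",
    "subject": "Urgent: Threat actor in systems",
    "body": "We have detected a threat actor in your network. Act now.",
}


if __name__ == "__main__":
    weak = build_otp_mail_vulnerable(HOAX_FORM)
    print("vulnerable handler sends:", weak.subject, "/", weak.body.splitlines()[0])
    safe, _code = build_otp_mail_hardened(HOAX_FORM)
    print("hardened handler sends:  ", safe.subject, "/", safe.body.splitlines()[0])
```

Run stand-alone, the weak handler emits the attacker’s subject and opening line under the portal’s own sender, while the hardened handler emits the fixed subject and template regardless of what else the form contained. The design point is that the hardened code never reads the extra fields at all, so there is no sanitising step to get wrong; a real deployment would also rate-limit sign-ups and log requests carrying fields the server did not ask for.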
Coding errors like these are surprisingly common. This incident stands out only because it occurred on a government website, and the FBI is lucky that Pompompurin chose a relatively benign payload.
Other organisations may not be so lucky, which is why it’s paramount to have a secure development policy that requires user-facing code to be reviewed and tested before it goes live.
The requirements for creating a secure development policy are outlined in Annex A.14 of ISO 27001.
By following its guidelines, you can ensure that coders follow best practices, that mistakes are picked up on and that your organisation has the necessary technical safeguards.
You can find out more with our ISO 27001 Toolkit, which contains a secure development policy template.