FBI Email—‘Threat Actor in Systems’—is Spam - Security Boulevard

FBI Email—‘Threat Actor in Systems’—is Spam

Mountains of email spam, from a legit FBI address, were sent to victims by a pseudonymous hacker. The sender, who calls himself Pompompurin, caused much consternation and grief.

The perp’s aim seems to be to discredit security researcher and part-time DJ “Dr.” Vinny Troia (pictured). And also to point out the laughably poor engineering of the bureau’s Law Enforcement Enterprise Portal (LEEP)—this could have been so much worse.

There are lessons to be learned. In today’s SB Blogwatch, we teach them.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: TIL “dating sims” are a thing.

LEEP L337 Lies

What’s the craic? Ionut Ilascu reports—“FBI system hacked to email ‘urgent’ warning”:

Helpdesk is flooded with calls
The emails pretended to warn about a “sophisticated chain attack” from an advanced threat actor, who they identify as Vinny Troia. Troia is the head of security research of the dark web intelligence companies NightLion and Shadowbyte

Researchers at the Spamhaus Project, an international nonprofit that tracks spam and associated cyber threats [said] the fake emails reached at least 100,000 mailboxes. … They believe this is just a small part of the campaign.

The messages came from a legitimate email address – [email protected] [and] came from FBI’s IP address 153.31.119.142. … Its origin is verified by the DomainKeys Identified Mail (DKIM) mechanism. … The FBI confirmed that the content of the emails is fake and that … their helpdesk is flooded with calls from worried administrators.

And Brian Krebs cycles deeper—“Hoax Email Blast Abused Poor Coding”:

FBI’s own website leaked
Pompompurin … the person who claimed responsibility for the hoax, [says] the spam messages were sent by abusing insecure code in an FBI online portal. … The LEEP portal allowed anyone to apply for an account. … A critical step in that process says applicants will receive an email confirmation from [email protected] with a one-time passcode [but] the FBI’s own website leaked that one-time passcode in the HTML code of the web page.

Pompompurin said they were able to send themselves an email from [email protected] by editing the request sent to their browser and changing the text in the message’s “Subject” field and “Text Content” fields. … A simple script replaced those parameters with his own message subject and body, and automated the sending of the hoax.

LEEP? Simon Sharwood says—“We want to believe”:

Secure environment
The server in question was part of LEEP, which the FBI describes as “a secure platform for law enforcement agencies, intelligence groups, and criminal justice entities [that] provides web-based investigative tools and analytical resources” for other law enforcement agencies. “Users collaborate in a secure environment.”

Or at least that’s what they do when they’re not trying to figure out what “exfiltration of several of your virtualized clusters in a sophisticated chain attack” means. But we digress.

What does the Bureau have to say for itself? Shadowy PR gnomes emit this“FBI Statement on Incident”:

Be cautious of unknown senders
The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage … LEEP to send fake emails. … While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service.

No actor was able to access or compromise any data or PII on the FBI’s network. … The impacted hardware was taken offline quickly upon discovery of the issue. We continue to encourage the public to be cautious of unknown senders and urge you to report suspicious activity to ic3.gov or cisa.gov.

SRSLY? “Be cautious of unknown senders”? That’s the entire point—the sender isn’t unknown! xhkkffbf sounds ready to give up:

If I were to get an email from “fbi.gov”, I would assume it belongs in the same pile as the great offers from that Nigerian prince. Even if I look at the headers, I wouldn’t be convinced.

Perhaps we should try harder to create a public key infrastructure for email.

Who is responsible for that (ahem) “misconfiguration”? Retired ICS wants them to get off their lawn:

So it would appear that the FBI uses the same kiddies to generate the same old standard pile of highly-vulnerable-to-misuse **** as everyone else. In general this is a wattage problem. It only stands to reason that the FBI would be subjected to the same wattage problem as everyone else since they get their light-bulbs at the same store.

But poor old Vinny. Sympathy is not an emotion seconded by u/Fr0gm4n:

Troia is a self aggrandizing, self important, “security consultant” whose public image is media personality first, actual security professional second. His website was hacked a few years go serving up spam redirects and I still laugh whenever his name comes up.

But what of the trolling hacker? Here’s Chris Holland:

Pompouspurin has just poked a stick into a massive nest of angry hornets. He’s going to get badly stung for what was a pointless zero revenue activity.

Meanwhile, Isaac—@eyestray—has some positive affirmations for the FBI:

Good example of: …
1) It will happen to everyone, and
2) manage your scope so that when it does, the impact is minimized.

Do not feel bad when you say, “It could have been worse.” Instead, know that you did your job.

And Finally:

Come back ELIZA—all is forgiven

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Vinny Troia

Featured eBook
Managing the AppSec Toolstack

Managing the AppSec Toolstack

The best cybersecurity defense is always applied in layers—if one line of defense fails, the next should be able to thwart an attack, and so on. Now that DevOps teams are taking  more responsibility for application security by embracing DevSecOps processes, that same philosophy applies to security controls. The challenge many organizations are facing now ... Read More
Security Boulevard

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 303 posts and counting.See all posts by richi