System administrators were recently awakened by terrifying emails from an email address associated with the FBI claiming that a threat actor has compromised their systems. It turns out the emails were fake, however, and seem to have been enabled by a flaw in an FBI website.
A threat intelligence firm called Spamhaus revealed the fake emails just after 4 a.m. on Nov. 13. The messages themselves weren’t particularly believable, but the email headers indicated they were indeed sent from the FBI, which made figuring out how to respond to them more difficult.
The FBI acknowledged the problem on Nov. 13 but didn’t offer additional details about what happened. Then it released an updated statement about the issue on Nov. 14:
The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners. While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.
Brian Krebs of KrebsOnSecurity reports that someone calling themselves “Pompompurin” sent the fake emails to reveal a flaw in LEEP’s sign-up process. The site reportedly used one-time passwords to confirm that new users could receive emails at the address they entered, but those passwords were revealed in the web page’s HTML file, thereby allowing people to bypass this verification process and create accounts associated with any email address they wished.
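The flaw Krebs describes is a general anti-pattern: an email-verification code that the server writes into the HTML it sends to the browser proves nothing, because the client can read the expected value before "confirming" it. The following Python sketch is an added illustration, not LEEP's code or anything published about it; the page names, field names, ten-minute lifetime and five-attempt limit are assumptions. It places the leaky pattern beside a hardened one in which the code is generated server-side, only an HMAC of it is stored, it is compared in constant time, expires, is single-use, and never appears in the page.

```python
import hmac
import html
import secrets
import time

OTP_TTL_SECONDS = 600   # assumed lifetime of a pending code
MAX_ATTEMPTS = 5        # assumed number of wrong guesses before the code is discarded
# Per-deployment secret used to HMAC stored codes; generated here for the example.
SERVER_KEY = secrets.token_bytes(32)


def render_signup_page_vulnerable(email, otp):
    """Anti-pattern: the expected code is embedded in the page the browser receives."""
    return (
        '<form method="post">\n'
        f'  <input type="hidden" name="email" value="{html.escape(email)}">\n'
        f'  <input type="hidden" name="expected_otp" value="{html.escape(otp)}">\n'
        '  <input name="otp" placeholder="Enter the code we emailed you">\n'
        '</form>'
    )


def verify_vulnerable(submitted_otp, expected_otp_from_form):
    """Both values arrive from the client, so the client decides the outcome."""
    return submitted_otp == expected_otp_from_form


class OtpStore:
    """Server-side record of pending codes; only an HMAC of each code is kept."""

    def __init__(self):
        # email -> {"mac": bytes, "expires": float, "attempts": int}
        self._pending = {}

    @staticmethod
    def _mac(otp):
        return hmac.new(SERVER_KEY, otp.encode(), "sha256").digest()

    def issue(self, email, now=None):
        """Create a six-digit code for this address; the return value goes to the mailer only."""
        now = time.time() if now is None else now
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[email] = {
            "mac": self._mac(otp),
            "expires": now + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return otp

    def verify(self, email, submitted, now=None):
        """Constant-time check against the stored HMAC, with expiry, lockout and single use."""
        now = time.time() if now is None else now
        rec = self._pending.get(email)
        if rec is None:
            return False
        if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[email]
            return False
        rec["attempts"] += 1
        if hmac.compare_digest(rec["mac"], self._mac(submitted)):
            del self._pending[email]  # a code is consumed on first success
            return True
        return False


def render_signup_page_hardened(email):
    """The page carries nothing the server does not already know from the request."""
    return (
        '<form method="post">\n'
        f'  <input type="hidden" name="email" value="{html.escape(email)}">\n'
        '  <input name="otp" placeholder="Enter the code we emailed you">\n'
        '</form>'
    )


def page_leaks_code(page, otp):
    """Review check: does the HTML sent to the browser contain the code itself?"""
    return otp in page
```

The `page_leaks_code` check is the kind of assertion a code review or integration test can run against every response of a verification flow: if the secret the user is supposed to receive out of band is also present in the response body, the verification step is decorative. The hardened store also keeps only an HMAC of the code, so a leaked database record does not hand over the code either.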
“I could’ve 1000% used this to send more legit looking emails, trick companies into handing over data etc.,” Pompompurin reportedly told Krebs. “And this would’ve never been found by anyone who would responsibly disclose, due to the notice the feds have on their website.”
Pompompurin also used the opportunity to defame Vinny Troia, a cybersecurity researcher, by identifying him as the threat actor in the hoax emails. Troia predicted Pompompurin was behind the spam on Nov. 13, and the two have been engaged in a back-and-forth on Twitter since.
The hoax emails might have been meant to draw attention to the flaw in LEEP, then, but they also served the double purpose of spreading misinformation about Troia via the FBI’s email infrastructure. Sysadmins concerned about their own networks were merely caught in the middle.