Misconfigured FBI Email System Abused to Run Hoax Campaign100,000 Emails From Legitimate FBI Domain Falsely Warned of Cyberattack
The FBI says it has fixed a software misconfiguration that was abused to send hoax emails, from a legitimate FBI domain address, falsely warning of a cyberattack.
As many as 100,000 hoax emails were sent in two waves early Saturday morning that purported to come from the FBI and the Department of Homeland Security, according to the spam watchdog group Spamhaus Project.
Spamhaus said while the emails were sent from infrastructure owned by the FBI and its parent agency, DHS, the emails were indeed fake. The emails originated from the address "email@example.com."
The FBI says the misconfiguration involved the Law Enforcement Enterprise Portal, or LEEP, which allows state, local and federal agencies to share information, including sensitive documents. The portal also supports a Virtual Command Center, which allows law enforcement agencies to share real-time information about events such as shootings and child abductions.
Although the abused email server is operated by the FBI, the bureau issued an updated statement Sunday noting that the server is not part of the bureau's corporate email service, and that no classified systems or personally identifiable information was compromised.
"No actor was able to access or compromise any data or PII on the FBI's network," the FBI says. "Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks."
'Threat Actor in Systems'
The hacker-crafted note, a copy of which has been released by Spamhaus, warned that data had potentially been exfiltrated. The bogus emails attempted to pin the blame for the efforts on security researcher Vinny Troia, who is the founder of the darknet intelligence companies Night Lion and Shadowbyte.
Troia is a frequent target of opprobrium for his security research on hacking forums such as Raid, and regularly gets falsely accused of launching online attacks.
These emails look like this:
Sending IP: 220.127.116.11 (https://t.co/En06mMbR88)
Subject: Urgent: Threat actor in systems pic.twitter.com/NuojpnWNLh— Spamhaus (@spamhaus) November 13, 2021
The FBI server allowed people to register for LEEP and as part of that process would send a confirmation email, Graham says in a blog post. But rather than generating the confirmation email on the server, it was generated within the web page. Because that content gets pushed to an individual's browser, "it means hackers can modify the web page on their own computer to send different confirmation emails - ones that don't look like confirmations at all," Graham writes.
In this case, Graham says the attacker changed the "subject" and "textcontent" fields during the account creation process, leading the FBI server to use that content when sending the confirmation email. The attacker then used automation to have it read a file with 100,000 email addresses and dispatch confirmations to them all.
Many of those email addresses that received the fake messages appear to have been scraped from a public database belonging to the American Registry for Internet Numbers, Spamhaus says in a tweet. ARIN manages IP addresses and network allocations within North America and parts of the Caribbean.
Executive Editor Jeremy Kirk contributed to this report.