Malicious actors were able to access FBI servers to send fake emails from its infrastructure due to a coding oversight, the US agency has admitted.
Late last week, tens of thousands of emails were sent from FBI addresses warning recipients of impending cyber-attacks.
Among the targets was investigative reporter Brian Krebs, who noted that the email’s message headers “indicated it had indeed been sent by the FBI, and from the agency’s own internet address”.
Vulnerability
According to Krebs, he was contacted by an individual named as ‘Pompompurin’, who claimed responsibility for the incident and said they took advantage of a vulnerability in the FBI’s own systems to carry it out.
“I could’ve 1000% used this to send more legit looking emails, trick companies into handing over data etc,” Pompompurin said, according to Krebs.
“And this would’ve never been found by anyone who would responsibly disclose, due to the notice the feds have on their website.”
Leaked OTP
The vulnerability was in the Law Enforcement Enterprise Portal (LEEP), a federal gateway allowing agencies access to shared resources. According to Pompompurin, the oversight leaked a one-time passcode.
“Basically, when you requested the confirmation code [it] was generated client-side, then sent to you via a POST Request,” Pompompurin told Krebs. “This post request includes the parameters for the email subject and body content.”
A script then replaced those parameters with his own message subject and body, automated the sending of the hoax message to thousands of email addresses.
A statement from the FBI released yesterday (November 14) confirmed that the emails were sent from a legitimate server.
It reads: “While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service.
“No actor was able to access or compromise any data or PII on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”
Further questions
Security research team Spamhaus, which has been tracking the campaign, posted a screenshot of one of the emails on Twitter.
Spamhaus noted that emails claim the perpetrator is named ‘Vinny Troia’ – the same name as a US author who has published books about cybercrime – and is associated with cybercrime gang ‘Dark Overlord’.
Troia himself has refuted his involvement, and has claimed on his Twitter account that he will “expose the identity of the FBI hacker” in an upcoming blog.
