FBI mail server compromised to send false alerts


False security alerts were sent from what should have been secure FBI servers. The powerful US intelligence agency has acknowledged the existence of a loophole, while a hacker claimed responsibility. A look back at an affair that is embarrassing for the famous agency, though not a serious one.

This is a case the US domestic intelligence service would gladly have done without. Over the weekend of November 13 and 14, several thousand people received an “urgent” email from the FBI. “Urgent: Actor threatening in the systems”, read the subject line of this message, sent from the address [email protected], a legitimate e-mail address of the agency. The email purported to warn of a “Sophisticated chain (cyber) attack”, using exaggerated wording. Its author went on to add: “We have identified the threat actor as Vinny Troia, who is said to be affiliated with the extortion gang TheDarkOverlord”.

This curious message landed in many mailboxes and caught the attention of Spamhaus. This non-profit organization, which specializes in the fight against spam and phishing, quickly raised the alarm on social media. It explained that these messages are false security alerts, even though they originate from infrastructure owned by the FBI. In total, the Spamhaus Project told the BleepingComputer site that at least 100,000 mailboxes received these fake emails, and that this is a very conservative estimate.

The fake email came from an FBI server. © Spamhaus

What happened?

According to Spamhaus, the email and IP address do belong to the FBI and come from the Law Enforcement Enterprise Portal (LEEP). Presented as a secure platform, it allows the Federal Bureau of Investigation to interact with other law enforcement agencies. The agency was quick to respond and issued a press release confirming that its service had been compromised. “The FBI is aware of a software misconfiguration that temporarily allowed an actor to take advantage of the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is the FBI’s IT infrastructure used to communicate with our state and local law enforcement partners”, it states.

“Although the illegitimate email came from a server operated by the FBI, that server was dedicated to sending notifications for LEEP and was not part of the FBI corporate email service. No actor has been able to access or compromise any data or personal information on the FBI network”, adds the agency. Rather than a hack, the FBI therefore confirms that the vulnerability was linked to “A bad configuration” in a website it manages. “As soon as we became aware of the incident, we quickly remedied the vulnerability of the software, we warned our partners to ignore fake emails and we confirmed the integrity of our networks”, adds the press release.

On the other hand, the FBI remains unclear on the origin of the attack and its motivations. The author of the message refers in particular to Vinny Troia, a computer security researcher and respected figure in the sector. A feud between the expert and the RaidForums hacker community could explain this attempt at discrediting him. Far from fitting the profile of a hacker, the latter also made light of the affair on his Twitter account.

The attack could have done more damage

Journalist Brian Krebs tried to find out more by getting in touch with a certain “Pompompurin”. The latter claims to be behind this attack and provides information on his motivations and the method used. He first confides that this “hack” was intended to “Highlight a glaring vulnerability in the FBI system”. The perpetrator of the attack also confirms that he could have used the FBI server to steal information or set up a scam. “I could have used that 1000% to send more legitimate emails, to entice companies to transmit data, etc.”, he specifies. Regarding the method, he explains that he was able to send himself an e-mail from [email protected] by modifying the request sent by his browser, changing the text in the “Subject” and “Text content” fields of the message.

“In fact, when you asked for the confirmation code, it was generated on the client side, then sent via a POST request (…) This POST request includes the parameters of the subject and body of the email”, indicates Pompompurin. He adds that he used a disposable address for his test and that a simple script allowed him to replace the subject and the content of the message. “Needless to say, it’s a horrible thing to see on any website”, says Pompompurin. “I have seen it several times before, but never on a government site, and even less on a site managed by the FBI”.
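The flaw Pompompurin describes is a classic one: the server mails out whatever subject and body the client puts in the POST, and the confirmation code itself is generated in the browser. The following is an added example written for this article, not code from the LEEP portal or from anyone quoted here. It simulates a registration-code endpoint in two forms: a vulnerable handler that mirrors the behaviour described, and a hardened one where the server rejects unexpected fields, generates the code itself, stores it server-side and renders a fixed template. The sender address, template text and the in-memory code store are all constructed stand-ins.

```python
import re
import secrets
import hmac
from dataclasses import dataclass

# Constructed placeholder; the real sender address is redacted on the page.
SENDER = "noreply@example.gov"

# Constructed server-side store (recipient -> pending code); a real
# deployment would use a database or session store with expiry.
PENDING_CODES: dict[str, str] = {}

# Hypothetical fixed message text, owned by the server, never by the client.
SUBJECT_TEMPLATE = "Your portal registration code"
BODY_TEMPLATE = ("Your confirmation code is {code}. "
                 "If you did not request this, ignore this message.")

# Only the recipient is accepted from the client.
ALLOWED_FIELDS = {"email"}
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class OutboundMail:
    sender: str
    recipient: str
    subject: str
    body: str


def vulnerable_send_confirmation(post_params: dict) -> OutboundMail:
    """Mirrors the described flaw: the confirmation code was produced in the
    browser and the POST carried the subject and body, which the server
    simply forwarded to its mail system as-is."""
    return OutboundMail(SENDER, post_params["email"],
                        post_params["subject"], post_params["body"])


def hardened_send_confirmation(post_params: dict) -> OutboundMail:
    """Same endpoint with the content decisions moved to the server."""
    # 1. Reject any field the endpoint does not expect (subject, body, ...).
    extra = set(post_params) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"unexpected fields: {sorted(extra)}")
    # 2. Validate the one client-controlled value.
    email = post_params.get("email", "")
    if not _EMAIL_RE.match(email):
        raise ValueError("invalid recipient")
    # 3. Generate the code server-side with a CSPRNG and remember it.
    code = secrets.token_hex(4).upper()
    PENDING_CODES[email] = code
    # 4. Render a fixed template; nothing from the request reaches the body
    #    except the validated recipient address.
    return OutboundMail(SENDER, email, SUBJECT_TEMPLATE,
                        BODY_TEMPLATE.format(code=code))


def verify_code(email: str, submitted: str) -> bool:
    """Check a submitted code against the server-side record, single use."""
    expected = PENDING_CODES.get(email)
    if expected is None:
        return False
    ok = hmac.compare_digest(expected, submitted)
    if ok:
        del PENDING_CODES[email]
    return ok


if __name__ == "__main__":
    forged = {"email": "victim@example.org",
              "subject": "Urgent: forged alert", "body": "forged body"}
    print(vulnerable_send_confirmation(forged))
    try:
        hardened_send_confirmation(forged)
    except ValueError as exc:
        print("hardened endpoint rejected request:", exc)
    print(hardened_send_confirmation({"email": "victim@example.org"}))
```

The important change is not the extra validation but where authority sits: the server decides what a notification says and what the code is, and the client supplies only an address. Rejecting unknown POST fields also makes the kind of request tampering described above visible in logs rather than silently honoured.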
