Hoax Email Blast abused bad coding on FBI website – Krebs on Security

The Federal Bureau of Investigation (FBI) today confirmed that its fbi.gov domain name and Internet address were used to detonate thousands of fake emails regarding a cybercrime investigation. According to an interview with the person who claimed responsibility for the hoax, the spam messages were sent by misusing an insecure code into an FBI online portal designed to share information with state and local law enforcement authorities. law enforcement.

The fake message sent Thursday night through the FBI messaging system. Image: Spamhaus.org

Late in the evening of November 12 ET, tens of thousands of emails started to flood the address of the FBI [email protected], warning against bogus cyber attacks. Around this time, KrebsOnSecurity received a message from the same email address.

“Hi it’s pompompurine», We read in the missive. “Check the headers of this email, it’s actually from the FBI server.” I am contacting you today as we have located a botnet hosted on your front, please take immediate action thank you.

A review of the message headers of the email indicated that it had indeed been sent by the FBI, and from the agency’s own Internet address. The domain in the “from:” part of the email I received – [email protected] – matches that of the FBI Criminal justice information services division (CJIS).

According to Department of Justice, “CJIS manages and operates several national crime information systems used by the public safety community for criminal and civil purposes. CJIS systems are available to the criminal justice community, including law enforcement, prisons, prosecutors, courts, as well as probation and pre-trial services.

In response to a request for comment, the FBI confirmed the unauthorized messages, but declined to provide further information.

“The FBI and the CISA [the Cybersecurity and Infrastructure Security Agency] are aware of this morning’s incident involving fake emails from an @ ic.fbi.gov email account, ”the FBI statement read. “This is an ongoing situation and we are unable to provide additional information at this time. The affected hardware was taken offline quickly upon discovery of the problem. We continue to encourage the public to be wary of unknown senders and urge you to report any suspicious activity to www.ic3.gov or www.cisa.gov.

In an interview with KrebsOnSecurity, Pompompurin said the hack was done to highlight a glaring vulnerability in the FBI system.

“I could have used this 1000% to send more legitimate emails, to entice businesses to forward data, etc.,” Pompompurin said. “And it would never have been found by anyone responsible for disclosing, due to the notice the federal government posted on its website.”

Pompompurin says illicit access to the FBI’s messaging system began with an exploration of his Law Enforcement Company Portal (LEEP), which the office describes as “a gateway for law enforcement agencies, intelligence groups and criminal justice entities to access useful resources.”

The FBI Law Enforcement Enterprise Portal (LEEP).

“These resources will enhance case development for investigators, improve information sharing between agencies, and be accessible in a centralized location!” Enthuses the FBI site.

Until this morning, the LEEP portal allowed anyone to apply for an account. Useful, step-by-step instructions for registering a new account on the LEEP portal as well are available on the DOJ website. [It should be noted that “Step 1” in those instructions is to visit the site in Microsoft’s Internet Explorer, an outdated web browser that even Microsoft no longer encourages people to use for security reasons.]

A large part of this process involves filling out forms with the applicant’s personal and contact information, as well as that of their organization. A critical step in this process is that applicants will receive an email confirmation from [email protected] with a one-time passcode – apparently to validate that the candidate can receive emails on the domain. in question.

But according to Pompompurin, the FBI’s own website leaked this one-time passcode in the HTML code of the webpage.

A screenshot shared by Pompompurin. Image: KrebOnSecurity.com

Pompompurin stated that they were able to email each other from [email protected] by modifying the request sent to their browser and modifying the text in the “Subject” and “Text Content” fields of the message.

A test email using the FBI’s communications system that Pompompurin said it sent to a disposable address.

“Basically when you asked for the confirmation code [it] was generated on the client side and then sent to you via a POST request, ”Pompompurin said. “This post request includes the subject and body parameters of the message.”

Pompompurin said that a simple script overrides these settings with its own subject and body, and automates sending the hoax message to thousands of email addresses.

A screenshot shared by Pompompurin, which says it shows how he could have abused the FBI’s messaging system to send a hoax message.

“Needless to say, it’s a horrible thing to see on any website,” Pompompurin said. “I’ve seen it several times before, but never on a government website, let alone a site operated by the FBI.

As we can see from the first screenshot at the top of this story, Pompompurin’s hoax post is an attempt to smear the name of Vinny Troia, the founder of the dark web intelligence companies NightLion and Shadowbyte.

“Members of the RaidForums hacking community have a long-standing feud with Troia, and typically degrade websites and perform minor hacks where they blame the security researcher” Ionut Illascu wrote for BipComputer. “Tweet about this spam campaign, Vinny Troia to have a reference to to someone known as’pompompurine, ‘as the likely perpetrator of the attack. Troia says the individual has been associated in the past with incidents aimed at damaging the security researcher’s reputation.

Troia’s work as a security researcher was the subject of a 2018 article here titled “When security researchers pose as cyber crooks, who can tell the difference?” Without a doubt, this hoax was another effort to blur that distinction.

Update, November 14, 11:31 a.m.ET: The FBI released an updated statement:

“The FBI is aware of a software misconfiguration that temporarily allowed an actor to exploit the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is the FBI’s IT infrastructure used to communicate with our national and local law enforcement partners. While the illegitimate e-mail originated from a server operated by the FBI, that server was dedicated to serving notifications for LEEP and was not part of the FBI’s corporate e-mail service. No actor has been able to access or compromise any data or personal information on the FBI network. Once we learned of the incident, we promptly fixed the vulnerability in the software, warned our partners to ignore fake emails, and confirmed the integrity of our networks.

Comments are closed.