The Information Highway


FBI system hacked to email 'urgent' warning about fake cyberattacks

The Federal Bureau of Investigation (FBI) email servers were hacked to distribute spam email impersonating FBI warnings that the recipients' network was breached and data was stolen.

The emails pretended to warn about a “sophisticated chain attack” from an advanced threat actor, whom they identify as Vinny Troia. Troia is the head of security research at the dark web intelligence companies NightLion and Shadowbyte.

The spam-tracking nonprofit Spamhaus noticed that tens of thousands of these messages were delivered in two waves early this morning. They believe this is just a small part of the campaign.

Legitimate address delivers fake content

Researchers at the Spamhaus Project, an international nonprofit that tracks spam and associated cyber threats (phishing, botnets, malware), observed two waves of this campaign, one at 5 AM (UTC) and a second one two hours later.

The messages came from a legitimate FBI email address belonging to the Bureau’s Law Enforcement Enterprise Portal (LEEP) and carried the subject “Urgent: Threat actor in systems.”

All emails came from FBI’s IP address 153.31.119.142 (mx-east-ic.fbi.gov), Spamhaus told us.

Fake cyber attack alert from legit FBI email address

The message warns that a threat actor has been detected in the recipient's network and has stolen data from devices.

Spamhaus Project told us that the fake emails reached at least 100,000 mailboxes. The number is a very conservative estimate, though, as the researchers believe “the campaign was potentially much, much larger.”

In a tweet today, the nonprofit said that the recipients were scraped from the American Registry for Internet Numbers (ARIN) database.

While this looks like a prank, there is no doubt that the emails originated from FBI’s servers, as the message headers show that their origin is verified by the DomainKeys Identified Mail (DKIM) mechanism.

The headers also show the following FBI internal servers that processed the emails:

  • dap00025.str0.eims.cjis
  • wvadc-dmz-pmo003-fbi.enet.cjis
  • dap00040.str0.eims.cjis
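
A DKIM pass only proves the mail really left FBI infrastructure, so a mail filter has to key on the campaign-specific indicators above (sending IP, subject, internal hop names) rather than on authentication results. The following header check is an added example, not code from the article or from Spamhaus; the sample headers are constructed (the internal 10.x address and timestamps are made up, the hostnames, IP and subject are the ones the article lists).

```python
import re
from email import message_from_string
from email.policy import default

# Indicators taken from the article: sending IP, subject line, internal hop hostnames.
KNOWN_SOURCE_IP = "153.31.119.142"
KNOWN_SUBJECT = "Urgent: Threat actor in systems."
KNOWN_INTERNAL_HOPS = {
    "dap00025.str0.eims.cjis",
    "wvadc-dmz-pmo003-fbi.enet.cjis",
    "dap00040.str0.eims.cjis",
}

# Constructed sample headers, not a captured message.
SAMPLE_HEADERS = """\
Received: from mx-east-ic.fbi.gov (mx-east-ic.fbi.gov [153.31.119.142])
 by mx.example.net with ESMTPS; Sat, 13 Nov 2021 05:02:11 +0000
Received: from dap00025.str0.eims.cjis ([10.10.0.25])
 by wvadc-dmz-pmo003-fbi.enet.cjis; Sat, 13 Nov 2021 05:02:10 +0000
Authentication-Results: mx.example.net; dkim=pass header.d=fbi.gov
Subject: Urgent: Threat actor in systems.

"""

HOST_RE = re.compile(r"[\w.-]+\.cjis\b|[\w.-]+\.fbi\.gov", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def analyse(raw):
    """Return a dict of findings explaining whether a message matches the campaign."""
    msg = message_from_string(raw, policy=default)  # policy unfolds multi-line headers
    received = msg.get_all("Received") or []
    auth = msg.get("Authentication-Results", "")
    hops = {h.lower() for line in received for h in HOST_RE.findall(line)}
    ips = {ip for line in received for ip in IP_RE.findall(line)}
    findings = {
        "dkim_pass_fbi": "dkim=pass" in auth and "header.d=fbi.gov" in auth,
        "from_known_ip": KNOWN_SOURCE_IP in ips,
        "known_subject": (msg.get("Subject") or "").strip() == KNOWN_SUBJECT,
        "internal_hops": sorted(hops & KNOWN_INTERNAL_HOPS),
    }
    # DKIM passing is expected here, so the verdict rests on the other indicators.
    findings["matches_campaign"] = findings["known_subject"] and (
        findings["from_known_ip"] or bool(findings["internal_hops"])
    )
    return findings
```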

The FBI confirmed that the content of the emails is fake and that they were working on solving the issue as their helpdesk is flooded with calls from worried administrators.

In a statement to us, the FBI said that they could not share more information because the situation is ongoing.

According to the technical details obtained by investigative journalist Brian Krebs from the individual behind the campaign, the LEEP portal allowed anyone to apply for an account. The registration process required filling in contact information.

"A critical step in that process says applicants will receive an email confirmation from [the LEEP email address] with a one-time passcode," Krebs wrote on Saturday. This code and the applicant's contact details leaked in the web page's HTML code.

Using a script, the actor could change the parameters to an email subject and body of their choice and automate the sending of the messages.
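
As an added illustration (not the portal's code and not from the article), here is a simplified model of the confirmation flow just described beside a hardened variant: the flawed page writes the passcode and applicant details into the HTML and trusts the browser to post the mail's subject and body back, while the hardened version keeps the code server-side, sends a fixed template and stores only a hash for verification. Function names, fields and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
from html import escape

# Simplified model of the sign-up flow described in the article; function names,
# fields and the in-memory store are assumptions, not the portal's real code.


def vulnerable_confirmation_page(applicant, otp):
    """Flawed pattern: the passcode and applicant details land in the HTML, and
    the subject/body of the confirmation mail are client-controlled form fields."""
    return (
        '<form action="/send-confirmation" method="post">'
        f'<input type="hidden" name="to" value="{escape(applicant["email"])}">'
        '<input type="hidden" name="subject" value="Your one-time passcode">'
        f'<input type="hidden" name="body" value="Your code is {otp}">'
        "</form>"
    )


PENDING = {}  # applicant email -> sha256(otp); stands in for a server-side database


def start_registration(applicant, send_mail):
    """Hardened pattern: the code never reaches the page, the mail text is a fixed
    server-side template, and only a hash of the code is stored for verification."""
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING[applicant["email"]] = hashlib.sha256(otp.encode()).hexdigest()
    send_mail(applicant["email"], "Registration confirmation", f"Your one-time passcode is {otp}")
    return '<form action="/verify" method="post"><input name="code"></form>'


def verify_code(email, submitted):
    """Constant-time comparison against the stored hash; the code is single use."""
    expected = PENDING.get(email)
    if expected is None:
        return False
    ok = hmac.compare_digest(expected, hashlib.sha256(submitted.encode()).hexdigest())
    if ok:
        del PENDING[email]
    return ok
```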

Aimed to discredit security researcher

Whoever is behind this campaign was likely motivated to discredit Vinny Troia, the founder of dark web intelligence company Shadowbyte, who is named in the message as the threat actor responsible for the fake supply-chain attack.

Members of the RaidForums hacking community have a long-standing feud with Troia, and commonly deface websites and perform minor hacks, which they then blame on the security researcher.

Tweeting about this spam campaign, Vinny Troia hinted at someone known as “pompompurin” as the likely author of the attack. Troia says the individual has been associated in the past with incidents aimed at damaging the security researcher’s reputation.

Speaking to us, Troia said that “my best guess is 'pompompurin' and his band of minions [are behind this incident].”

This assumption is further supported by the fact that 'pompompurin' contacted Troia a few hours before the spam campaign started, simply saying “enjoy,” as a warning that something involving the researcher was about to happen.

Troia said that 'pompompurin' messages him every time they start an attack to discredit the researcher.

Update 11/13/21: Added statement from the FBI.

Update 11/14/21: Added a second statement from the FBI and some technical details about the incident.
