The FBI is reportedly investigating a cyber incident involving an internal server after thousands of fake emails were sent out from the server, warning recipients about a major cyber attack to be carried out by hacker group the Dark Overlord.
The fake emails, that warned recipients about an impending cyber attack from a foreign hacker group, were worded to give recipients the impression that they were sent out by the US Department of Homeland Security. The fact that the fake emails were generated from @ic.fbi.gov email account gave recipients no reason to believe they were fake.
AFter the news went public, the FBI quickly released a statement, saying it was investigating the incident and that the affected email server was taken offline as soon as the issue was discovered. The agency also asked recipients of fake emails to report issues to the CISA or IC3.
“The FBI and CISA are aware of the incident this morning involving fake emails from an @ic.fbi.gov email account. This is an ongoing situation, and we are not able to provide any additional information at this time.
“The impacted hardware was taken offline quickly upon discovery of the issue. We continue to encourage the public to be cautious of unknown senders and urge you to report suspicious activity to ic3.gov or cisa.gov,” it said. According to the BBC, more than 100,000 emails were sent out from the FBI’s email account and contained the header, “Urgent: threat actor in systems.”
According to security researcher Brian Krebs, who was also a recipient of a fake email from the FBI address email@example.com, the domain in the “from” portion of the email corresponded to the FBI’s Criminal Justice Information Services division (CJIS). This made it clear that it was not a phishing email and that the emails were generated from the fbi.gov domain.
Krebs got in touch with an individual calling themselves Pompompurin who claimed to have carried out the hack “to point out a glaring vulnerability in the FBI’s system.”
“I could’ve 1000% used this to send more legit-looking emails, trick companies into handing over data, etc. And this would’ve never been found by anyone who would responsibly disclose, due to the notice the feds have on their website,” Pompompurin said.
Pompompurin said he gained access to the FBI’s email system by creating an account on the FBI’s Law Enforcement Enterprise Portal (LEEP) which serves as “a gateway providing law enforcement agencies, intelligence groups, and criminal justice entities access to beneficial resources.”
The LEEP portal offers step-by-step instructions to help anyone register a new account on the portal. The setup process includes a step where an email is sent from firstname.lastname@example.org with a one-time passcode to the account holder’s email address to validate their email.
However, according to Pompompurin, the FBI’s own website leaked that one-time passcode in the HTML code of the web page. Anyone could edit the request sent to their browser and change the text in the message’s “Subject” field and “Text Content” fields. Pompompurin used a simple script to insert his own message subject and body in the code and automate the sending of fake emails to thousands of people.
“Needless to say, this is a horrible thing to be seen on any website. I’ve seen it a few times before, but never on a government website, let alone one managed by the FBI,” the hacker told Krebs.