A flood of spam email, sent from a legitimate FBI address, went out to victims courtesy of a pseudonymous hacker. The sender, who calls himself Pompompurin, has caused much consternation and grief.

The aim seems to have been to discredit part-time security researcher and DJ Dr. Vinny Troia, and to expose the ridiculously poor engineering of the Law Enforcement Enterprise Portal (LEEP). Still, it could have been a lot worse.

LEEP L337 Lies

What’s the craic? Ionut Ilascu reports, in FBI system hacked to send “urgent” warning email:

Helpdesk is inundated with calls

The emails purported to warn of a sophisticated chain attack from an advanced threat actor, whom they identify as Vinny Troia. Troia is the head of security research for dark web intelligence firms NightLion and Shadowbyte.

Researchers from the Spamhaus Project, an international nonprofit organization that tracks spam and associated cyber threats, [said] the fake emails reached at least 100,000 mailboxes. They think this is just a small part of the campaign.

The messages came from a legitimate email address, [email protected], [and] from the IP address 153.31.119.142. Their origin is verified by the DomainKeys Identified Mail (DKIM) mechanism. The FBI has confirmed that the contents of the emails are fake and that its help desk is inundated with calls from concerned administrators.

And Brian Krebs digs deeper, in Hoax Email Blast Abused Bad Coding:

FBI website leaked

Pompompurin, the person who claimed responsibility for the hoax, [says] the spam messages were sent by abusing insecure code in an FBI online portal. The LEEP portal allowed anyone to apply for an account. A critical step in this process is that applicants receive an email confirmation from [email protected] with a one-time passcode, [but] the FBI website disclosed this one-time passcode in the HTML code of the webpage.

Pompompurin said he was able to send himself an email from [email protected] by editing the request sent to his browser and modifying the text in the Subject and Content fields of the message. A simple script replaced those fields with its own subject and message body, and automated the sending of the hoax.
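The two weaknesses Krebs describes, a notification handler that takes the Subject and Content of the outgoing mail from the client request, and a one-time passcode that is echoed into the page HTML, are easy to model. The following is an added example written for this page; it is not code from the FBI, LEEP or any source quoted above. The sender address, the template text and the request fields are placeholders chosen for illustration. The first handler reproduces the flaw as reported, the second shows the fix (only the applicant’s address is read from the request, the message is composed server-side, and the passcode lives only as a hash on the server), and a small outbound policy check lets a mail relay flag any message from the notification server that departs from the fixed template.

```python
# Added example (not code from the page or from the LEEP system): a minimal
# model of an account-request handler that emails a one-time passcode (OTP).
# The sender address and template strings below are placeholders.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SENDER = "notifications@portal.example"  # placeholder, not the real LEEP sender
CONFIRM_SUBJECT = "Your portal account request"
CONFIRM_BODY_PREFIX = "Your one-time passcode for the portal account request is: "


@dataclass
class OutboundMail:
    sender: str
    recipient: str
    subject: str
    body: str


@dataclass
class RecordingMailer:
    """Stand-in for an SMTP relay: records messages instead of sending them."""
    sent: list = field(default_factory=list)

    def send(self, msg: OutboundMail) -> None:
        self.sent.append(msg)


def vulnerable_signup(request: dict, mailer: RecordingMailer) -> str:
    """Flawed handler: Subject/Content are copied from the client request,
    and the OTP is echoed into the HTML returned to the applicant's browser."""
    otp = f"{secrets.randbelow(10**8):08d}"
    mailer.send(OutboundMail(SENDER, request["email"],
                             request["subject"], request["content"]))
    # The passcode is embedded in the page, so the mailbox is never needed.
    return f'<input type="hidden" name="otp" value="{otp}">'


def hardened_signup(request: dict, mailer: RecordingMailer, store: dict) -> str:
    """Fixed handler: only the applicant's address is read from the request;
    subject and body are fixed server-side; only a hash of the OTP is kept."""
    email = request["email"]
    otp = f"{secrets.randbelow(10**8):08d}"
    store[email] = hashlib.sha256(otp.encode()).hexdigest()
    mailer.send(OutboundMail(SENDER, email, CONFIRM_SUBJECT,
                             CONFIRM_BODY_PREFIX + otp))
    # The returned page contains no passcode; it must come from the mailbox.
    return '<input name="otp"> <input type="submit" value="Confirm">'


def verify_otp(email: str, submitted: str, store: dict) -> bool:
    """Compare the submitted passcode against the stored hash in constant time."""
    expected = store.get(email)
    if expected is None:
        return False
    digest = hashlib.sha256(submitted.encode()).hexdigest()
    return hmac.compare_digest(expected, digest)


def conforms_to_template(msg: OutboundMail) -> bool:
    """Outbound policy check for the relay: a notification server should only
    ever emit the fixed template; any other subject or body signals abuse."""
    if msg.sender != SENDER or msg.subject != CONFIRM_SUBJECT:
        return False
    if not msg.body.startswith(CONFIRM_BODY_PREFIX):
        return False
    code = msg.body[len(CONFIRM_BODY_PREFIX):]
    return len(code) == 8 and code.isdigit()


if __name__ == "__main__":
    # Constructed sample request with attacker-chosen subject and body.
    request = {"email": "victim@example.net",
               "subject": "Urgent warning: sophisticated chain attack",
               "content": "Text chosen entirely by whoever sent the request."}
    relay, store = RecordingMailer(), {}
    vulnerable_signup(request, relay)
    hardened_signup(request, relay, store)
    for m in relay.sent:
        print(f"{m.subject!r:48} conforms_to_template={conforms_to_template(m)}")
```

Running the block sends one message through each handler and prints whether the relay check would accept it; the attacker-controlled message fails the template check while the server-composed one passes. The same check is the detection hook a defender would want on a dedicated notification sender: such a host has no business emitting anything but its own templates, so a relay rule that quarantines and alerts on non-conforming mail limits the blast radius even if the application bug is found later.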

Simon Sharwood says, We want to believe:

Secure environment

The server in question was part of LEEP, which the FBI describes as “a secure platform for law enforcement, intelligence groups and criminal justice entities” [that] provides investigative tools and web-based analytical resources for other law enforcement agencies. “Users collaborate in a secure environment.”

Or at least that’s what they do when they’re not trying to figure out what it means to “exfiltrate several of your virtualized clusters in a sophisticated chain attack”. But we digress.

What does the Bureau have to say for itself? Its public relations gnomes emit this FBI statement on the incident:

Beware of unknown senders

The FBI is aware of a software misconfiguration that temporarily allowed an actor to take advantage of LEEP to send fake emails. While the illegitimate email originated from a server operated by the FBI, that server was dedicated to serving notifications for LEEP and was not part of the FBI corporate email service.

No actor has been able to access or compromise any data or personal information on the FBI network. The affected hardware was taken offline quickly upon discovery of the problem. We continue to encourage the public to be wary of unknown senders and urge you to report any suspicious activity to ic3.gov or cisa.gov.

SRSLY? Beware of unknown senders? That’s the whole point: the sender was not unknown! xhkkffbf seems ready to give up:

If I received an email from “fbi.gov”, I would assume it belonged in the same stack as the Nigerian prince’s hot deals. Even if I looked at the headers, I wouldn’t be convinced.

Perhaps we should put more effort into creating a public key infrastructure for email.

Who is responsible for this (um) bad configuration? ICS retired wants them to get off his lawn:

So it looks like the FBI is using the same kids to generate the same old standard pile of **** that is highly vulnerable to abuse, just like everyone else. In general, it is a wattage problem. It stands to reason that the FBI would be subject to the same wattage problem as everyone else, since they get their bulbs from the same store.

But poor old Vinny. Sympathy is not an emotion shared by u/Fr0gm4n:

Troia is a flourishing and important “security consultant” whose public image is first that of a media personality, and only then a true security professional. His website was hacked a few years ago to serve spam redirects, and I still laugh every time his name comes up.

But what about the hacker behind it? Here is Chris Holland:

Pompouspurin has just thrust a stick into a huge nest of angry hornets. He is going to be badly stung for what was a useless, zero-income activity.

Meanwhile, Isaac@eyes has some positive things to say about the FBI:

Good example of:

1) It will happen to everyone, and

2) manage your perimeter so that when it does, the impact is minimized.

Don’t feel bad when you say it could have been worse. Instead, know you’ve done your job.

And finally:

Come back ELIZA, all is forgiven.

