On November 13th, hackers targeted the email servers of the FBI and sent phony cybersecurity warnings to over 100,000 recipients scraped from the American Registry for Internet Numbers (ARIN) database. The hackers made sure the messages came from the FBI’s public-facing email address, making them seem more legitimate.
To protect yourself or your company from a similar attack, contact us. LIFARS can assist your business in capturing the important artifacts and data such as fraudulent emails and documents, security and activity logs, and any other information of relevance to the case.
The email told recipients that they were being attacked by Vinny Troia, a well-known name in the cybersecurity world, and falsely claimed that he was associated with the cybercriminal group The Dark Overlord. Troia, who has faced similar false accusations in the past, believes that the perpetrator goes by the name “Pompompurin,” who was behind earlier defamation campaigns against him.
The attack may be in retaliation for an investigative report that Troia published last year on the young hacker, revealing his identity and involvement with various hacker groups.
Soon after the attack, pompompurin himself was happy to confirm Troia’s suspicions and took full responsibility for the incident.
In an interview with KrebsOnSecurity, a popular cybercrime investigation blog, pompompurin explained how he orchestrated the attack. He was able to gain access to the FBI’s email system by exploiting LEEP, which allows anyone to open an account and communicate with the FBI. To finish up the registration process, the LEEP site sends out a confirmation email that includes a one-time passcode.
The FBI’s site leaked the passcode in the page’s HTML, allowing the hacker to send himself an email from the FBI. He then used a script to change the email’s subject and sent it out to thousands of addresses he found in the ARIN database.
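The two defects described above, a confirmation flow that exposes its one-time passcode in the returned HTML and lets the client dictate the outgoing email's subject, are shown below next to a hardened version of the same flow. This is an added illustration written for this post, not code from the FBI, LEEP or LIFARS; the page says nothing about how LEEP was implemented, so the handler names, the in-memory outbox and the request values are all constructed.

```python
import hashlib
import hmac
import re
import secrets
import time

# Constructed stand-in for the portal's outgoing mail relay: every "sent"
# message is appended here so the two handlers can be compared offline.
OUTBOX = []


def send_mail(to, subject, body):
    OUTBOX.append({"to": to, "subject": subject, "body": body})


# --- Vulnerable pattern (constructed illustration of the flaw in the text) ---

def vulnerable_register(email, form):
    """Generate a one-time passcode, but (1) let the request dictate the
    email's subject and body and (2) echo the expected code into the returned
    HTML so the browser performs the comparison. Both are the defects this
    example exists to show."""
    code = f"{secrets.randbelow(10**6):06d}"
    send_mail(email, form.get("subject", "Confirm your registration"),
              form.get("body", f"Your confirmation code is {code}"))
    return f'<input type="hidden" name="expected_code" value="{code}">'


# --- Hardened pattern -------------------------------------------------------

PENDING = {}            # email -> (sha256 of code, expiry in epoch seconds)
CODE_TTL_SECONDS = 600  # assumed policy: codes live ten minutes


def hardened_register(email, form):
    """Keep the passcode server-side (hashed, time-limited, single-use) and
    send a message whose subject and body are fixed by the server. `form` is
    accepted for interface parity; nothing in it reaches the email or page."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[email] = (hashlib.sha256(code.encode()).hexdigest(),
                      time.time() + CODE_TTL_SECONDS)
    send_mail(email, "Confirm your registration",
              f"Your confirmation code is {code}. It expires in 10 minutes.")
    return '<form method="post"><input name="code" autocomplete="one-time-code"></form>'


def hardened_verify(email, submitted):
    """Constant-time comparison against the stored hash; a correct code is
    consumed so it cannot be replayed. (A real deployment would also
    rate-limit attempts per address.)"""
    entry = PENDING.get(email)
    if entry is None:
        return False
    digest, expires_at = entry
    if time.time() > expires_at:
        del PENDING[email]
        return False
    ok = hmac.compare_digest(digest, hashlib.sha256(submitted.encode()).hexdigest())
    if ok:
        del PENDING[email]
    return ok


def compare_handlers():
    """Run both handlers on the same constructed request and report what a
    code reviewer would check: is the code visible in the page, and did the
    request control the outgoing email's subject?"""
    OUTBOX.clear()
    PENDING.clear()
    user = "user@example.invalid"
    client_form = {"subject": "Client-supplied subject", "body": "Client-supplied body"}

    html_v = vulnerable_register(user, client_form)
    mail_v = OUTBOX[-1]
    html_h = hardened_register(user, client_form)
    mail_h = OUTBOX[-1]

    # Read the real code back out of the hardened email to exercise verification.
    code_h = re.search(r"\b(\d{6})\b", mail_h["body"]).group(1)
    wrong = f"{(int(code_h) + 1) % 10**6:06d}"

    return {
        "vulnerable_code_in_html": bool(re.search(r'value="\d{6}"', html_v)),
        "vulnerable_subject_client_controlled": mail_v["subject"] == client_form["subject"],
        "hardened_code_in_html": bool(re.search(r"\d{6}", html_h)),
        "hardened_subject_client_controlled": mail_h["subject"] == client_form["subject"],
        "hardened_verify_wrong": hardened_verify(user, wrong),
        "hardened_verify_right": hardened_verify(user, code_h),
        "hardened_verify_replay": hardened_verify(user, code_h),
    }


if __name__ == "__main__":
    for check, result in compare_handlers().items():
        print(f"{check}: {result}")
```

The checks in `compare_handlers` are the ones worth automating in a review of any self-service registration portal: grep the rendered response for the secret the server just generated, and diff the outgoing message against a request that tried to supply its own subject and body.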
The fact that there were no malicious attachments added to the phony cybersecurity warnings has led cybersecurity experts to believe that the attack was unplanned and resulted from the hacker suddenly noticing a vulnerability in the FBI’s system.
You can see what the email looks like, courtesy of Spamhaus.
According to the FBI, the emails were sent from the Law Enforcement Enterprise Portal system, which is separate from the FBI’s larger corporate email system and is used for exchanging messages among state and local officials.
“No actor was able to access or compromise any data or (personally identifiable information) on FBI’s network,” the bureau assured. “Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”