Someone used an FBI email account to send out messages warning recipients of fake cyberattacks that targeted their systems.

Highlights of the Hack

According to Bleeping Computer, researchers at the Spamhaus Project observed two waves of fake emails reaching more than 100,000 mailboxes on November 13, 2021.

All the emails originated from “[email protected],” a legitimate email account associated with the FBI’s Law Enforcement Enterprise Portal (LEEP).

The messages warned recipients that a threat actor had infiltrated their systems and stolen their data.

“Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack,” the email read, as quoted by Bleeping Computer. “We tried to blackhole the transit nodes used by this advanced persistent threat actor, however, there is a huge chance he will modify his attack with fastflux technologies, which he proxies through multiple global accelerators.”

The email even went on to identify who was “responsible” for the attack.

“We identified the threat actor to be Vinny Troia, who is believed to be affiliated with the extortion gang TheDarkOverlord. We highly recommend you to check your systems and IDS monitoring,” the email continued. “Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within four hours, which could be enough time to cause severe damage to your infrastructure.”

Targeting a Security Professional’s Reputation

But malicious actors lie, and this instance was no exception.

In actuality, Vinny Troia is head of security research at the dark web intelligence companies NightLion and Shadowbyte. Troia said that someone named “pompompurin” contacted him a few hours before the spam email campaign and simply said “enjoy”.

He went on to say that pompompurin, an actor who attempted to damage the researcher’s reputation in the past, messages him every time before launching an attack against him.

In an interview with KrebsOnSecurity, pompompurin said that the hacking incident began with an exploration of the FBI’s LEEP. The actor discovered that the LEEP sent out an email confirmation containing a one-time password (OTP) from [email protected] at the time of the compromise. They also observed that the website leaked the OTP in the web page’s HTML code.

By editing the request sent to their browser and changing the text in the message, pompompurin was able to send an email to themselves from the FBI’s email account. They then created a script to automate sending out the hoax message referenced above to thousands of email addresses.
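The two defects described above (a one-time code rendered into the page HTML, and message text taken from the client request and passed straight into an outgoing email) are easy to reproduce in miniature. The following is an added illustration, not code from the article or from the LEEP portal: a toy confirmation handler written the vulnerable way next to a hardened version, plus an audit check that flags when request-supplied text ends up verbatim in the mail. The `example.gov` sender, the field names and the sample request are all constructed for the example.

```python
# Added example, not from the article or the LEEP portal. A toy "send me a
# verification code" handler in two versions: one that trusts the client for
# subject/body and echoes the OTP into the page, and one that does neither.
import hashlib
import hmac
import secrets
import string

SENDER = "noreply@example.gov"  # constructed placeholder sender, not a real address

# Constructed sample request: an attacker-shaped subject/body alongside a recipient.
SAMPLE_REQUEST = {
    "email": "recipient@example.org",
    "subject": "Urgent: Threat actor in systems",
    "body": "Our intelligence monitoring indicates exfiltration of several of your clusters.",
}


def _new_otp(length=6):
    """Cryptographically random numeric code."""
    return "".join(secrets.choice(string.digits) for _ in range(length))


def vulnerable_confirmation(request_fields):
    """Vulnerable pattern: subject and body come from the HTTP request, and the
    OTP is written into a hidden form field, so anyone can read it client-side."""
    otp = _new_otp()
    email = {
        "from": SENDER,
        "to": request_fields["email"],
        "subject": request_fields["subject"],                      # client-controlled
        "body": request_fields["body"] + "\n\nYour code: " + otp,  # client-controlled
    }
    html = f'<input type="hidden" name="otp" value="{otp}">'       # OTP leaked in page
    return email, html


def hardened_confirmation(request_fields, otp_store, signing_key):
    """Hardened pattern: only the recipient address is taken from the request;
    subject and body are fixed server-side; the OTP is kept as a keyed hash on
    the server and never rendered into the returned page."""
    recipient = request_fields["email"]
    otp = _new_otp()
    otp_store[recipient] = hmac.new(signing_key, otp.encode(), hashlib.sha256).hexdigest()
    email = {
        "from": SENDER,
        "to": recipient,
        "subject": "Your one-time verification code",
        "body": f"Your verification code is {otp}. It expires in 10 minutes.",
    }
    html = '<form method="post"><input name="otp" placeholder="Enter code"></form>'
    return email, html


def verify_otp(recipient, submitted, otp_store, signing_key):
    """Constant-time check of a submitted code against the stored keyed hash."""
    expected = otp_store.get(recipient)
    if expected is None:
        return False
    actual = hmac.new(signing_key, submitted.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, actual)


def mail_is_client_controlled(email, request_fields):
    """Audit helper: True if any request-supplied string other than the
    recipient address appears verbatim in the outgoing subject or body."""
    for key, value in request_fields.items():
        if key == "email" or not value:
            continue
        if value in email["subject"] or value in email["body"]:
            return True
    return False


def otp_rendered_in_html(html, otp):
    """Audit helper: True if the secret was leaked into the page markup."""
    return otp in html


if __name__ == "__main__":
    bad_mail, bad_html = vulnerable_confirmation(SAMPLE_REQUEST)
    print("vulnerable: client text in mail =", mail_is_client_controlled(bad_mail, SAMPLE_REQUEST))
    store, key = {}, b"constructed-demo-key"
    good_mail, good_html = hardened_confirmation(SAMPLE_REQUEST, store, key)
    print("hardened:   client text in mail =", mail_is_client_controlled(good_mail, SAMPLE_REQUEST))
```

The two audit helpers are the part worth keeping: run over whatever your own confirmation endpoint returns, they catch exactly the two conditions the incident relied on, independent of how the handler is written.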

Not the First Security Incident Involving the FBI

The incident discussed above isn’t the first time that digital attackers have targeted the FBI.

Back in January 2017, for instance, the attacker CyberZeist broke into FBI.gov by exploiting a zero-day vulnerability in the Bureau’s website.

The malicious actor found several backup files in the process, reported Security Affairs. Subsequently, the threat actor leaked account data including names, passwords and emails on Pastebin.

How Organizations Can Defend Themselves

The hoax emails didn’t require recipients to perform any action, so there wasn’t anything specifically malicious about their contents.

That said, someone could have used the incident to distribute malware through a phishing attack.

This emphasizes the importance of security awareness training. Specifically, security teams can train employees to forward any email carrying this level of urgency and alarming language to the IT department, whose staff can then investigate and take whatever steps are needed to protect the organization’s systems and data.
