FBI server hijacked to send up to 100,000 bogus attack mails

FBI server hijacked to send up to 100,000 bogus attack mails

If you received a scary missive from what appears to be from the FBI over the last few days, you’re not alone. The emails, which may have reached as many as 100,000 people, blamed a fictitious cyberattack on an innocent party. The mail read as follows:

Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies trough [SIC] multiple global accelerators.

Now, if you know your way around your network or have some insight into security generally, this may already sound a little off. The typo also doesn’t help. But for anyone else, the email could be very concerning, not least because of the potential for reputation damage for them and their business!

How did this happen?

An FBI server was used to send out these mails. The server itself was a tiny link in the chain known as LEEP. This is a “secure platform for law enforcement agencies, intelligence groups, and criminal justice entities. It includes active shooter initiatives, blogs, forums, and a “Virtual Command Center”. Unfortunately, for a short period of time it also included bogus attack mail notifications.

The website contained a flaw which allowed for the leaking of one time registration passcodes in the website’s HTML. From there, it was a short step to editing requests sent to the browser and changing the text in the intended message subject field.

The FBI has explained the server was geared towards pushing notifications only. It isn’t part of the FBIs corporate email network, and so no PII or other data was compromised.

The damage could have been much worse

It’s certainly embarrassing for a law enforcement service to be abused in this way. It’s also worrying for anyone who’s received the mail and isn’t yet aware it’s a fake.

We’re just lucky the aim of the game here seems to have been trolling (unless you’re the innocent party, of course. There’s definitely nothing lucky about that). Think how much more impact this could have had if the mail had come with a malicious attachment, or was part of a social engineering data harvesting extravaganza.

Once an attacker seizes control of official law enforcement comms tools the possibility for incredibly malicious activity is high. This one is all about the short sharp shock, but there’s plenty of time to think about a slow, drawn-out campaign with subtle missives and a gradual tightening of the web.

Should you ever receive what appears to be a mail warning of attacks at your organisation from law enforcement, consider phoning up and going directly to the (assumed) source. It’ll save you a lot of stress, time, and effort.