Criminal exploited FBI e-mail system vulnerability and sent massive hoax e-mail

Spread the love

The FBI’s domain and email system was used this weekend to spread a hoax via email. It would be hundreds of thousands of emails. In an interview, the perpetrator states that he wanted to expose the vulnerability in the FBI systems.

That is what the person in charge, one Pompompurin, tells Krebs On Security. He says he certainly could have “sent more legitimate-looking emails and convinced companies to hand over data.” He didn’t; he would have performed his act in this way because the FBI warns on the vulnerable webpage in question against prosecution for unauthorized use and that stands in the way of responsible disclosure. In addition, he clearly also aims to tarnish the reputation of security researcher Vinny Troia. According to Bleeping Computer, Troia has a long-running feud with members of the rogue hacker community RaidForums, the culprit being one of them.

The email in question (image via @Spamhaus)

Pompompurin entered through the federal agency’s Law Enforcement Enterprise Portal. That is a “gateway that gives law enforcement agencies, intelligence groups and criminal justice entities access to useful resources.” The perpetrator was able to create an account there, something that is no longer possible for everyone. He goes on to say that the email confirmation code for a new account is generated on the client side and sent back to the site through a POST request.

Not only was the verification code visible in the html on the page, but the POST request was also customizable. For example, Pompompurin entered his own recipients and message text, but the email came from [email protected] and the IP address of the FBI. Spamhaus reports that he has the addressees from the ARIN database through scraping.

The FBI has informed Krebs on Security, among others, that the e-mails do indeed come from the FBI and that they are forged. They will not provide more information as the case is still ongoing. The “affected hardware was quickly taken offline after discovering this problem,” the service says. According to Bleeping Computer, the FBI’s help desk is being “flooded” with phone calls from concerned admins.

You might also like