Several news outlets report that at least 100,000 people received spam emails allegedly from the FBI. The emails carried the signature of the U.S. Department of Homeland Security’s Cyber Threat Detection and Analysis Group. Interestingly, the FBI shut down that group more than two years ago. The emails contained strange, technically confused messages about some upcoming attacks. For some reason they referred to cybersecurity writer Vinny Troia and a cybercriminal group called The Dark Overlord; Troia’s company published research on The Dark Overlord in January this year.
Someone sent fake FBI spam emails from legitimate law enforcement servers
“The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails,” reads an update the FBI National Press Office published on November 14, 2021. “While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service.”
The FBI uses LEEP to communicate with its state and local law enforcement partners. The Federal Bureau of Investigation also stated in the update that the actor could not access or compromise any data or personally identifiable information (PII) on the FBI’s network. The FBI quickly fixed the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of its networks. The FBI regularly warns American companies about cyber threats targeting particular companies or about new techniques employed by threat actors.
Spamhaus, an international threat intelligence organization that provides real-time data on spam, botnets, malware sources and phishing, conducted its own research. On its Twitter page it shared the fake spam email that was allegedly sent under the guise of the FBI. The recipients of the spam emails were addresses listed in the American Registry for Internet Numbers (ARIN). The contacts consist of publicly listed website administrators, the company’s researcher Alex Grosjean explained.
These emails look like this:
Sending IP: 153.31.119.142
From: eims@ic.fbi.gov
Subject: Urgent: Threat actor in systems
— Spamhaus (@spamhaus), November 13, 2021
Cybersecurity analysts worry that threat actors may actually pick up the trick in later attacks
Grosjean confirmed that he did not detect any malicious software embedded in the emails. Instead, he assumes it must have been just a prank to scare the recipients. It is not the first time someone has pretended to be from a legitimate law enforcement agency. As CNN noted in its report on the fake FBI emails, in one incident last year hackers encrypted the phones of some people in Eastern Europe, accused them of possessing illicit pornographic material, and informed them that their personal information had been forwarded to the FBI. The hackers asked for $500 to unlock the phones.
Even if this turns out to be a mere prank, cybersecurity specialists are concerned that incidents of this kind can easily mislead organizations into dealing with fake threats while missing an actual attack. Threat actors may adopt the scheme as a preparatory step ahead of a real attack.