https://krebsonsecurity.com/2021/11/hoax-email-blast-abused-poor-coding-in-fbi-website/

Krebs on Security

Hoax Email Blast Abused Poor Coding in FBI Website
November 13, 2021 | 18 Comments

The Federal Bureau of Investigation (FBI) confirmed today that its fbi.gov domain name and Internet address were used to blast out thousands of fake emails about a cybercrime investigation. According to an interview with the person who claimed responsibility for the hoax, the spam messages were sent by abusing insecure code in an FBI online portal designed to share information with state and local law enforcement authorities.

[Image] The phony message sent late Thursday evening via the FBI's email system. Image: Spamhaus.org

Late in the evening on Nov. 12 ET, tens of thousands of emails began flooding out from the FBI address eims@ic.fbi.gov, warning about fake cyberattacks. Around that time, KrebsOnSecurity received a message from the same email address.

"Hi it's pompompurin," read the missive. "Check headers of this email it's actually coming from FBI server. I am contacting you today because we located a botnet being hosted on your forehead, please take immediate action thanks."

A review of the email's message headers indicated it had indeed been sent by the FBI, and from the agency's own Internet address. The domain in the "from:" portion of the email I received -- eims@ic.fbi.gov -- corresponds to the FBI's Criminal Justice Information Services division (CJIS).

According to the Department of Justice, "CJIS manages and operates several national crime information systems used by the public safety community for both criminal and civil purposes. CJIS systems are available to the criminal justice community, including law enforcement, jails, prosecutors, courts, as well as probation and pretrial services."
In response to a request for comment, the FBI confirmed the unauthorized messages, but declined to offer further information.

"The FBI and CISA [the Cybersecurity and Infrastructure Security Agency] are aware of the incident this morning involving fake emails from an @ic.fbi.gov email account," reads the FBI statement. "This is an ongoing situation and we are not able to provide any additional information at this time. The impacted hardware was taken offline quickly upon discovery of the issue. We continue to encourage the public to be cautious of unknown senders and urge you to report suspicious activity to www.ic3.gov or www.cisa.gov."

In an interview with KrebsOnSecurity, Pompompurin said the hack was done to point out a glaring vulnerability in the FBI's system.

"I could've 1000% used this to send more legit looking emails, trick companies into handing over data etc.," Pompompurin said. "And this would've never been found by anyone who would responsibly disclose, due to the notice the feds have on their website."

Pompompurin says the illicit access to the FBI's email system began with an exploration of its Law Enforcement Enterprise Portal (LEEP), which the bureau describes as "a gateway providing law enforcement agencies, intelligence groups, and criminal justice entities access to beneficial resources."

[Image] The FBI's Law Enforcement Enterprise Portal (LEEP).

"These resources will strengthen case development for investigators, enhance information sharing between agencies, and be accessible in one centralized location!," the FBI's site enthuses.

Until sometime this morning, the LEEP portal allowed anyone to apply for an account. Helpfully, step-by-step instructions for registering a new account on the LEEP portal also are available from the DOJ's website.
[It should be noted that "Step 1" in those instructions is to visit the site in Microsoft's Internet Explorer, an outdated web browser that even Microsoft no longer encourages people to use for security reasons.]

Much of that process involves filling out forms with the applicant's personal and contact information, and that of their organization. A critical step in that process says applicants will receive an email confirmation from eims@ic.fbi.gov with a one-time passcode -- ostensibly to validate that the applicant can receive email at the domain in question.

But according to Pompompurin, the FBI's own website leaked that one-time passcode in the HTML code of the web page.

[Image] A screenshot shared by Pompompurin. Image: KrebsOnSecurity.com

Pompompurin said they were able to send themselves an email from eims@ic.fbi.gov by editing the request sent from their browser and changing the text in the message's "Subject" field and "Text Content" fields.

[Image] A test email using the FBI's communications system that Pompompurin said they sent to a disposable address.

"Basically, when you requested the confirmation code [it] was generated client-side, then sent to you via a POST Request," Pompompurin said. "This post request includes the parameters for the email subject and body content."

Pompompurin said a simple script replaced those parameters with his own message subject and body, and automated the sending of the hoax message to thousands of email addresses.

[Image] A screenshot shared by Pompompurin, who says it shows how he was able to abuse the FBI's email system to send a hoax message.

"Needless to say, this is a horrible thing to be seeing on any website," Pompompurin said. "I've seen it a few times before, but never on a government website, let alone one managed by the FBI."
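To make the design flaw described above concrete, here is an added illustration (not the portal's code, and not from the article) that models the confirmation-email step twice: once trusting the browser for the code and the message text, and once generating and keeping the code server-side with a fixed message template. The function names, the in-memory mailer and the code store are assumptions made for the example.

```python
# Added example: a minimal model of the confirmation-email step described above.
# It is not the portal's code; the function names, the in-memory mailer and the
# code store are assumptions made for illustration.
import hmac
import re
import secrets

SENT_MAIL = []       # stand-in for the mail server: records what would be sent
PENDING_CODES = {}   # server-side store: recipient address -> one-time code
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def send_mail(to, subject, body):
    """Simulated sender; a real deployment would hand this to an MTA."""
    SENT_MAIL.append({"to": to, "subject": subject, "body": body})


def vulnerable_confirm(form):
    """Weak design as described in the article: the client supplies the code
    and the subject and body text, so the endpoint relays whatever it is given
    under the site's own sender address."""
    send_mail(form["email"], form["subject"], form["text_content"])
    return {"status": "sent", "code": form["code"]}


def hardened_request_code(form):
    """Hardened design: the server generates and keeps the code and builds the
    message from a fixed template; the client only names the recipient."""
    to = form.get("email", "")
    if len(to) > 254 or not EMAIL_RE.match(to):
        return {"status": "error"}
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING_CODES[to] = code
    send_mail(to, "Account confirmation code",
              f"Your confirmation code is {code}.")
    return {"status": "sent"}   # the code never goes back to the browser


def hardened_verify_code(form):
    """Second step: constant-time comparison, and each issued code is consumed
    by its first use, so a wrong guess forces a fresh request."""
    expected = PENDING_CODES.pop(form.get("email", ""), None)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), str(form.get("code", "")).encode())
```

In the hardened version the response carries no code and the mail body cannot be influenced by the request, which is the property the LEEP form lacked.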
As we can see from the first screenshot at the top of this story, Pompompurin's hoax message is an attempt to smear the name of Vinny Troia, the founder of the dark web intelligence companies NightLion and Shadowbyte.

"Members of the RaidForums hacking community have a long-standing feud with Troia, and commonly deface websites and perform minor hacks where they blame it on the security researcher," Ionut Ilascu wrote for BleepingComputer. "Tweeting about this spam campaign, Vinny Troia hinted at someone known as 'pompompurin,' as the likely author of the attack. Troia says the individual has been associated in the past with incidents aimed at damaging the security researcher's reputation."

Troia's work as a security researcher was the subject of a 2018 article here titled, "When Security Researchers Pose as Cybercrooks, Who Can Tell the Difference?" No doubt this hoax was another effort at blurring that distinction.

Update, Nov. 14, 11:31 a.m. ET: The FBI has issued an updated statement:

"The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners. While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI's corporate email service. No actor was able to access or compromise any data or PII on FBI's network. Once we learned of the incident we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks."
This entry was posted on Saturday 13th of November 2021 05:46 PM. Categories: A Little Sunshine, Ne'er-Do-Well News, Web Fraud 2.0. Tags: Criminal Justice Information Services division, Department of Justice, eims@ic.fbi.gov, fbi, FBI email hack, Law Enforcement Enterprise Portal, LEEP, NightLion, pompompurin, Shadowbyte, Vinny Troia

18 thoughts on "Hoax Email Blast Abused Poor Coding in FBI Website"

* funyun, November 13, 2021: generating the message client side.... I can't even believe this would even be a thing
* DK, November 13, 2021: That's what happens when systems are built by the lowest bidder!
* Carey, November 13, 2021: Abusing a formmail CGI script like this is something that goes back to the early days of the web, when they were bundled with web servers and things like cPanel. It's not something I thought I'd see these days.
* General Kenobi, November 13, 2021: You know, with this being a government website, it might still be running code from those early days, judging by that IE recommendation
* Brujo, November 14, 2021: Why? Why generate the magic number client side? I'm baffled. Is it just laziness, because it's easier?
* Impossibly Stupid, November 14, 2021: It isn't clear to me that the code is actually generated on the client. Much more likely is that it was created on the server and simply sent to the client, possibly because the account creation server has no ability to send emails. As a stateless protocol, HTTP is an absolutely terrible thing to be using for these sorts of transactional processes, especially if we're looking for security. It's a real shame that the web has become the lowest common denominator for most people on the Internet.
* No thanks, November 13, 2021: FBI recommendation, "We continue to encourage the public to be cautious of unknown senders..." But the sender wasn't unknown, it was you!
* Steve, November 14, 2021: That's what happens when our Government is financially strained by all the government giveaways in the name of social justice.
* Shteiv, November 14, 2021: Learn English to make stuff up for Breitbart effectively, comrade!
* Law, November 14, 2021: Brainwashed fool. Just parrot those Fox talking points and obey!
* Ron R., November 14, 2021: Correction: "This is what happens when government IT efforts are farmed out to the lowest bid from perpetual government IT contractors. This has nothing to do with any other efforts the U.S. Federal government has to take care of at all." You'd know this if you ever worked on a government IT contract. Stop being a right-wing misinformation sheep.
* Gary, November 14, 2021: This is rather unfortunate since DOJ was on a roll smashing ransomware bandits and stealing back their money.
* Chris Holland, November 14, 2021: Script Kiddy Pompouspurin has just poked a stick into a massive nest of angry hornets. He's going to get badly stung for what was a pointless zero revenue activity.
* Kevin, November 14, 2021: One correction: "request sent to their browser" should be "request sent from their browser". No HTTP requests are sent to a browser.
* Bigs Germanicus, November 14, 2021: Minor critique: the one-time code wasn't leaked in the HTML code of the page; it was leaked in the network traffic. This is ridiculously insecure though. Web security 101 is that you don't trust any data sent from the client.
* herp derp, November 14, 2021: What a complete waste. Must have been a 13 year old surely. He could have easily leveraged that sort of access/capability for internal spear phishing and furthered his foothold, among other things. Just as stupid as those dumb kids that got into Twitter earlier this year and completely wasted their access.
* CandyCovers, November 14, 2021: Best comment.
* kode, November 14, 2021: The FBI spends too much time testing security programs and software for the government to use. Meanwhile the hackers create new exploits and programs, every day, every minute, every hour... while the complacent agents just use the old tools and wait for approval from ASCLAD and other approval agencies.