https://krebsonsecurity.com/2022/12/fbis-vetted-info-sharing-network-infragard-hacked/

Krebs on Security

FBI's Vetted Info Sharing Network 'InfraGard' Hacked

December 13, 2022 | 26 Comments

InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online -- using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.

On Dec. 10, 2022, the relatively new cybercrime forum Breached featured a bombshell new sales thread: the user database for InfraGard, including names and contact information for tens of thousands of InfraGard members.

The FBI's InfraGard program is supposed to be a vetted Who's Who of key people in private sector roles involving both cyber and physical security at companies that manage most of the nation's critical infrastructure -- including drinking water and power utilities, communications and financial services firms, transportation and manufacturing companies, healthcare providers, and nuclear energy firms.

"InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education, networking, and information-sharing on security threats and risks," the FBI's InfraGard fact sheet reads.

In response to information shared by KrebsOnSecurity, the FBI said it is aware of a potential false account associated with the InfraGard Portal and that it is actively looking into the matter.

"This is an ongoing situation, and we are not able to provide any additional information at this time," the FBI said in a written statement.

KrebsOnSecurity contacted the seller of the InfraGard database, a Breached forum member who uses the handle "USDoD" and whose avatar is the seal of the U.S. Department of Defense.

[Image: USDoD's InfraGard sales thread on Breached.]

USDoD said they gained access to the FBI's InfraGard system by applying for a new account using the name, Social Security Number, date of birth and other personal details of a chief executive officer at a company that was highly likely to be granted InfraGard membership.

The CEO in question -- currently the head of a major U.S. financial corporation that has a direct impact on the creditworthiness of most Americans -- told KrebsOnSecurity they were never contacted by the FBI seeking to vet an InfraGard application.

USDoD told KrebsOnSecurity their phony application was submitted in November in the CEO's name, and that the application included a contact email address that they controlled -- but also the CEO's real mobile phone number.

"When you register they said that to be approved can take at least three months," USDoD said. "I wasn't expected to be approve[d]."

But USDoD said that in early December, their email address in the name of the CEO received a reply saying the application had been approved (see redacted screenshot to the right).

While the FBI's InfraGard system requires multi-factor authentication by default, users can choose between receiving a one-time code via SMS or email.

"If it was only the phone I will be in [a] bad situation," USDoD said. "Because I used the person['s] phone that I'm impersonating."

USDoD said the InfraGard user data was made easily available via an Application Programming Interface (API) that is built into several key components of the website that help InfraGard members connect and communicate with each other.
USDoD said after their InfraGard membership was approved, they asked a friend to code a script in Python to query that API and retrieve all available InfraGard user data.

"InfraGard is a social media intelligence hub for high profile persons," USDoD said. "They even got [a] forum to discuss things."

To prove they still had access to InfraGard as of publication time Tuesday evening, USDoD sent a direct note through InfraGard's messaging system to an InfraGard member whose personal details were initially published as a teaser on the database sales thread. That InfraGard member, who is head of security at a major U.S. technology firm, confirmed receipt of USDoD's message but asked to remain anonymous for this story.

USDoD acknowledged that their $50,000 asking price for the InfraGard database may be a tad high, given that it is a fairly basic list of people who are already very security-conscious. Also, only about half of the user accounts contain an email address, and most of the other database fields -- like Social Security Number and Date of Birth -- are completely empty.

"I don't think someone will pay that price, but I have to [price it] a bit higher to [negotiate] the price that I want," they explained.

While the data exposed by the infiltration at InfraGard may be minimal, the user data might not have been the true end game for the intruders. USDoD said they were hoping the imposter account would last long enough for them to finish sending direct messages as the CEO to other executives using the InfraGard messaging portal.

USDoD shared the following redacted screenshot from what they claimed was one such message, although they provided no additional context about it.

[Image: A screenshot shared by USDoD showing a message thread in the FBI's InfraGard system.]

USDoD said in their sales thread that the guarantor for the transaction would be Pompompurin, the administrator of the cybercrime forum Breached.
By purchasing the database through the forum administrator's escrow service, would-be buyers can theoretically avoid getting ripped off and ensure the transaction will be consummated to the satisfaction of both parties before money exchanges hands.

Pompompurin has been a thorn in the side of the FBI for years. Their Breached forum is widely considered to be the second incarnation of RaidForums, a remarkably similar English-language cybercrime forum shuttered by the U.S. Department of Justice in April. Prior to its infiltration by the FBI, RaidForums sold access to more than 10 billion consumer records stolen in some of the world's largest data breaches.

In November 2021, KrebsOnSecurity detailed how Pompompurin abused a vulnerability in an FBI online portal designed to share information with state and local law enforcement authorities, and how that access was used to blast out thousands of hoax email messages -- all sent from an FBI email and Internet address.

Update, 10:58 p.m. ET: Updated the story after hearing from the financial company CEO whose identity was used to fool the FBI into approving an InfraGard membership. That CEO said they were never contacted by the FBI.

Update, 11:15 p.m. ET: The FBI just confirmed that it is aware of a potential false account associated with the InfraGard portal. The story now includes their full statement.

This is a developing story. Updates will be noted here with timestamps.

This entry was posted on Tuesday 13th of December 2022 06:54 PM.
Categories: A Little Sunshine, Data Breaches, Web Fraud 2.0
Tags: Breached, fbi, InfraGard, pompompurin, RaidForums, USDoD

26 thoughts on "FBI's Vetted Info Sharing Network 'InfraGard' Hacked"

The Sunshine State (December 13, 2022):
Interesting article

Billy Jack (December 13, 2022):
This sounds like it could be very promising.
Would InfraGard be a good source of up-to-date information about attacks and scams and how to deal with them? Has anyone here been a member and found them useful?

  InfraGardMember (December 13, 2022), in reply:
  Mainly OSINT. I've never found it to be useful. Generally just delete emails from them.

    InfraGardMember2 (December 14, 2022), in reply:
    Same. Attended a single meeting but heard nothing I couldn't gather from staying on top of industry news cycles.

      John F (December 14, 2022), in reply:
      As an InfraGard member, I value the formal purpose and intention of the group. In the event of a realized threat, due to the association to critical infrastructure, new communication channels become available in real time, due to one's association to critical infrastructure, not just because you're a member of InfraGard. But InfraGard, through its association with Homeland and the FBI, would be one of the channels used to share information. Independent of your Chapter (I'm in Chicago), there is also informal sharing of information by the members. The informal sharing, via private forums and email, is in near real time. Over the years, these informal shares are real-time, and not (yet) in the news. If you are associated to critical infrastructure, yes, this is a valuable organization to be a member of. It complements your other formal associations. And opens your informal networking to a group of your peers who are both business leaders, and often nerdy enough to know the consequences of the technology being compromised. For sure, if you qualify, it is a group of peers who are likely making decisions about threats to the Confidentiality, Integrity, and Availability (CIA) of critical infrastructure from either a global, national, state, regional, or own business perspective.

      eva (December 14, 2022), in reply:
      hello

  Andrew Rossetti (December 14, 2022), in reply:
  Aside from the general OSINT, it really depends on the Chapter you are a member of. Some chapters are more active than others.
  My chapter has actually put on a fair amount of seminars with experts on various aspects of security, both physical and cyber. I find these live events to be the far more compelling aspect of membership.

    jerome (December 14, 2022), in reply:
    Agreed!

Ren (December 13, 2022):
Ooops

Phillip (December 14, 2022):
FBI might not hire any person nerdy enough to firewall. However, as I see it, the onus is on flabby nerdy. And no, I do not have six-pack absolutely-s. I imagine, is all. Everybody is hacked, or whatever? Axiom of Choice is saying no. Not everybody is getting hacked.

  Moike (December 14, 2022), in reply:
  It's not clear that it is a firewall / hack issue since the data was taken over the API. It's more of a vetting and policy issue: how much access to allow between vetted members? Vetting becomes progressively harder as criminal technology advances: even if someone applies in person, how to know that the ID they present isn't fake along with the stolen credentials they are assuming?

    Dan (December 14, 2022), in reply:
    As a former member of InfraGard, back when I applied, we had to physically show up at an orientation meeting at the local FBI field office and were vetted/had our accounts created on site. My membership lapsed when I moved employers, but clearly they relaxed their standards/due diligence. It's sad to see this happen to an organization that is supposed to be security focused above all else. This news makes me feel a little bit embarrassed to have ever been associated with the program.

    dingle (December 14, 2022), in reply:
    The API shouldn't be wide open for any user to query as they please.

      mopmoppurrin (December 14, 2022), in reply:
      It's not because you must be a "vetted" member.

        stephen (December 14, 2022), in reply:
        and vetting makes it super secure

Justin Shafer (December 14, 2022):
ROFL
Will S (December 14, 2022):
So the people who continue to target anyone who does not agree with the mainstream media comments can't even protect their own database. I'm just done... the FBI gets BILLIONS and they can't even protect something as simple... as an online database. Just wow.

  Moike (December 14, 2022), in reply:
  I know you're upset that they investigated your favorites - California congressman TJ Cox and Texas Rep. Henry Cuellar, but investigations target those who ask to be investigated by their actions.

    Fox Mulder (December 14, 2022), in reply:
    Yup, just like Rev. Dr. Martin Luther King, right? I have no opinion on the folks you mentioned, for the record. Hell, I don't even know who they are. Just pointing out that the idea you're promoting is simplistic and, quite frankly, dangerous. Blind trust in anything - especially government - is foolish.

Eric (December 14, 2022):
With scammers like these, I'm always surprised they don't get an English-language editor involved to touch up their phishing emails. I know there's the whole "people who ignore the typos/bad grammar are more likely to fall for further scams" aspect, but as the blog post mentions, these targets are already security-conscious people. The message in the article above is likely to get no hits, while even some basic editing could really clean it up and boost its chances.

  Steve (December 14, 2022), in reply:
  That was my first thought too. The letter is supposed to be from a CEO. Did its author really think anyone who writes like that would be CEO of anything larger than a corner vape shop? The letter is a surefire way to eliminate worthless executives: anyone who falls for the letter doesn't belong in their job.

JC (December 14, 2022):
Totally read this the first time through that the US Department of Defense was hacking the FBI. Funny how in these bizarre times my brain thought yup... that sounds about right.
Andrew Rossetti (December 14, 2022):
The FBI is certainly not what they once were...

Ursula Blanchat (December 14, 2022):
That's better than a cup of coffee. I've had big issues with InfraGard and it's funny that they've finally got slapped with Karma.

Paul Wheeler (December 14, 2022):
FBI should have to buy it back...

Jack Beckman (December 14, 2022):
Aren't these the guys who want back doors into everything? Sure, they can be trusted with it.