[HN Gopher] Email from FBI Looks Odd
___________________________________________________________________
Email from FBI Looks Odd
Author : jacksoncloud
Score : 414 points
Date : 2021-11-13 08:13 UTC (14 hours ago)
(HTM) web link (old.reddit.com)
(TXT) w3m dump (old.reddit.com)
| tejtm wrote:
| the only vaguely reliable item in an email header is the last ip
| in the square bracket inserted by _your_ mailserver saying where
| it thinks it "Received from"
|
| note that in this case it is: Received: from
| dap00040.str0.eims.cjis (dap00040.str0.eims.cjis [10.66.2.72])
|
| and that 10.X.X.X is an un-routable address (unless you are part
| of the originating network)
|
| Since I'm not part of the FBI I would strongly suspect someone
| was misrepresenting their address to my mailserver.
|
| adding that I really don't know jack about this. sec is not an
| interest of mine so please, experts, straighten out any
| misconceptions I am propagating
| ev1 wrote:
| The one inserted by my mailserver is Received: from mx-east.fbi.gov
| (mx-east-ic.fbi.gov [153.31.119.142])
|
| The 10.* ones were inserted by theirs.
| technion wrote:
| There's a paste from another recipient's headers:
|
| https://pastebin.com/8ES3t1hv
|
| I believe the very top line is inserted by the victim
| mailserver and points to an FBI IP in a way that can be
| considered accurate.
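The rule of thumb tejtm, ev1 and technion are applying above can be made mechanical. The following is an added example, not code from the thread: it parses the Received chain, treats only the topmost hop (the one the receiving MTA wrote) as trustworthy, and checks whether its address literal is globally routable. The sample message reuses the two hop lines quoted in this thread (the 10.66.2.72 hop from tejtm and the 153.31.119.142 hop from ev1); the `by` clauses, queue ids, timestamps and the From/To/Subject lines are constructed.

```python
"""Which hop of a Received chain can you actually trust?

Added example; not code from the thread. Only the topmost Received header,
written by the receiving MTA itself, reflects a TCP connection that MTA
really saw. Every hop below it arrived inside the message and may be forged.
"""
import ipaddress
import re
from email import message_from_string

# Constructed sample message. The two "from ... [ip]" clauses are the hops
# quoted in the thread by ev1 and tejtm; the "by" clauses, queue ids,
# timestamps and the From/To/Subject lines are invented for this example.
SAMPLE_MESSAGE = """\
Received: from mx-east.fbi.gov (mx-east-ic.fbi.gov [153.31.119.142])
    by mail.recipient.example (Postfix) with ESMTPS id 4HrJ3k0Qz9
    for <noc@recipient.example>; Sat, 13 Nov 2021 09:07:00 +0000 (UTC)
Received: from dap00040.str0.eims.cjis (dap00040.str0.eims.cjis [10.66.2.72])
    by mx-east.fbi.gov with ESMTP id 7Qz9k3Hr4;
    Sat, 13 Nov 2021 09:06:58 +0000 (UTC)
From: noreply@example.invalid
To: noc@recipient.example
Subject: constructed sample

(body omitted)
"""

# "from <helo-name> (<reverse-dns> [<address-literal>])" as Postfix/Sendmail write it.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
)


def received_chain(raw_message):
    """Received header values in header order: most recently added hop first."""
    msg = message_from_string(raw_message)
    # Unfold continuation lines so each hop is one logical line.
    return [" ".join(value.split()) for value in msg.get_all("Received", [])]


def parse_hop(received_value):
    """Extract HELO name, reverse-DNS name and address literal from one hop."""
    match = HOP_RE.search(received_value)
    if not match:
        return None
    try:
        ip = ipaddress.ip_address(match.group("ip"))
    except ValueError:
        return None
    return {
        "helo": match.group("helo"),
        "rdns": match.group("rdns"),
        "ip": str(ip),
        # RFC 1918/4193 space and other special-use ranges cannot have reached
        # your MTA over the public internet.
        "routable": ip.is_global,
    }


def analyze(raw_message):
    """Annotate every hop; only position 0 was written by the receiving MTA."""
    hops = []
    for position, value in enumerate(received_chain(raw_message)):
        hop = parse_hop(value) or {"helo": None, "rdns": None, "ip": None, "routable": False}
        hop["position"] = position
        hop["written_by_own_mta"] = position == 0
        hops.append(hop)
    return hops


def verdict(raw_message):
    """One-line reading of the chain in the spirit of the rule of thumb above."""
    hops = analyze(raw_message)
    if not hops or hops[0]["ip"] is None:
        return "no usable Received header"
    top = hops[0]
    if not top["routable"]:
        # Your own MTA accepted a connection from non-routable space: the
        # sender is inside your network or misrepresenting itself to your MTA.
        return f"top hop {top['ip']} is not globally routable: internal or forged"
    return f"top hop {top['ip']} is a public address your MTA actually accepted a connection from"


if __name__ == "__main__":
    for hop in analyze(SAMPLE_MESSAGE):
        print(hop)
    print(verdict(SAMPLE_MESSAGE))
```

The inner hop carries a 10.x address, which is exactly what tejtm noticed; the code reports it as non-routable but also as not written by your MTA, so on its own it says nothing about who connected to you. The top hop is the only one whose address literal your server filled in from the real TCP connection, which is the sense in which technion calls it "accurate".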
| L0in wrote:
| FBI e-mail infrastructure got hacked.
| [deleted]
| Kiro wrote:
| https://twitter.com/vinnytroia/status/1459515619838251010
|
| https://twitter.com/pompompur_in/status/1459458485154942978
|
| https://twitter.com/seds
|
| Is this some kind of meme or joke I don't understand?
| Kiro wrote:
| Readable link on mobile:
| https://www.reddit.com/r/sysadmin/comments/qsun7o/email_from...
| mynameismon wrote:
| A more readable link:
| https://i.reddit.com/r/sysadmin/comments/qsun7o/email_from_f...
| oxymoran wrote:
| I find it fascinating that one can be intelligent enough to be
| able to do something like this but they just couldn't put
| together a coherent enough email to actually fool you, especially
| because they seem to have a decent enough command of English. The
| tone is waaaaaay off though.
| ac2u wrote:
| Perhaps the human effort needed to see their goals through
| requires that they filter for only the targets that would fall
| for such a poorly constructed effort.
| Zarel wrote:
| The big unanswered question there is: Why go through the
| effort of making the headers real, if you want to
| intentionally filter out the kind of people who would look at
| them?
| ac2u wrote:
| We're talking in hypotheticals of course, but the effort to
| make headers real isn't just to fool people who would
| inspect, but also to fool corporate spam filters and email
| clients that would display big bold warnings over such an
| email.
| rasz wrote:
| This could work if recipients were CEOs/CISOs, not actually
| technical people (ARIN IP range contacts = NOC? as someone
| above me found out)
| Alex3917 wrote:
| If you can send email from the FBI then you also have a get out
| of jail free card for any crime. Seems like a bad use of this
| access.
| enkid wrote:
| I don't see how sending an email from the FBI gives you a get
| out of jail free card.
| Alex3917 wrote:
| If the FBI offers you immunity in exchange for implicating
| yourself in a crime, then they can't retroactively retract
| that offer after you've already confessed. This is true
| even in cases where the defendant was improperly offered
| immunity. And emails from an organization's domain name are
| generally legally binding.
|
| (Obviously this isn't legal advice.)
| elliekelly wrote:
| The FBI doesn't offer immunity. The DOJ does. There's
| also usually a signed document called a "proffer letter"
| or a "Queen for a Day" agreement that's signed by an
| AUSA. I'm not sure an email would pass muster. Maybe it
| would, but it would certainly be a very big departure
| from the norm.
| Alex3917 wrote:
| > The FBI doesn't offer immunity. The DOJ does.
|
| Fair. But if the FBI gave someone a cryptographically
| signed offer of immunity and the person then confessed,
| you don't think the case would get thrown out?
| bink wrote:
| Those types of papers get filed with the court. They
| don't simply shake hands (or exchange emails) before
| accepting a plea agreement.
| teddyh wrote:
| "Your faith in the legal system is appalling."
|
| https://www.schlockmercenary.com/2009-06-26
| toomanybeersies wrote:
| Send an email under the guise of the FBI to the president,
| asking for immunity for yourself?
| hungryforcodes wrote:
| President: "Hey FBI dudes -- is this email legit?"
|
| FBI: "LOL WTF!?"
|
| Probably not.
| lostlogin wrote:
| Maybe this is how dubious characters have received
| presidential pardons over the years?
| NaughtyShiba wrote:
| Just because you are intelligent in one field doesn't
| necessarily mean you are intelligent in others. I personally
| need to rewrite text 4-5 times for RFC/Proposal PRs. I would
| assume English isn't their native language, but it's on the line
| between good and correct.
| sys32768 wrote:
| I received this at 1:07 AM PST to my work sysadmin account. It
| passed Barracuda and Office 365 spam filters.
|
| Initially I felt a surging panic when I realized the source IP
| was indeed FBI, especially considering one of our close partners
| recently buckled under a ransomware attack they refused to pay,
| and thus had to rebuild from backups over a period of two weeks.
|
| Smells mostly bogus now with no links to a status page and so
| many others reporting the exact same sloppy email, but how did
| they know to email me and other sysadmins, and how did they send
| from an FBI IP address?
|
| Edit: typo
| ev1 wrote:
| Are you listed on any contacts or WHOIS? One of my friends got
| it to every single possible ARIN POC - abuse, noc, any named
| users for their IP space, and any emails that could be found
| for their domain.
| sys32768 wrote:
| No, actually. All domains use an alias but this was sent
| directly to my primary, but not sent to any of our historic
| or present domain WHOIS contacts.
| bell-cot wrote:
| Did the "one of our close partners [who] recently buckled under
| a ransomware attack" have contact details for "[you] and other
| sysadmins", to target the emails?
| vhold wrote:
| If it wasn't whois then another common tactic is to use
| LinkedIn and guess addresses from the names.
| hericium wrote:
| The lack of the full body and of some headers mentioned in the
| DKIM-Signature header makes it impossible to verify DKIM
| authenticity. Had (reddit) OP not cut out their Authentication-
| Results headers, we would know how their MTA's anti-forgery
| mechanisms saw this alleged message.
|
| But, assuming that what's on reddit is true, this is interesting.
| It looks like the FBI attempting to discredit a researcher (which I
| doubt because this would be one of the dumbest ways to do so) or
| maybe someone gained enough access to the FBI's infra to at least
| bounce a message through their systems without it looking so (but
| earlier Received headers do not suggest that the message
| originated from outside the network).
|
| EDIT: Another idea is that OP's systems may be so compromised
| already that someone simply created an FBI-looking message on their
| system and it never touched the network.
| arvindamirtaa wrote:
| https://twitter.com/GossiTheDog/status/1459451749811593219
| IYasha wrote:
| I still don't quite understand hackers: doing such high-profile
| hacking and writing lame texts even without much fact checking
| (about agency divisions in this case). Written in a more
| professional way, this attack could be way more effective. Also,
| is it a thing among "hackers" to write with tons of mistakes? A
| part of culture maybe? Or to scare the bricks out of people? )
| jedimastert wrote:
| Along with the weeding described by others, this could also be
| a public proof of concept, with a much more sophisticated back-
| door left for whenever the clean up is done.
| Tenoke wrote:
| I'm guessing they are either testing their approach or doing it
| just for fun without a real objective.
| LogonType10 wrote:
| >Also, is it a thing among "hackers" to write with tons of
| mistakes?
|
| Most phishing content isn't made by native English speakers. A
| lot of it has incorrect grammar/spelling or was just generated
| by Google Translate.
| tsywke44 wrote:
| The email text to me looks like it was written by some 15-year-
| old zoomer kid with no clue what they're really doing.
| kingkawn wrote:
| Or the purpose is to make the FBI look publicly incompetent,
| not to successfully carry out a secret operation.
| vmception wrote:
| For the lulz, I would be happy to see that culture come back,
| well somewhat
| flatiron wrote:
| According to the phishing training I was mandated to take at
| work if you are stupid enough to overlook the mistakes you are
| the right target. According to them the misspellings filter out
| the smart enough people they don't want talking to. But that
| could also be nonsense.
| caturopath wrote:
| Yeah, I buy this theory in general, but I'm not sure that's
| the highest-leverage way to use this access.
| rPlayer6554 wrote:
| I think higher level ways get dangerous. Contacting the FBI
| directly to try and get money might make it easier to find
| you. Trying to sell it or other information to a foreign
| entity is also risky because you can't be sure they won't
| turn you over.
| dustingetz wrote:
| Spelling errors like that are how real people write in
| enterprise, imagine Trump writing email
| jdavis703 wrote:
| I've worked in government and contracted for Fortune 500
| companies. Never have I seen an email that was written like
| Trump's Tweets. I'm sure it happens, but I don't think it's
| common.
| throwaway821909 wrote:
| Ignoring this specific case where it seems especially
| unlikely, that's always seemed like someone worked backwards
| and overthought it to me, "the spelling mistakes, they have
| to mean something".
|
| I don't think there is a binary smart population and dumb
| population to optimise around, for every step down, some
| people who are otherwise convinced become hesitant and waste
| time, and some of that group become totally unconvinced.
| bredren wrote:
| In this podcast episode with the founder of conversational
| AI, he describes the need to make spelling mistakes (and
| correct them) in order to help establish that the bot is
| actually a human.
|
| https://podcasts.apple.com/us/podcast/the-python-podcast-ini...
| dqv wrote:
| I think making subtle spelling mistakes is a much clearer
| sign that someone is human. The imperfection without
| correction makes it more believable. I still think the
| hackers could stand to take a creative writing workshop.
| AbrahamParangi wrote:
| The argument is that the hacker's operational costs are
| massively dominated by the manual work of social
| engineering, so they have a huge incentive to filter out
| people who are less responsive to social engineering.
|
| If you accept that some people are more credulous than
| others, it becomes the best strategy to optimize for only
| talking to people who believe you.
| vorhemus wrote:
| I'd have guessed that it should be possible to get a reasonable
| amount of $ for selling access to FBI email servers but maybe
| the person(s) behind the attack don't care much about money.
| mattnewton wrote:
| I wonder if, similar to automatically choosing alternate
| synonyms, small spelling errors throw off naive spam detectors
| while remaining perfectly readable?
| trhway wrote:
| "email from FBI", and the Nigerian FBI office at that ...
| Reminds me of this: a professor at a Moscow university a couple of
| months ago received a call from the Russian Central Bank advising
| him that his account at some bank was being actively targeted by
| scammers/hackers, and that he needed to temporarily transfer the
| money to the special holding account the Central Bank rep
| provided, so the professor did. Some time later the scammers
| started to target the professor's condo - a police agent called
| him informing him about it and asking for help to catch the
| scammers - when the scammers came with the prepared documents for
| the condo sale, the professor would need to play along as if he
| didn't know it was a scam, sign the documents, receive the money
| and after that hand the money over as evidence to the special
| agents in the car near the condo building. And the professor did
| as he was told. So far - no money, no condo, no bank account with
| the significant sum of money...
|
| Or as our corporate anti-phishing/etc. training - which was
| forced upon us again last month - instructs: "Got a call from John
| from company A? Hang up and call the public phone number of the
| company A and ask for the John."
| JorgeGT wrote:
| > _Hang up and call the public phone number of the company A
| and ask for the John_
|
| Some time ago a HN user was approached by the CIA/FBI like this
| (they wanted help with a software he wrote). They told him to
| look up the public number for the agency and ask for agent
| whatever.
| tentacleuno wrote:
| What happened to the scammers?
| trhway wrote:
| So far nothing. The victim reported it to police only 3 weeks
| ago. https://www.google.com/amp/s/m.gazeta.ru/amp/social/news/202...
| buzer wrote:
| The email address seems to point to EIMS (Enterprise
| Identification and Management Service according to
| https://bja.ojp.gov/sites/g/files/xyckuh186/files/media/docu...).
| The email address is also listed at some guide at
| https://www.justice.gov/tribal/page/file/1260671/download.
|
| My guess would be that there is some integration point somewhere
| to EIMS that allows requesting/granting some access & takes the
| email template from submitted form.
| Raed667 wrote:
| We have been made aware of "scary" emails sent in the last few
| hours that purport to come from the FBI/DHS. While the emails are
| indeed being sent from infrastructure that is owned by the
| FBI/DHS (the LEEP portal), our research shows that these emails
| *are* fake.
|
| https://twitter.com/spamhaus/status/1459450061696417792
| TheRealNGenius wrote:
| Why did they feel the need to emphasize _are_?
| stevebmark wrote:
| I continue to see Twitter as an invaluable real time news
| source. It often seems to have more direct information on
| breaking topics than other mediums. I often discover news on
| Twitter well before seeing it on other platforms.
| systemvoltage wrote:
| Agree, but also keeps feeding me extreme bias and straight up
| nonsense. Let's not forget its destructive aspects as well.
| camhart wrote:
| Last summer Twitter alerted me to wild fire evacuations for
| my area (in Western Washington) hours before traditional
| channels reached me.
| yonaguska wrote:
| Tangentially related, but the FBI needs to be disbanded. At least
| the DC offices, which are simply a political police force at this
| point. This is just another example of incompetence on their
| part.
| dang wrote:
| " _Eschew flamebait. Avoid unrelated controversies and generic
| tangents._ "
|
| https://news.ycombinator.com/newsguidelines.html
| _game_of_life wrote:
| So what would you suggest to replace it? Obviously there needs
| to be some federal law enforcement agency...
|
| And as much as their past has portions that are super fucked
| up, wasn't that also a reflection of American society at the
| time?
|
| I just think that for as much harm as the FBI historically
| caused, they've also busted enormous criminal rings and done a
| lot to reduce organized crime. I genuinely think Americans
| would be worse off without them, even with my bias as a leftist
| that typically loathes alphabet soup surveillance agencies.
| Doubtme wrote:
| I'm just going to let you figure out this one for yourself.
| dang wrote:
| Please don't take HN threads further into flamewar. We're
| trying to avoid that here.
|
| https://news.ycombinator.com/newsguidelines.html
| yonaguska wrote:
| There was no reform after COINTELPRO.
|
| The FBI has known about nearly every mass shooter for the
| past 20 years, they've leaked numerous investigations and
| raids to the press for political reasons, they sit on
| evidence for political reasons, they target domestic
| journalists for political reasons, they lied to FISA courts
| for political reasons, and they've been sitting on
| exculpatory evidence for political reasons, they've been
| sicced on parents at school boards for political reasons.
|
| I'll let you figure this one out for yourself.
| tata71 wrote:
| No idea what the other commenter was alluding to...
| twofornone wrote:
| They did allegedly just raid a politically opposed
| journalistic outlet and leak confidential reporter's
| notes to NYT, which is sort of illegal. Can anyone
| explain why Biden's daughter's stolen diary, which PV
| obtained _and gave back_ , is grounds for an FBI search
| warrant?
|
| https://news.ycombinator.com/item?id=29210285
| astronautjones wrote:
| calling that guy a journalist is hilariously
| disingenuous. the guy that has been caught doctoring and
| falsely editing literally everything that he has
| produced?
|
| He's catering to an audience of hateful people that can't
| even eat breakfast without it being in bad faith. He is
| weeks away from an expose telling you that actually the
| confederacy landed on the moon first.
|
| Being a contrarian fool that argues blindly without
| accepting or understanding reality and context is de
| rigueur on this website, it's disgusting
|
| and telling as to why the industry is so self-serving and
| fraud-ridden
| twofornone wrote:
| > the guy that has been caught doctoring and falsely
| editing literally everything that he has produced?
|
| I don't know what to tell you, that's a lie. Even if he
| had published misleading or false statements in the past,
| that does not imply that everything out of PV is false,
| as convenient as such a belief may be for supporters of
| the establishment.
|
| >He's catering to an audience of hateful people that
| can't even eat breakfast without it being in bad faith.
| He is weeks away from an expose telling you that actually
| the confederacy landed on the moon first.
|
| Dissent is not hateful. Leaning right is not hateful. You
| are stereotyping, writing off everyone on the other side
| based on the beliefs of an extreme minority. The same
| logic could be applied to the left at large and it would
| be just as dishonest.
|
| >Being a contrarian fool that argues blindly without
| accepting or understanding reality and context is de
| rigueur on this website, it's disgusting
|
| As opposed to blindly following groupthink because your
| "authoritative sources" have unquestioningly quoted
| experts with blatant political and financial conflicts of
| interest? Please. Tell me, where are the journalists
| looking into e.g. ties between pfizer and the FDA?
| Regulatory capture is no secret. The partisan hate that
| PV gets is totally unwarranted, it's a cheap, straw
| grasping dismissal of opposition.
|
| This leaked diary is an excellent example, by the way.
| Though PV did not leak the contents, someone else did,
| and there are images of pages detailing Ashley's
| potential molestation by her father. If our media had a
| semblance of objectivity that would be a huge story - and
| apparently if the FBI is raiding PV over the diary (for
| which there is absolutely no justification, beyond party
| politics), the diary must be authentic. Hunter Biden's
| laptop was another example of mass collusion by partisan
| media - regardless of how you feel about the situation,
| images of a presidential candidate's son smoking crack
| with prostitutes is huge news. PV was one of the few
| outlets willing to touch it.
|
| In any case, that you may think O'Keefe is biased does
| not imply that he is not in fact a journalist; unless you
| are willing to be consistent and acknowledge that the
| blatant activism that has replaced journalism in
| mainstream media also disqualifies them from identifying
| as journalists. This is what dissent looks like.
| razakel wrote:
| Never heard of the boy who cried wolf, then?
|
| The serial liar is probably lying. If he had anything of
| substance then he should pass it to someone with
| credibility.
|
| Or, more likely, this is Hunter Biden's laptop, which
| disappeared once there was literally no substance.
| twofornone wrote:
| The boy who cried wolf alludes to a _heuristic_ , not
| carte blanche to disregard media outlets you don't like.
|
| And I would argue that dozens of images of the son of a
| presidential candidate partying with prostitutes and a
| crack pipe is indeed substance - regardless, the
| coordinated refusal to report negative information
| regarding their preferred party should make you at least
| as concerned about selective reporting as you are about
| PV. It is blatant evidence of partisanship, propaganda,
| and the same sort of election influencing collusion that
| trump and russia were accused of. Conveniently off of a
| false report as has recently come out - is that enough
| for you to start disregarding MSM outlets now? Clearly
| there wasn't even an _attempt_ to investigate the steele
| dossier on the part of the propagandists you so blindly
| trust. Crying wolf indeed.
| amadeuspagel wrote:
| > He's catering to an audience of hateful people that
| can't even eat breakfast without it being in bad faith.
|
| This sounds like a parody of an accusation of bad faith.
| If some people can't even eat breakfast without being
| accused of acting in bad faith, that says more about the
| people making the accusation.
| geofft wrote:
| I am guessing "Anyone who gets seriously close to
| threatening the FBI's existence will get extrajudicially
| prevented from doing so"?
|
| For a lawmaker, you don't even have to do anything
| legally or (particularly) morally questionable like
| killing them - just entrap them and have them lose their
| jobs. https://en.wikipedia.org/wiki/Abscam
| RNCTX wrote:
| If you do catch them and it's too public to go after you
| for retribution, they'll sell a federal judiciary seat to
| someone willing to erase it.
|
| One of Trump's 2017 judicial appointments in the ND of
| Texas dismissed the civil suit against the FBI, DOJ, and
| Comey by name for organizing the "ISIS" mass shooting in
| Garland, TX in 2015. We know they organized it because
| local cops caught an undercover in the parking lot _who
| was waiting on the shooters to arrive_. [1] He had to
| identify himself as undercover to stop the local cops
| from shooting him. [2] A security guard who was shot in
| the incident brought the civil suit against the feds,
| discovery produced text messages showing the same
| undercover FBI agent giving the shooters instructions.
| The FBI also had to remove flags from databases so the
| shooters could pass background checks for gun purchases.
|
| And before anyone falls for the knee-jerk tendency of
| thinking one political party is different from the other,
| the judge who dismissed the case on her first day was a
| stalled Obama appointment to the same seat before she was
| a Trump appointment confirmed for that seat. And the
| person who blew the whistle on the FBI paying people to
| recruit and train domestic "terrorists" said they began
| doing so when Obama took office in 2009.
|
| 1. https://www.azcentral.com/story/news/local/phoenix/2017/02/1...
|
| 2. https://www.cbsnews.com/news/terrorism-in-garland-texas-what...
| nosefrog wrote:
| Extraordinary claims require extraordinary evidence, and
| most of what you've stated are not supported by your
| links.
| [deleted]
| tumblewit wrote:
| There is this line from Michael Clayton movie that I basically
| assume every time I see something like this 'client:(phone rings)
| That's the police isn't it? MC: No, they don't call.' Or in this
| case, they don't email.
| capableweb wrote:
| Not this holds up, in this case they would most likely call you
| and either tell you over the phone, or set up the meeting over
| the phone.
| killingtime74 wrote:
| Would the FBI not establish first contact by mail, in person or
| at least on the phone? What kind of common sense thinks this is
| legit?
| pedro2 wrote:
| The news here is the headers look good.
| sterlind wrote:
| The hackers have the ability to originate legit emails from
| ic.fbi.gov and they blow it on a spammy phishing campaign
| with broken English? what a waste..
| 3np wrote:
| It doesn't even seem like phishing; there's no contact info
| and the sender bounces in a way that seems like it doesn't
| go to the one who sent it.
|
| Is it general FUD (eroding FBI legitimacy) or a smear
| campaign against Vinny Troia..?
|
| EDIT: Or it's a diversion of attention; there's something
| else going on somewhere else that they want to go
| unnoticed.
| jazzyjackson wrote:
| vinny troia himself washing out the google results for
| his name?
| not1ofU wrote:
| never heard of him before, but after a few minutes
| digging, I tend to agree.
| madaxe_again wrote:
| Sounds about right. A blue chip I work with had a
| successful phish against them - the attacker ended up with
| access to the email inbox of an HR person.
|
| So they tried basic, stupid 419 type scams, with broken
| English.
|
| They could have pried the entire org wide open - she had
| masses of private data in her inbox, enough to impersonate
| or social engineer your way to anywhere.
|
| But instead, they blew it - and blew it so badly the client
| spent days investigating what this could have been a
| distraction for, as they pretty much couldn't believe their
| luck at the minimal severity of the attack.
|
| It's like breaking into the federal reserve, thinking it's
| a 7/11, and then stealing the ballpoint pens from the
| cashiers desks.
|
| Either way, it was a helpful experience for them - a
| vaccination against further stupidity, and they all of a
| sudden started engaging on their ISMS with gusto and
| panache.
| notahacker wrote:
| The other episode that springs to mind is the hackers who
| managed to compromise the Twitter accounts of the likes
| of Obama and Elon Musk, but used it to promote a shitty
| Bitcoin gifting scam, which netted them an easily traced
| $100k and a prison sentence. Probably the scammers
| promoting the same sort of scheme in the comments with
| legal fake accounts make more money.
| jazzyjackson wrote:
| i've heard it said, "if criminals were any smarter they
| wouldn't be criminals" - but of course it's a selection
| bias because smart criminals don't get caught, you only
| hear about the dumb ones
| mark-r wrote:
| If you work with police, you'll hear no end of dumb
| criminal stories. My favorite was the guy who coated his
| fingers with glue so he wouldn't leave fingerprints at
| the scene - then peeled off the glue and dropped the
| peelings in the trash on his way out. Leaving perfect
| fingerprints.
| LeonM wrote:
| Except that the OP did not post all the information to
| verify.
|
| The IP address does belong to the fbi.gov (both forward and
| reverse DNS lookups check out).
|
| The DKIM public key does exist at the given selector [0], but
| without the complete raw message, it is not possible to
| verify the signature. He also excluded the authentication-
| result header from his post.
|
| [0] https://www.mailhardener.com/tools/dkim-validator?domain=cji...
| londons_explore wrote:
| > Except that the OP did not post all the information to
| verify.
|
| A few other people on that thread got the same mail and did
| verify it. Either they're all sockpuppets or it verifies.
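hericium (earlier in the thread) and LeonM (above) are making the same point: from a partial paste you can confirm that the selector's key exists and that the bh= value matches the body, but you cannot finish DKIM verification. The code below is an added example, not code from the thread, from Spamhaus, or from any DKIM library. It implements the parts of RFC 6376 that need only the message itself: body canonicalization ("simple" and "relaxed"), the bh= comparison, the name of the DNS record that holds the public key, and a list of h= headers missing from what was pasted. The b= signature check needs that key and an RSA verify, which the standard library does not provide, so it is deliberately left out. Domain, selector, body and headers are constructed placeholders; bh= is computed from the sample body because there is no real signed message to work from.

```python
"""How much of a DKIM check survives a partial paste of a message?

Added example; not code from the thread or from any DKIM library. Covers
body canonicalization, the bh= comparison, the DNS name of the public key
and which h= headers are absent. The b= step (RSA verify) is left out.
"""
import base64
import hashlib
import re


def parse_tags(dkim_signature_value):
    """Split 'v=1; a=rsa-sha256; ...' into a dict, dropping folding whitespace."""
    tags = {}
    for part in dkim_signature_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags


def canonicalize_body(body, method):
    """RFC 6376 3.4.3 ('simple') / 3.4.4 ('relaxed') body canonicalization."""
    lines = body.split("\r\n")
    if method == "relaxed":
        # Collapse runs of SP/TAB to a single space, drop trailing whitespace.
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()  # ignore empty lines at the end of the body
    if not lines:
        return "\r\n" if method == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, method="relaxed", hash_alg="sha256"):
    """Base64 digest of the canonicalized body: the value a signer puts in bh=."""
    canonical = canonicalize_body(body, method).encode("utf-8")
    return base64.b64encode(hashlib.new(hash_alg, canonical).digest()).decode("ascii")


def check_signature_inputs(dkim_signature_value, available_headers, body):
    """Report how far a DKIM check can proceed with the material at hand.

    available_headers: names of the headers you actually have (e.g. a paste);
    body: the raw body, or None if the paste omitted it.
    """
    tags = parse_tags(dkim_signature_value)
    _header_canon, _, body_canon = tags.get("c", "simple/simple").partition("/")
    body_canon = body_canon or "simple"  # "c=relaxed" alone means relaxed/simple
    hash_alg = tags.get("a", "rsa-sha256").split("-", 1)[1]
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    present = {h.lower() for h in available_headers}
    # DKIM allows signing a header that is absent (pinning it as absent), so a
    # header missing from a partial paste is ambiguous: only the raw message
    # shows whether it was never there or simply not posted.
    missing = [h for h in signed if h not in present]
    body_ok = body is not None and body_hash(body, body_canon, hash_alg) == tags.get("bh")
    return {
        "dns_record": f"{tags['s']}._domainkey.{tags['d']}",  # TXT record with the public key
        "body_hash_ok": body_ok,
        "missing_signed_headers": missing,
        "b_check_possible": body_ok and not missing,
    }


# Constructed sample: .invalid is a reserved placeholder TLD, the selector is
# made up, and b= is a marker rather than a signature. Only bh= is real.
SAMPLE_BODY = (
    "Hello,\r\n"
    "\r\n"
    "This is a constructed   message body  with irregular spacing.\r\n"
    "\r\n"
)


def make_sample_signature(body):
    """Build a DKIM-Signature value whose bh= matches `body`."""
    return (
        "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.invalid; s=sel1;\r\n"
        "\th=from:to:subject:date:message-id; "
        f"bh={body_hash(body, 'relaxed', 'sha256')};\r\n"
        "\tb=NOT-A-REAL-SIGNATURE"
    )


# Headers as someone might paste them, with one signed header (Date) left out.
PASTED_HEADERS = {
    "From": "noreply@example.invalid",
    "To": "noc@recipient.example",
    "Subject": "constructed sample",
    "Message-ID": "<constructed-id@example.invalid>",
}

if __name__ == "__main__":
    signature = make_sample_signature(SAMPLE_BODY)
    print("full body:     ", check_signature_inputs(signature, PASTED_HEADERS, SAMPLE_BODY))
    print("truncated body:", check_signature_inputs(signature, PASTED_HEADERS, SAMPLE_BODY[:20]))
```

Run against the full body, the bh= check passes and the DNS name to query is `sel1._domainkey.example.invalid`, which is the part LeonM could confirm. Run against a truncated body, bh= fails, and with a signed header missing from the paste the signature over the headers cannot even be attempted: that is hericium's "impossible to verify" in concrete terms. Relaxed canonicalization is why the check tolerates whitespace and trailing-blank-line differences but not a missing chunk of body.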
| [deleted]
| rybosworld wrote:
| Seems like an attempt to embarrass the FBI?
| buro9 wrote:
| The FBI don't provide information like this in an email and will
| speak to you first.
|
| This is bogus, delete it.
| londons_explore wrote:
| The dkim header signature is correct. It means it really is
| from an FBI server.
| buro9 wrote:
| But still... the FBI don't speak to you like this and
| wouldn't overprovide information like this.
|
| The only time I've seen the FBI talk like this is when they
| already have a trusted relationship with you and an open
| channel and they're off the record.
|
| Just because a server is coerced into sending an email that
| is signed, it does not mean it is from the FBI.
| lordofgibbons wrote:
| The point here isn't whether this is real or fake. The news
| is that someone is able to impersonate an email as coming
| from the FBI with all of the correct email headers with
| dkim signing. I'm speculating here, but this probably means
| they might have control of one of the FBI subdomains.
| hericium wrote:
| How can you tell without all the headers mentioned in DKIM-
| Signature?
| PaulHoule wrote:
| They probably want you to send them money with a gift card, watch
| out! Real thugs use Bitcoin.
| [deleted]
| dsukhin wrote:
| The email domain where the messages originate is from some sort
| of federated identity management system that was created in 2010
| (here is a proposal deck [0] with technical details). Found this
| program simply by searching Google for the sending domain.
|
| Based on the guide for using this system [1] (see step 15) looks
| like this specific email address is the one that sends automated
| confirmation emails upon registration. Perhaps someone was able
| to inject a message instead of the regular canned text through
| some sort of reflection attack? This explains why replies to the
| message result in a canned response. The system also now appears
| to be temporarily down. So it's getting some sort of attention
| (internally taken down (most likely) or maybe denial of service
| from the abuse).
|
| The Reddit thread suggests the recipients' emails are likely ARIN
| IP range contacts. Those are very available from tools like this
| [2] so nothing interesting with that, but the real question is
| WHY someone would do this at all? This was clearly given some
| thought (on who to send this to who would actually take the time
| to verify the headers) but given the sloppiness of everything
| else, is this just a script kiddie flex? Whoever it is pissed off
| the FBI and gained absolutely nothing.
|
| [0]
| https://bja.ojp.gov/sites/g/files/xyckuh186/files/media/docu...
|
| [1] https://www.justice.gov/tribal/page/file/1260671/download
|
| [2] http://itools.com/tool/arin-whois-domain-search
| technion wrote:
| Awesome. A guide written in 2019 from the FBI that suggests
| Internet Explorer.
| havkd wrote:
| What's wrong with internet explorer? It's still in active
| support.
| Aeolun wrote:
| I think the problem is that you have to clarify it's still
| in active support
| havkd wrote:
| So you're against LTS releases I suppose?
| hollander wrote:
| 2001 called - either you're with us or you're against us.
| tata71 wrote:
| Depends which one you use, how many years out of security
| updates is your openssh package...?
| bogwog wrote:
| Where have you been for the past 20 years? Amish country?
| Because there weren't many other places to take shelter
| from the horrors of IE.
| technion wrote:
| It's actively supported by a company who themselves
| recommend against it and described its use as technical
| debt (in 2019)
|
| https://techcommunity.microsoft.com/t5/windows-it-pro-blog/t...
| Wowfunhappy wrote:
| They didn't say not to use IE, just to restrict IE's use
| to specific applications where it's needed. The FBI has
| technical debt too!
| throwaway743 wrote:
| You must be trolling
| tata71 wrote:
| What site is this? Wow.
| msisk6 wrote:
| Yep, as late as earlier this year there's a ton of stuff
| inside the DHS that still requires IE and flash.
| fortran77 wrote:
| I would assume they're recommending Edge now. We switched
| from IE to Edge around that time; and our company is very
| security conscious because of our clients.
| RNCTX wrote:
| I would assume you're wrong. I don't think you appreciate
| how many government websites run ancient software sold to
| them by a politician's cousin, who thinks even having a
| developer on staff is a waste of money.
| throwaway743 wrote:
| They also run ancient shit that was promoted internally.
| Not to mention how many sites/tools are outsourced to
| vendors who then outsource development to foreign
| development vendors.
|
| To clarify, this is concerning from a security standpoint
| and is not out of xenophobic bigotry.
| jerry1979 wrote:
| The twitter link[0] posted in another thread appears to show a
| copy of the attacker's email. It looks like the attacker sent
| the email in a bid to lay down psychological cover fire in
| order to get sysadmins to work with an attacker who would
| identify themselves as "TheDarkOverlord".
|
| [0]
| https://twitter.com/spamhaus/status/1459452609979371520/phot...
| tyingq wrote:
| _" Enter your official business email address...Do not use
| hyphens or dashes in the social security number (SSN#) and Date
| of Birth fields....Enter your employer's information in the
| "Employer" fields"_
|
| Oh, fun. Connected to a treasure trove of LEO personal info.
| buzer wrote:
| > The Reddit thread suggests the recipients' emails are likely
| ARIN IP range contacts.
|
| It's likely multiple different sources. I just noticed I got it
| as well on my personal email (which has custom domain) and I
| don't own any IP ranges.
| _jal wrote:
| Yeah, I got it to two accounts I use with ARIN, as well as
| another that is confusing me.
|
| That one is not very old, I know I have the entire outbound
| history for it, and have not used it for ARIN or anything
| similar.
| enkid wrote:
| It could be the Russians trying to make the FBI look
| incompetent and make people trust the government less.
| macinjosh wrote:
| Oh no! Best check under the bed and in the closet for those
| dang ruskies /s
| RhodesianHunter wrote:
| What's the point of comments like this? Do you honestly not
| believe that Russia enlists hackers to poke at the seams in
| the US?
| boomboomsubban wrote:
| >Do you honestly not believe that Russia enlists hackers
| to poke at the seams in the US?
|
| No, but I believe you should have some evidence before
| you start accusing them. Otherwise it is very much the
| "blame Russia" type comment that poster was mocking.
| chayleaf wrote:
| Not the OP, but, well, just as it could've been Russians,
| it could be North Koreans, Chinese, or anyone else. As a
| Russian, the comment just seemed unnecessary, though I'm
| obviously biased.
| boomboomsubban wrote:
| The Russians would likely try to exploit such an e-mail to
| gain something more tangible or if their goal was to make the
| FBI look inept they would send the message to a much wider
| audience.
| pangolinplayer wrote:
| Done and done.
| [deleted]
| hungryforcodes wrote:
| From the Reddit thread: "got it too. i called the FBI helpdesk
| and they are getting flooded with calls..."
|
| I mean as a spammer (or whatever) do you REALLY want to piss off
| the FBI like that?
| LogonType10 wrote:
| If you're in a former USSR state there's nothing they can do to
| you.
| sennight wrote:
| What are they gonna do in response, bankroll somebody to say
| they have a tape of Russian hookers peeing on you? The FBI is
| famously inept at anything beyond questionably legal political
| games, so much so that the Secret Service was in charge of
| enforcing telecommunications related law for the longest time.
| pangolinplayer wrote:
| True
| rwbhn wrote:
| Misdirection? Loud noise here - actual attack somewhere else?
| jazzyjackson wrote:
| or shake the machine and see what falls out - watch the
| access logs to find what individuals have the power to
| respond, target them for further spearphishing
| [deleted]
| redm wrote:
| This Newsweek article has a pretty good breakdown:
|
| "The Federal Bureau of Investigation (FBI) email system had
| reportedly suffered a hack on Saturday morning amid several
| reports of messages sent from the agency's email infrastructure
| purporting to be a warning from the Department of Homeland
| Security (DHS) about a cyberattack." [1]
|
| "The Spamhaus Project, an international nonprofit organization
| based in Andorra and Switzerland that tracks spam, reported on
| Twitter that its analysis had shown the unusual emails are being
| sent from accounts "scraped" from the American Registry for
| Internet Numbers (ARIN) database." [1]
|
| "Our telemetry indicates that there were two 'spam' waves, one
| shortly before 5 AM (UTC) [12.am. E.T.] and another one shortly
| after 7 AM (UTC) [2a.m. E.T.]. The FBI has been getting many
| calls about it. We are therefore refraining from further actions
| against the sending IP addresses." [1]
|
| [1] https://www.newsweek.com/fbi-email-system-reportedly-
| hacked-...
| xhkkffbf wrote:
| I hate to say it, but if I were to get an email from "fbi.gov", I
| would assume it belongs in the same pile as the great offers from
| that Nigerian prince. Even if I look at the headers, I wouldn't
| be convinced.
|
| Perhaps we should try harder to create a public key
| infrastructure for email.
| ClumsyPilot wrote:
| The fact that we can trust government communication about as
| much as messages from a Nigerian prince gets us a step closer
| to the kind of society that produces them.
| JKCalhoun wrote:
| Yeah, I would ignore an email like that. If it's so important to
| the (legitimate) FBI, they can make a house call.
|
| They know where I live, right?
| spzb wrote:
| > While the emails are indeed being sent from infrastructure that
| is owned by the FBI/DHS
|
| Well, that's reassuring
| bell-cot wrote:
| First reaction - if $Legit_and_Competent_Group believes that a
| bunch of my infrastructure is compromised, then why the h*ll
| would they alert me via e-mail? Especially an e-mail full of
| sensitive details, which has a fair chance of being read by the
| attackers first.
| IAmGraydon wrote:
| Lots of people commenting that the text of the email seems
| amateurish. Perhaps it's exactly as it should be, but you don't
| understand its purpose. Maybe they wanted this to be discussed on
| netsec forums everywhere, so that Google searches for "Vinny
| Troia" always lead back to discussion about this email, framing
| him as a cyber criminal and outranking legitimate posts about or
| by him - an online identity assassination. They needed the email
| to set off some alarm bells so that it would pique enough
| interest to be widely discussed. They appear to have widely
| targeted the email addresses of system admins. I'm fairly certain
| this was their intention.
|
| Also, does it strike anyone else as odd that the account that
| posted this to HN was created hours ago, for the sole purpose of
| starting this thread?
| oefrha wrote:
| > does it strike anyone else as odd that the account that
| posted this to HN was created hours ago, for the sole purpose
| of starting this thread?
|
| That is not odd. I also use throwaways to post potentially
| sensitive information, or information that might rub powerful
| institutions the wrong way.
|
| The rest of your post is within the realms of reason.
| chillingeffect wrote:
| Don't know of Vinny, but if he's a security guy, maybe one of
| his colleagues is pranking him? My college buddies did this
| kind of stuff to one another. They would die laughing at
| finding a way to legit send spam through the fbi.
| agency wrote:
| Love to commit high profile cyber crime that could land me in
| prison, as a prank.
| bink wrote:
| If this is (as it appears it might be) simply a reflection
| attack of some sort, I'm not sure what crime could've been
| committed. Or at least what computer crime could've been
| committed. Impersonating a federal official is about the
| only thing I can think of.
| [deleted]
| sodality2 wrote:
| This would get the book thrown at you in _any_ court of
| law. Hacking FBI email servers is what happened. The IP
| and subdomain are FBI.
| VRay wrote:
| I want to live in the techno-libertarian Utopia you think
| this is
| kelnos wrote:
| Like it or not, this seems like a pretty easy CFAA case.
| Sending email through a server you're not permitted to
| access sounds like it would constitute a CFAA violation.
| [deleted]
| blamazon wrote:
| If you look at Vinny Troia's YouTube channel, he gave a media
| interview regarding members of "TheDarkOrder" being arrested
| for ransomware.
|
| One potential explanation is that this is retaliation for same.
| sodality2 wrote:
| It's gotta be retaliation. See these reports about
| TheDarkOverlord that Vinny Troia has released:
|
| https://nightlion.com/blog/2021/infographic-
| thedarkoverlord-...
|
| https://nightlion.com/blog/2021/infographic-
| thedarkoverlord-...
| [deleted]
| fortran77 wrote:
| I can think of one very good purpose for this message:
|
| To publicly demonstrate that an FBI expert witness's "proof" of
| an email's authenticity at a criminal trial may not be all that
| reliable.
| feefree-cc wrote:
| We received and forwarded to various groups at FBI and DHS at the
| onset. The running theory here is IPv6 to IPv4 routing is the
| problem with this incident. Generic and trusted config as where
| any IPv6 arbitrarily "just works" to a trusted IPv4 block with
| existing rules. Most IPv6 implementations do not have the detail
| scrutiny in firewall rules to prevent or filter, and IDS this
| type of thing from happening.
| bink wrote:
| > Most IPv6 implementations do not have the detail scrutiny in
| firewall rules to prevent or filter, and IDS this type of thing
| from happening.
|
| This sentence is nonsensical. Any firewall that will pass IPv6
| can understand IPv6 enough to block it. And no firewall will
| default open for IPv6.
|
| The same goes for any IDS made in the last 15 years. But
| regardless, IDS doesn't block anything, it only detects (and
| likely wouldn't trigger solely on sending an email).
___________________________________________________________________
(page generated 2021-11-13 23:01 UTC)