
Fake Emails Sent From FBI Server Linked to “Ethical Hacker”; Security Researcher Accuses Him of Secret Double Life as a “Black Hat” Criminal

If one were to gain illicit access to the Federal Bureau of Investigation’s email servers, there are countless more valuable possibilities than using it to make fun of a particular cybersecurity researcher. But that is exactly what appeared to happen last week, as a blast of thousands of fake emails from ic.fbi.gov named security professional and author Vinny Troia as a member of TheDarkOverlord hacking group and the perpetrator of a botnet attack.

The initial explanation was that it was an ethical hacker having some fun pointing out a flaw in a law enforcement enterprise portal. However, after some further digging, Troia believes that he knows the identity of the hacker and that he is the owner of a “white hat” security service by day. By night, Troia claims the hacker is also affiliated with several different criminal groups and has used them to drum up business for his firm.

Fake emails from FBI only the beginning of a strange story

This bizarre story begins on the night of November 12, when the eims@ic.fbi.gov email address blasted out thousands of emails warning recipients about a “sophisticated chain attack” using “fastflux technologies” and “global accelerators.” While the content of the fake emails turned out to be nonsense, it was quickly verified that they were coming from a legitimate account at the FBI’s Criminal Justice Information Services division (CJIS).

KrebsOnSecurity was contacted shortly after by a hacker going by the name “pompompurin,” who took responsibility for the fake emails. The hacker said the attack was meant to point out a serious security flaw they had discovered in an intra-agency portal primarily used by the nation’s federal and local law enforcement agencies to share information.

The exploit was apparently not a sophisticated one. The portal had been set up to allow anyone to apply for an account. Applicants were expected to go through a screening process involving submitting personal information, but pompompurin found that a validation code was being leaked in the HTML code of the webpage. This allowed an attacker to send messages from “eims@ic.fbi.gov”, the validation address, with just a little tweaking of the email’s fields.

Paul Laudanski, Head of Threat Intelligence at Tessian, elaborates on how the fake emails were sent: “Analyzing publicly available DNS records, Tessian Research found that the Sender Policy Framework (SPF) record – which helps identify the mail servers that can send emails from any given domain – for the fbi.gov domain allows for all 65,000+ IP addresses that the FBI owns to legitimately send emails on its behalf. This means that had the FBI’s SPF records been more restricted, the compromised machine would probably have been observed as an SPF Fail, instead of an SPF Pass for receiving organizations that make use of this. Any organization that is not an email provider should restrict its allowed senders list, but for now, this is academic because of the huge list of IP addresses that the FBI permits to send emails on its behalf. In addition to the wide list of SPF records, bad actors took advantage of a vulnerability within the website itself, and in exploiting it, attempted to harm the FBI’s brand more than anything … Legitimate cybersecurity alerts from the FBI typically list indicators of compromise, discuss TTPs and provide tips for organizations to protect themselves. These fake emails sent to 100,000 users did not follow any of those standards, and also contained spelling mistakes, which is often a tell-tale sign of a scam email.”
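To make the SPF point concrete, here is an added example (not from the article or from Tessian) of how a receiving mail server evaluates the ip4/ip6/all mechanisms of an SPF record against the connecting IP. Both records and all addresses are constructed placeholders, not the real fbi.gov record: the broad record authorises an entire /16 (65,536 addresses), so a compromised host anywhere in that range gets an SPF Pass, whereas the restricted record lists only two outbound relays and returns Fail for the same host.

```python
import ipaddress

# Constructed records for illustration only; the real fbi.gov SPF record is
# not reproduced here. BROAD mirrors the problem described in the article: a
# whole /16 (65,536 addresses) may send mail. TIGHT lists only the
# organisation's actual outbound relays.
BROAD_SPF = "v=spf1 ip4:10.0.0.0/16 -all"
TIGHT_SPF = "v=spf1 ip4:10.0.5.10 ip4:10.0.5.11 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _split_term(term: str):
    """Return (qualifier, mechanism name, argument) for one SPF term."""
    qual = term[0] if term[0] in QUALIFIERS else "+"
    body = term[1:] if term[0] in QUALIFIERS else term
    name, _, arg = body.partition(":")
    return qual, name.lower(), arg


def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate an SPF record for sender_ip, offline.

    Returns the result of the first matching mechanism ("pass", "fail",
    "softfail" or "neutral"), or "neutral" if nothing matches. Mechanisms
    that need DNS lookups (include, a, mx, exists) are rejected explicitly
    rather than silently skipped, so the result is never misleading.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual, name, arg = _split_term(term)
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
            continue
        raise NotImplementedError(f"mechanism '{name}' needs DNS; unsupported here")
    return "neutral"


def count_allowed(record: str) -> int:
    """Count the IPv4 addresses a record authorises (qualifier '+' ip4 terms)."""
    total = 0
    for term in record.split()[1:]:
        qual, name, arg = _split_term(term)
        if qual == "+" and name == "ip4":
            total += ipaddress.ip_network(arg, strict=False).num_addresses
    return total


if __name__ == "__main__":
    compromised = "10.0.200.77"  # constructed: a host inside the /16, not a relay
    for label, rec in (("broad", BROAD_SPF), ("tight", TIGHT_SPF)):
        print(f"{label}: {count_allowed(rec)} addresses allowed, "
              f"compromised host -> {check_spf(rec, compromised)}")
```

Real SPF evaluation also has to follow include/a/mx terms via DNS, which is where most large organisations' records accumulate their excess range, so an audit of a live record should expand those terms too.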

That might end the story of the fake emails were it not for the seemingly gratuitous involvement of Vinny Troia, founder of security firms NightLion and Shadowbyte and author of the book “Hunting Cyber Criminals.” Troia built his reputation in part by investigating and exposing a number of criminal hacking groups that traffic on the dark web, including Dark Overlord and Shiny Hunters. Dark Overlord is infamous for extorting a number of major companies including Disney and Netflix, and Shiny Hunters is thought to be an offshoot group and has stolen source code and user records from Microsoft and Mashable among other big-name targets.

Security expert thinks hacker is playing both sides of the fence

Posting at the Shadowbyte blog, Troia lays out his case for believing that he knows the identity of pompompurin and that the fake emails were some sort of retribution or taunting for the work he described in “Hunting Cyber Criminals.”

Troia says that pompompurin messaged him just ahead of the launch of the fake emails, something the hacker had also done before issuing a fake blog post from the National Center for Missing and Exploited Children naming Troia as a child abuser. Troia says that pompompurin targeted him a number of times prior to this, with DDoS attacks on his website and a takeover of his Twitter account.

Troia believes that pompompurin is in reality Christopher Meunier, a 22-year-old from Calgary whom Troia has previously fingered as the ringleader of Dark Overlord and Shiny Hunters among other underground groups. Meunier is also the head of WhitePacket, a self-advertised “white hat” security firm that Troia believes has swept in to undo damage directly caused by Meunier’s illicit efforts.

One of Troia’s central pieces of evidence is that WhitePacket.com shares an IP address with another domain (og.money) that has been used to host pompompurin’s stolen data. He also cites conversations that contain information about a mutual acquaintance that pompompurin could not have known without being Meunier.

Pompompurin, who maintains an active Twitter account, denies the allegations and claims to have his own proof that he cannot possibly be associated with Whitepacket. The spat may ultimately be irrelevant, as Troia acknowledges, as Canada’s extradition laws for cyber crimes would likely prevent the US from getting to any of its residents.


The FBI says that no data was compromised in the attack, and that the damage was limited to the sending of the fake emails from the one vulnerable account. The agency says that it has remediated the software vulnerability.


Senior Correspondent at CPO Magazine