Hacker hits FBI’s web portal and sends 100,000 spam emails


The Federal Bureau of Investigation (FBI) has suffered a hack of its Law Enforcement Enterprise Portal (LEEP), a gateway giving law enforcement agencies, criminal justice entities and intelligence groups access to additional resources, which allowed a threat actor to send over 100,000 spam emails from a real FBI address.

The FBI released a statement on Saturday that they “and CISA are aware of the incident this morning involving fake emails from an @ic.fbi.gov email account” and that “The impacted hardware was taken offline quickly upon discovery of the issue”.  

The agency further stated in an update that “a software misconfiguration” had “allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails”, but that it had “quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks”.

The FBI assured the public that “No actor was able to access or compromise any data or PII on the FBI’s network”. 

The spam emails 

The spam emails were initially picked up by Spamhaus, an international spam-tracking organisation based in Andorra, and shortly afterwards confirmed to be spam. Spamhaus further confirmed that it had detected “two spikes caused by the fake warning last night” when analysing traffic from the FBI mail server.

The spam emails claim that FBI “intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack” and that the FBI would take 4 hours to intervene, which “could be enough time to cause severe damage to your infrastructure”.

The spam emails contained multiple spelling and grammatical mistakes, as well as a collection of improperly used and nonsensical jargon that might fool a non-technical reader, including “fastflux technologies” that are proxied “trough multiple global accelerators”. They were signed off as the U.S. Department of Homeland Security's Cyber Threat Detection and Analysis Group, despite that group not having existed for the past two years.

Regarding these emails, the FBI has encouraged “the public to be cautious of unknown senders and urge you to report suspicious activity” to either ic3.gov or cisa.gov.

Identity of threat actor 

The emails claim that Vinny Troia, a cyber security researcher, was responsible for the non-existent cyber attack, stating that he is linked to a supposed “extortion gang” called “TheDark0verlord”. Mr Troia is often blamed for minor website defacements and general cyber mischief as an ongoing meme in some hacking circles.

Mr Troia himself was previously caught up in controversy in 2018 over how he handled data and engaged with threat actors, which seems to have fed this meme.

Mr Troia tweeted in response, alleging that a Twitter account using the handle @pompompur_in was responsible for the spam emails. He posted screenshots of messages recently exchanged between the two, including one where @pompompur was seemingly irritated at Mr Troia for gaining at least 200 followers since the cyber event.

In addition, Mr Troia has claimed that he had received “a precursor to the @FBI spam attack”; however, this tweet actually came an hour after the spam attack and appears benign.

When Sky News reached out to the user of the @pompompur_in account regarding the allegation, the user confirmed they were involved in the FBI web portal spam by saying: “I was”. When asked if they had any concerns about the reaction from law enforcement due to this FBI spam attack, the threat actor told Sky News that “It was inevitable that they would come after me one day”. 

The exploit 

In an interview with KrebsOnSecurity, the apparent threat actor, going by Pompompurin, stated that the motive behind the hack was to expose a glaring vulnerability in the FBI’s system caused by bad coding. Essentially, the LEEP portal allowed anyone to apply for an account, and step-by-step instructions for registering a new account on the LEEP portal are available on the DOJ’s website.

Notably, Step 1 of the instructions states that users should visit the site in Microsoft’s Internet Explorer, an outdated web browser that reaches its end of life in June 2022 and whose use Microsoft has actively discouraged in recent years.

After filling out forms with the applicant’s personal and contact details as well as their organisation, applicants receive a confirmation email from [email protected] containing a one-time passcode. However, according to Pompompurin, the FBI’s website leaked the passcode in the HTML source of the web page.

Apparently, the hack was made possible by unsanitised parameters. The threat actor claimed that “when you requested the confirmation code [it] was generated client-side, then sent to you via a POST Request” and that “This post request includes the parameters for the email subject and body content”. From there, a simple script could replace those parameters with a subject and body of the threat actor’s choosing and automate sending of the message to numerous email addresses.
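To make the defect concrete, here is an added illustration (not LEEP code or anything from the FBI or KrebsOnSecurity) of a confirmation-email handler that trusts the client-supplied code, subject and body, beside a hardened version that generates the code server-side, uses a fixed template and never echoes the code back to the browser. The mail server and the request forms are constructed stand-ins.

```python
import secrets
import time

OUTBOX = []          # stand-in for the mail server: (to, subject, body) tuples
PENDING = {}         # email -> server-side code (hypothetical store; real code needs expiry)
SEND_LOG = {}        # source address -> timestamps of recent confirmation requests
RATE_LIMIT = 5       # max confirmations per source per window (constructed value)
WINDOW_SECONDS = 3600
TEMPLATE = "Your account confirmation code is {code}. It expires in 15 minutes."

def send_mail(to, subject, body):
    OUTBOX.append((to, subject, body))

def vulnerable_confirm(form):
    """Insecure pattern described in the article: the one-time code is generated
    client-side, and the subject/body come straight from the POST parameters, so
    the server is effectively an open mail relay under its own sender address."""
    code = form["code"]
    send_mail(form["email"], form["subject"], form["body"])
    return {"status": "sent", "code": code}      # code also leaks back into the page

def hardened_confirm(form, source_addr, now=None):
    """Only the recipient address is taken from the request. The code is generated
    server-side, the message text is a fixed template, the code is stored for later
    verification rather than returned, and bulk sending from one source is throttled."""
    now = time.time() if now is None else now
    recent = [t for t in SEND_LOG.get(source_addr, []) if now - t < WINDOW_SECONDS]
    if len(recent) >= RATE_LIMIT:
        return {"status": "rate_limited"}
    email = form.get("email", "")
    if "@" not in email or len(email) > 254 or "\n" in email or "\r" in email:
        return {"status": "invalid_recipient"}   # also blocks header injection
    code = secrets.token_hex(4)                  # never derived from client input
    PENDING[email] = code
    SEND_LOG[source_addr] = recent + [now]
    send_mail(email, "Account confirmation", TEMPLATE.format(code=code))
    return {"status": "sent"}                    # the code is not in the response

def verify(email, submitted):
    """Constant-time check of the code the user types back in."""
    expected = PENDING.get(email)
    return expected is not None and secrets.compare_digest(expected, submitted)
```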

The threat actor also acknowledged that this vulnerability could have been leveraged for phishing attacks, saying “I could’ve 1000% used this to send more legit looking emails, trick companies into handing over data” and that it “would’ve never been found by anyone who would responsibly disclose, due to the notice the feds have on their website”.

Calling the vulnerability “a horrible thing to be seeing on any website”, the threat actor stated that he’d never seen it “on a government website, let alone one managed by the FBI” before.
