If one were to gain illicit access to the Federal Bureau of Investigation’s email servers, there are countless more valuable possibilities than using it to make fun of a particular cybersecurity researcher. But that is exactly what appeared to happen last week, as a blast of thousands of fake emails from ic.fbi.gov named security professional and author Vinny Troia as a member of TheDarkOverlord hacking group and the perpetrator of a botnet attack.
The initial explanation was that it was an ethical hacker having some fun pointing out a flaw in a law enforcement enterprise portal. However, after some further digging, Troia believes that he knows the identity of the hacker and that he is the owner of a “white hat” security service by day. By night, Troia claims, the hacker is also affiliated with several different criminal groups and has used them to drum up business for his firm.
Fake emails from FBI only the beginning of a strange story
This bizarre story begins on the night of November 12, when the email@example.com email address blasted out thousands of emails warning recipients about a “sophisticated chain attack” using “fastflux technologies” and “global accelerators.” While the content of the fake emails turned out to be nonsense, it was quickly verified that they were coming from a legitimate account at the FBI’s Criminal Justice Information Services division (CJIS).
KrebsOnSecurity was contacted shortly after by a hacker going by the name “pompompurin,” who took responsibility for the fake emails. The hacker said the attack was meant to point out a serious security flaw they had discovered in an intra-agency portal primarily used by the nation’s federal and local law enforcement agencies to share information.
The exploit was apparently not a sophisticated one. The portal had been set up to allow anyone to apply for an account. Applicants were expected to go through a screening process involving submitting personal information, but pompompurin found that a validation code was being leaked in the HTML code of the webpage. This allowed an attacker to send messages from “firstname.lastname@example.org”, the validation address, with just a little tweaking of the email’s fields.
Paul Laudanski, Head of Threat Intelligence at Tessian, elaborates on how the fake emails were sent: “Analyzing publicly available DNS records, Tessian Research found that the Sender Policy Framework (SPF) record – which helps identify the mail servers that can send emails from any given domain – for the fbi.gov domain allows for all 65,000+ IP addresses that the FBI owns to legitimately send emails on its behalf. This means that had the FBI’s SPF records been more restricted, the compromised machine would probably have been observed as an SPF Fail, instead of an SPF Pass for receiving organizations that make use of this. Any organization that is not an email provider should restrict its allowed senders list, but for now, this is academic because of the huge list of IP addresses that the FBI permits to send emails on its behalf. In addition to the wide list of SPF records, bad actors took advantage of a vulnerability within the website itself, and in exploiting it, attempted to harm the FBI’s brand more than anything… Legitimate cybersecurity alerts from the FBI typically list indicators of compromise, discuss TTPs and provide tips for organizations to protect themselves. These fake emails sent to 100,000 users did not follow any of those standards, and also contained spelling mistakes, which is often a tell-tale sign of a scam email.”
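To make the SPF point concrete, here is an added example (not from the article, Tessian, or the FBI) of a small offline SPF evaluator. It checks a sender IP against an SPF record and tallies how many addresses a record authorizes, so an administrator can see why an over-broad record turns a compromised host's mail into an SPF Pass while a tight record turns it into a Fail. The two records, the "compromised host" and the "mail gateway" addresses are constructed from RFC 5737 documentation ranges, not the FBI's real DNS data; only the ip4/ip6 and all mechanisms are implemented, since include/a/mx need live DNS.

```python
import ipaddress

# Result names for the SPF qualifiers (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate a simplified SPF record against a connecting sender IP.

    Supports the ip4, ip6 and all mechanisms with their qualifiers. Mechanisms
    that need DNS lookups (include, a, mx, exists, ptr) are reported as
    'permerror' so this example runs without network access.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        # include/a/mx/exists/ptr would require DNS; out of scope here
        return "permerror"
    return "neutral"  # no mechanism matched and no 'all' present


def authorized_address_count(record: str) -> int:
    """Count addresses that ip4/ip6 terms with a pass qualifier authorize.

    Overlapping networks are counted twice; the purpose is a quick audit of
    how wide a record is, not an exact set size.
    """
    total = 0
    for term in record.split()[1:]:
        if term[0] in QUALIFIERS:
            if term[0] != "+":
                continue
            term = term[1:]
        name, _, arg = term.partition(":")
        if name.lower() in ("ip4", "ip6"):
            total += ipaddress.ip_network(arg, strict=False).num_addresses
    return total


# Constructed records (RFC 5737 documentation space), not real fbi.gov data.
BROAD_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/22 -all"
RESTRICTED_RECORD = "v=spf1 ip4:192.0.2.0/28 -all"
COMPROMISED_HOST = "198.51.100.77"  # hypothetical non-mail host on the network
MAIL_GATEWAY = "192.0.2.10"         # hypothetical legitimate outbound relay


def compare_policies(sender_ip: str) -> dict:
    """Show how the same sender is judged under the broad and tight records."""
    return {
        "broad": evaluate_spf(BROAD_RECORD, sender_ip),
        "restricted": evaluate_spf(RESTRICTED_RECORD, sender_ip),
    }


if __name__ == "__main__":
    print("broad record authorizes", authorized_address_count(BROAD_RECORD), "addresses")
    print("restricted record authorizes", authorized_address_count(RESTRICTED_RECORD), "addresses")
    print("compromised host:", compare_policies(COMPROMISED_HOST))
    print("mail gateway:", compare_policies(MAIL_GATEWAY))
```

Run against a real domain, `authorized_address_count` applied to the flattened record (after resolving any include terms) is the quick audit Laudanski describes: if the number is far larger than the count of hosts that actually relay mail, receivers will treat mail from any compromised host in that space as SPF Pass.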
That might end the story of the fake emails were it not for the seemingly gratuitous involvement of Vinny Troia, founder of security firms NightLion and Shadowbyte and author of the book “Hunting Cyber Criminals.” Troia built his reputation in part by investigating and exposing a number of criminal hacking groups that traffic on the dark web, including Dark Overlord and Shiny Hunters. Dark Overlord is infamous for extorting a number of major companies including Disney and Netflix, and Shiny Hunters is thought to be an offshoot group and has stolen source code and user records from Microsoft and Mashable among other big-name targets.
Security expert thinks hacker is playing both sides of the fence
Posting at the Shadowbyte blog, Troia lays out his case for believing that he knows the identity of pompompurin and that the fake emails were some sort of retribution or taunting for the work he described in “Hunting Cyber Criminals.”
Troia says that pompompurin messaged him just ahead of the launch of the fake emails, as the hacker had done before issuing a fake blog post from the National Center for Missing and Exploited Children naming Troia as a child abuser. Troia says that pompompurin targeted him a number of times prior to this, with DDoS attacks on his website and a takeover of his Twitter account.
Troia believes that pompompurin is in reality Christopher Meunier, a 22-year-old from Calgary whom Troia has previously fingered as the ringleader of Dark Overlord and Shiny Hunters among other underground groups. Meunier is also the head of WhitePacket, a self-advertised “white hat” security firm that Troia believes has swept in to undo damage directly caused by Meunier’s illicit efforts.
One of Troia’s central pieces of evidence is that WhitePacket.com shares an IP address with another domain (og.money) that has been used to host pompompurin’s stolen data. He also cites conversations that contain information about a mutual acquaintance that pompompurin could not have known without being Meunier.
Pompompurin, who maintains an active Twitter account, denies the allegations and claims to have his own proof that he cannot possibly be associated with WhitePacket. The spat may ultimately be irrelevant, as Troia acknowledges, since Canada’s extradition laws for cyber crimes would likely prevent the US from getting to any of its residents.
The FBI says that no data was compromised in the attack, and that the damage was limited to sending fake emails from one vulnerable account. The agency says it has remediated the software vulnerability.