Hundreds of thousands of fake warnings of cyberattacks sent from a hacked FBI email server
Threat actors hacked email servers of the FBI to distribute spam email impersonating FBI warnings of fake cyberattacks.
The email servers of the FBI were hacked to distribute spam email impersonating the Department of Homeland Security (DHS) warnings of fake sophisticated chain attacks from an advanced threat actor. The message tells the recipients that their network has been breached and that the threat actor has stolen their data.
“Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies trough multiple global accelerators. We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDarkOverlord” reads the message.
Curiously, the fake emails claim that the attack was carried out by a threat actor known as Vinny Troia, who but Troia i is the head of security research of threat intelligence firms NightLion and Shadowbyte.
The international nonprofit organization Spamhaus Project that monitors spam campaigns warned of emails that purport to come from the FBI/DHS. The fake warnings are apparently being sent to addresses scraped from ARIN database.
We have been made aware of “scary” emails sent in the last few hours that purport to come from the FBI/DHS. While the emails are indeed being sent from infrastructure that is owned by the FBI/DHS (the LEEP portal), our research shows that these emails *are* fake.
— Spamhaus (@spamhaus) November 13, 2021
These emails look like this:
Sending IP: 153.31.119.142 (https://t.co/En06mMbR88)
From: eims@ic.fbi.gov
Subject: Urgent: Threat actor in systems pic.twitter.com/NuojpnWNLh— Spamhaus (@spamhaus) November 13, 2021
The fake emails were sent from the IP address 153.31.119.142 (mx-east-ic.fbi.gov), the sender appears to be the Federal Bureau of Investigation’s Law Enforcement Enterprise Portal (LEEP) (eims@ic.fbi.gov).
Vinny Troia blamed a threat actor known as “pompomourin,” as the author of the attack.
Wow I can’t imagine who would be behind this. #thedarkoverlord aka @pompompur_in https://t.co/Xd6XoZNRnl
— Vinny Troia, PhD (@vinnytroia) November 13, 2021
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine