Federal Bureau of Investigation email servers were compromised and then used to send fraudulent messages mimicking FBI warnings that the recipient’s systems were breached and data was stolen.
The emails came from a legitimate FBI email address, eims@ic.fbi.gov, and the subject read “Urgent: Threat actor in systems.” All of them were sent from the FBI’s own mail server, IP address 153.31.119.142 (mx-east-ic.fbi.gov). Because the messages really did originate from FBI infrastructure, the sender address and sending host gave recipients no reason to doubt them, which lent the campaign a significant amount of credibility. The body of the message reads:
Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies trough multiple global accelerators. We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDarkOverlord, We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure.
Stay safe,
U.S. Department of Homeland Security | Cyber Threat Detection and Analysis | Network Analysis Group
The emails falsely claim that “a sophisticated chain attack” was carried out by Vinny Troia, a security researcher. The spam appears to be an attempt to smear him. Troia has suggested that the messages are the work of “pompompurin,” a self-described “threat actor on the internet,” with whom he has had an ongoing feud. “The last time they [pompompurin] hacked the national center for missing children’s we site (sic) blog and put up a post about me being a pedophile,” Troia claimed. A few hours before the spam campaign began, pompompurin contacted Troia with a one-word message: “enjoy.”
According to the FBI, a software misconfiguration on the Law Enforcement Enterprise Portal (LEEP) allowed the attacker to send the fake emails through the FBI’s own mail system. The issue was remediated shortly after the FBI became aware of the incident, and the FBI stated that no data or PII on its network was accessed or compromised. The lesson for recipients is that a message coming from a legitimate domain and a legitimate mail server is not proof that its content is genuine: when an unexpected email demands urgent action, verify the claim through a channel you already know to be trustworthy rather than through anything in the message itself.
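The following Python script is an added example, not code from the original post or from Fordham IT. It triages a constructed message modeled on the header details described above (sender address, MX host, IP address and subject; the body text is a placeholder, not the real message) and shows why the two checks must be kept separate: the sending-infrastructure check passes, exactly as it would have for the real campaign, while simple content heuristics still flag the message. The ASSUMED_SENDING_NETWORKS allowlist is an assumption that stands in for an SPF lookup (which would need DNS), and the ORG_DOMAINS mapping is a small illustrative table, not an authoritative list.

```python
"""Triage a suspicious e-mail: a passing sender-infrastructure check is not enough.

Added example (not code from the original post or from Fordham IT).
The sample message is constructed to mirror the headers the post reports;
its body is a placeholder.
"""
import ipaddress
import re
from email import message_from_string
from email.policy import default

# Constructed sample message (not a captured one).
SAMPLE_EML = """\
Received: from mx-east-ic.fbi.gov (mx-east-ic.fbi.gov [153.31.119.142]) by mail.example.edu with ESMTPS; Sat, 13 Nov 2021 05:00:00 +0000
From: eims@ic.fbi.gov
To: admin@example.edu
Subject: Urgent: Threat actor in systems
Content-Type: text/plain; charset=utf-8

Our intelligence monitoring indicates exfiltration of several of your
virtualized clusters in a sophisticated chain attack. We identified the
threat actor to be an individual believed to be affiliated with an
extortion gang. We highly recommend you to check your systems.

Stay safe,
U.S. Department of Homeland Security | Cyber Threat Detection and Analysis | Network Analysis Group
"""

# ASSUMPTION: stand-in for an SPF lookup. Maps a registered domain to the
# networks allowed to send mail for it. Only the single IP from the post is listed.
ASSUMED_SENDING_NETWORKS = {"fbi.gov": ["153.31.119.142/32"]}

# ASSUMPTION: illustrative table of organisation names that may appear in a
# signature block and the domain their mail would be expected to come from.
ORG_DOMAINS = {
    "homeland security": "dhs.gov",
    "federal bureau of investigation": "fbi.gov",
}

URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours?)\b", re.I)
VERIFICATION = re.compile(r"https?://|\(\d{3}\) ?\d{3}-\d{4}|\bcase\b", re.I)


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if none)."""
    m = re.search(r"@([\w.-]+)", msg["From"] or "")
    return m.group(1).lower() if m else ""


def originating_ip(msg):
    """IP recorded in the outermost Received: header (the one our own MTA added)."""
    for hdr in msg.get_all("Received") or []:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr)
        if m:
            return ipaddress.ip_address(m.group(1))
    return None


def infrastructure_check(msg, networks=ASSUMED_SENDING_NETWORKS):
    """True when the originating IP is allowed to send for the From: domain.

    This is the check that passed for the real campaign: the mail came from
    a genuine FBI server, so an SPF-style test has nothing to object to.
    """
    dom, ip = sender_domain(msg), originating_ip(msg)
    if ip is None:
        return False
    for registered, nets in networks.items():
        if dom == registered or dom.endswith("." + registered):
            return any(ip in ipaddress.ip_network(n) for n in nets)
    return False


def content_indicators(msg):
    """Content-level flags that do not depend on who delivered the message."""
    flags = []
    subject = msg["Subject"] or ""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    if URGENCY.search(subject) or URGENCY.search(body):
        flags.append("urgency")
    # Signature names an organisation whose mail would not come from the From: domain.
    signature = body.strip().splitlines()[-1].lower()
    for org, expected in ORG_DOMAINS.items():
        if org in signature and not sender_domain(msg).endswith(expected):
            flags.append("signature_org_mismatch")
            break
    # No case number, phone number or URL through which the claim could be verified.
    if not VERIFICATION.search(body):
        flags.append("no_verification_channel")
    return flags


def triage(raw):
    """Run both checks and return the evidence a helpdesk would want to see."""
    msg = message_from_string(raw, policy=default)
    flags = content_indicators(msg)
    return {
        "sender_domain": sender_domain(msg),
        "originating_ip": str(originating_ip(msg)),
        "infrastructure_ok": infrastructure_check(msg),
        "content_flags": flags,
        "report_to_security_office": bool(flags),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The point of the split is the last two fields: `infrastructure_ok` is true and `report_to_security_office` is also true. A mail gateway that stops at sender authentication would deliver this message; a reporting workflow that looks at content, or simply a recipient who verifies the claim out of band, is what catches it.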
If you receive questionable or suspicious emails, contact IT Customer Care and allow the University Information Security Office (UISO) to validate the legitimacy of these emails.
You may also report potential phishing and malicious emails with one click from your Fordham Gmail safely and in real-time with the Cofense Reporter Gmail add-on. You can learn more about Cofense here: https://itsecurity.blog.fordham.edu/2018/10/04/introducing-cofense-reporter/