What just happened? An email warning of a complex cyber attack was recently found to be a hoax carried out using real FBI servers. The Spamhaus Project, an international organization that provides cyber threat support to companies and law enforcement agencies worldwide, identified several thousand emails delivered across multiple waves early Saturday morning. The organization's researchers and analysts believe these messages are only a small part of a larger attack.
The fraudulent messages appeared to be sent from the FBI's Law Enforcement Enterprise Portal using a valid FBI email address. Spamhaus Project analysts verified that the messages did originate from the Bureau's own servers, citing both the sending IP and the header information in the message. Because the mail left FBI infrastructure rather than being spoofed from a third-party server, sender-authentication checks such as SPF, which only confirm that the sending server is authorized for the domain, would not have flagged it. The fake warning, sent to legitimate addresses taken from the nonprofit American Registry for Internet Numbers (ARIN) database, is believed to have reached at least 100,000 valid recipients.
While the message did not appear to include a malicious payload, it wasted no time in attempting to frame a prominent cybersecurity expert for the event. Vinny Troia, Ph.D., the founder of the dark web intelligence company Shadowbyte, was named the threat actor behind the fake attack. It's not the first time this type of attack has targeted him. In another recent incident involving the National Center for Missing Children's site, an attacker accessed the site's blog and left a post accusing Troia of being a pedophile.
Spamhaus posted the key header fields of the message:
Sending IP: 153.31.119.142 (https://t.co/En06mMbR88)
From: eims@ic.fbi.gov
Subject: Urgent: Threat actor in systems
pic.twitter.com/NuojpnWNLh
--- Spamhaus (@spamhaus) November 13, 2021
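The check Spamhaus describes, pairing the connecting IP from the Received headers with the domain's SPF policy, is shown below as an added example; it is not code from the article, from Spamhaus or from the FBI. The From, Subject and sending IP are the values reported above; the Received line, hostnames, recipient, timestamp and the SPF record are constructed for the example (the real ic.fbi.gov SPF record is not reproduced here), and only ip4/ip6 mechanisms are evaluated so the code runs offline without DNS lookups.

```python
import ipaddress
import re
from email import message_from_string
from typing import Optional

# Constructed sample: From, Subject and the IP 153.31.119.142 are the values
# Spamhaus reported; the hostnames, recipient and timestamp are invented.
SAMPLE_HEADERS = """\
Received: from mx-east-ic.fbi.gov (mx-east-ic.fbi.gov [153.31.119.142])
\tby mail.example.net with ESMTPS; Sat, 13 Nov 2021 05:02:11 +0000
From: eims@ic.fbi.gov
Subject: Urgent: Threat actor in systems
To: abuse@example.net

"""

# Constructed contrast case: same From header, but relayed by an unrelated host
# (198.51.100.0/24 is a documentation range, so this is a plain spoof).
SPOOFED_HEADERS = """\
Received: from bulk-relay.example.org (bulk-relay.example.org [198.51.100.7])
\tby mail.example.net with ESMTPS; Sat, 13 Nov 2021 05:04:40 +0000
From: eims@ic.fbi.gov
Subject: Urgent: Threat actor in systems
To: abuse@example.net

"""

# Hypothetical SPF record standing in for the domain's real policy.
CONSTRUCTED_SPF = "v=spf1 ip4:153.31.119.0/24 -all"

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw_message: str) -> Optional[str]:
    """IP of the host that handed the message to our MX.

    Received headers are prepended at each hop, so the first one in the
    header block is the one our own MTA wrote; it is the only hop whose
    IP we can trust, since earlier Received lines are sender-controlled.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = RECEIVED_IP.search(received[0])
    return match.group(1) if match else None


def spf_result(ip: str, spf_record: str) -> str:
    """Minimal SPF evaluation over ip4/ip6 mechanisms and the 'all' terminator.

    Mechanisms that need DNS (a, mx, include, redirect) are rejected rather
    than silently ignored, so a result is never based on a half-read record.
    """
    addr = ipaddress.ip_address(ip)
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            return qualifiers[qual]
        mech, _, value = term.partition(":")
        if mech.lower() in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(value, strict=False):
                return qualifiers[qual]
        else:
            raise NotImplementedError(f"mechanism {mech!r} needs DNS lookups")
    return "neutral"  # record ended without an 'all' term


def triage(raw_message: str, spf_record: str) -> dict:
    """Summarise what sender authentication can and cannot tell us."""
    msg = message_from_string(raw_message)
    ip = connecting_ip(raw_message)
    result = spf_result(ip, spf_record) if ip else "none"
    return {
        "from": msg["From"],
        "subject": msg["Subject"],
        "connecting_ip": ip,
        "spf": result,
        # A pass authenticates the sending infrastructure, not the content:
        # mail injected through a domain's own servers passes just the same.
        "infrastructure_authentic": result == "pass",
    }


if __name__ == "__main__":
    for label, raw in (("reported", SAMPLE_HEADERS), ("spoofed", SPOOFED_HEADERS)):
        print(label, triage(raw, CONSTRUCTED_SPF))
```

The contrast between the two samples is the point: a third-party spoof of the same From address fails SPF and is easy to discard, while mail that genuinely left the domain's servers passes, so a pass tells the recipient only that the infrastructure is authentic, not that the message is trustworthy.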
The FBI released a statement to BleepingComputer saying that no additional information is available at this time, and urged recipients to report any suspicious activity they identify.
"The FBI and CISA are aware of the incident this morning involving fake emails from an @ic.fbi.gov email account. This is an ongoing situation and we are not able to provide any additional information at this time. We continue to encourage the public to be cautious of unknown senders and urge you to report suspicious activity to www.ic3.gov or www.cisa.gov."
The attack appears to be one more in a string carried out by an individual (or group) that goes by the name "pompompurin." Screenshots posted to Troia's social media account back his previous claims that he typically receives messages before any attack or attempt to discredit his reputation. In addition to this latest incident, Troia has been the constant target of the RaidForums hacking community, which has conducted several similar attacks in the past to deface websites and damage Troia's credibility.
Image credit: Spamhaus