Thousands of people received fake emails from the FBI last week, after a hacker infiltrated their external email system – though no personal information was accessed during the attack.
The emails, which warn of a non-existent cyberattack, appear to come directly from the FBI, and it's likely that the hacker extracted the targeted addresses from an online database. Fortunately, no personal information was accessed or compromised during the attack – though the FBI has called the incident an "ongoing situation".
The Spamhaus Project shared one of the spam emails on Twitter and analyzed its headers to determine that the hacker in question had accessed the FBI's Law Enforcement Enterprise Portal (LEEP) to send the bogus communications.
LEEP is not a part of the FBI's corporate email service, and is instead used to communicate with state and local officials. In fact, the spam emails came from a server used to push LEEP notifications.
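Tracing a message back to a specific sending host, as Spamhaus did here, is done from the message headers rather than from the body. The Python script below is an added example, not code from the article or from Spamhaus, of the same triage a defender performs on a reported message: walk the Received: chain to find the relay the message originated from, compare the From: and Return-Path: domains, and check the originating relay against a table of the domain's known corporate mail servers. All hostnames, addresses and the expected-relay table are constructed placeholders; nothing in it identifies the real LEEP server.

```python
"""Header triage for a suspected spoofed notification email.

Added example (hypothetical): all hostnames, addresses and the EXPECTED_RELAYS
table are constructed placeholders, not data from the incident.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Leading "from <host>" clause of a Received: trace header.
RECEIVED_FROM = re.compile(r"^from\s+([A-Za-z0-9.\-]+)", re.IGNORECASE)

# Constructed: the hosts a defender knows to be the legitimate corporate mail
# servers for a domain. Any other host sending on that domain's behalf is
# worth a closer look, even when it belongs to the same organisation.
EXPECTED_RELAYS = {
    "agency.example.gov": {"mail1.agency.example.gov", "mail2.agency.example.gov"},
}

# Constructed sample: From: and Return-Path: agree, so a plain domain
# comparison passes, but the oldest Received: hop shows the message left a
# notification-push host rather than one of the corporate mail servers.
SUSPICIOUS_RAW = """\
Return-Path: <noreply@agency.example.gov>
Received: from mx1.recipient.example (mx1.recipient.example [192.0.2.10])
\tby inbox.recipient.example with ESMTP id abc123;
\tSat, 01 Jan 2022 00:00:03 +0000
Received: from push.portal-notify.agency.example.gov (push.portal-notify.agency.example.gov [198.51.100.7])
\tby mx1.recipient.example with ESMTPS id def456;
\tSat, 01 Jan 2022 00:00:02 +0000
From: "Agency Alerts" <alerts@agency.example.gov>
To: analyst@recipient.example
Subject: Urgent: threat actor in your systems

Constructed body text.
"""

# Constructed sample of a message that took the expected path.
LEGIT_RAW = SUSPICIOUS_RAW.replace(
    "push.portal-notify.agency.example.gov", "mail1.agency.example.gov"
)


def received_chain(msg):
    """Relay hosts named in Received: headers, oldest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())  # collapse folded header lines
        match = RECEIVED_FROM.match(unfolded)
        if match:
            hops.append(match.group(1).lower())
    hops.reverse()  # each relay prepends its header, so the last one is the origin
    return hops


def sender_domain(msg, header):
    """Domain part of the address in the given header, or None."""
    _, addr = parseaddr(msg.get(header, ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def triage(raw, expected_relays=EXPECTED_RELAYS):
    """Summarise where the message came from and flag inconsistencies."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    origin = hops[0] if hops else None
    from_domain = sender_domain(msg, "From")
    rp_domain = sender_domain(msg, "Return-Path")
    findings = []
    if from_domain != rp_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    if origin and origin not in expected_relays.get(from_domain, set()):
        findings.append(f"origin relay {origin} is not a known mail server for {from_domain}")
    return {
        "origin": origin,
        "hops": hops,
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("legit", LEGIT_RAW)):
        result = triage(raw)
        print(f"[{label}] origin={result['origin']} hops={result['hops']}")
        for finding in result["findings"] or ["no findings"]:
            print("   -", finding)
```

The point of the second check is that domain-level comparisons (and SPF, which passes for any host the domain has authorised) do not catch a message sent from legitimate but unexpected infrastructure; only the originating relay in the Received: chain, compared against what the organisation's mail normally looks like, does.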
Thousands of addresses received fake emails – and it's likely that the hacker gathered some of these addresses from the American Registry for Internet Numbers database. The emails themselves warn recipients of an impending cyberattack, with a subject line taken directly from FBI infrastructure and a body of text overstuffed with technical language.
Fortunately, the FBI issued a brief statement claiming that the hacker did not access internal databases or agency networks, and did not compromise any state secrets or classified personal information.
"Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks."
The objective behind the attack currently remains unclear, as the emails lack the call to action found in most phishing attempts. It has been theorized that the hacker may have discovered the LEEP vulnerability by chance.
The individual may have simply intended to impress underground groups of like-minded cybercriminals. Alternatively, though the vulnerability was not exploited for financial gain, it's possible that they used the fake emails as targeted smear tactics in response to a cybersecurity investigation.
The messages mention the Dark Overlord hacking group, infamous data thieves who often demand large ransoms, and claim that Vinny Troia is the "threat actor" (hacker/culprit). Troia, the founder of Night Lion Security, published detailed research on the criminal Dark Overlord gang in 2020 – and even exposed the identity of a hacker over the course of the report.
According to the FBI, the hardware impacted by the incident has been taken offline – and the Bureau also recommends that any suspicious emails be reported to ic3.gov or cisa.gov.
Once again, it's incredibly fortunate that no identifiable data was compromised or used in follow-on attacks; a hacker with access to a government email system could have abused that position to affect thousands of individuals. Cybersecurity experts are now asking why the FBI's LEEP portal was so easily infiltrated.
The incident also underlines the persistent threat of phishing, a scam often conducted via email that accounts for around 90% of all data breaches. An estimated 3.4 billion phishing emails are sent out each day, and the sheer volume of attacks increased by 20% in 2021.
These scams often leverage the names and reputations of well-known organizations, like the FBI and other government bodies, to scare victims into handing over their personal information or financial details.
The fault in our emails
Emails are, unfortunately, just not that secure – they weren't designed with privacy in mind, and cases like these further underscore that reality.
Sent emails are stored in plaintext on a server and, as such, we can only hope that our email providers and IT administrators don't decide to take a peek for themselves. There's no guarantee that emails containing sensitive information or vital financial or personal details will be kept safe in transit or at rest, and there's no way to recall sent emails, either.
Additionally, we now know that Google scans emails to collect information about its users and create detailed profiles – which are then used for advertising revenue, and can even be valuable to invasive (and data-hungry) agencies like the NSA.
The good news
There are reliable alternatives available, however, and plenty of security-minded email providers offer peace of mind and privacy in return for a small subscription fee.
These providers don't scan emails, don't serve heaps of advertisements, and utilize end-to-end encryption to keep user correspondences out of the hands of nosy providers, the NSA, and any opportunistic hackers looking to impress their friends.