Hacked FBI email server sent out fake cyberattack warnings
A Federal Bureau of Investigation (FBI) email server was used to send fake cyberattack warnings to at least 100,000 mailboxes. According to Spamhaus, a nonprofit spam-tracking organization, the fake email warns that a threat actor named Vinny Troia (in reality a security researcher whom the hoax falsely accused) has stolen data from the recipient's device. Spamhaus further confirmed that the emails were indeed sent from infrastructure owned by the FBI/DHS.
These emails look like this (as posted by Spamhaus):
Sending IP: 153.31.119.142 (https://t.co/En06mMbR88)
From: [email protected]
Subject: Urgent: Threat actor in systems
Source: Spamhaus (@spamhaus), November 13, 2021
On November 13, 2021, the FBI released a statement saying: “The FBI and CISA are aware of the incident this morning involving fake emails from an @ic.fbi.gov email account. This is an ongoing situation, and we are not able to provide any additional information at this time. The impacted hardware was taken offline quickly upon discovery of the issue. We continue to encourage the public to be cautious of unknown senders and urge you to report suspicious activity to ic3.gov or cisa.gov.”
The FBI later released a second statement: “The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners. While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”
According to an article by investigative journalist Brian Krebs, who spoke with the threat actor, the LEEP signup process leaked the one-time passcode generated for a new account in the HTML of the web page itself, and the confirmation email was built from parameters supplied in the client's request. By manipulating those request parameters, the threat actor could make the portal send messages with his own subject and body, and a script automated the sending. Because the messages genuinely left FBI infrastructure, sender-authentication checks such as SPF and DKIM would not have flagged them; the authentic origin that Spamhaus confirmed is exactly what made the hoax convincing.
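The two coding defects Krebs describes, reconstructed as an added example (this is not the FBI's code, which is not public; the handler names, parameter names, sender address and HTML templates are assumptions for illustration). A flawed signup handler embeds the freshly generated one-time passcode in the HTML it returns and builds the confirmation email from client-supplied parameters; the hardened handler beside it keeps the passcode server-side and uses a fixed email template, so the same automated blast against it produces only genuine confirmation messages.

```python
"""Reconstruction of the signup flaw pattern described by Krebs, next to a
hardened version.  Pure Python, no web framework; everything here is an
illustrative assumption, not the actual LEEP implementation.
"""
import hmac
import secrets
from dataclasses import dataclass

SENDER = "notifications@portal.example.gov"  # assumed stand-in for the portal's sender
FIXED_SUBJECT = "Your confirmation code"


@dataclass
class Email:
    sender: str
    recipient: str
    subject: str
    body: str


@dataclass
class Pending:
    otp: str          # server-side record of the code we expect back


def new_otp() -> str:
    return f"{secrets.randbelow(10**6):06d}"


def vulnerable_signup(params: dict, store: dict) -> tuple[str, Email]:
    """Flawed handler.

    Defect 1: the freshly generated OTP is written into the HTML returned to
              the browser, so the client learns it without reading any email.
    Defect 2: subject and body of the confirmation email come from the
              request, so the client dictates what the server sends.
    """
    otp = new_otp()
    store[params["email"]] = Pending(otp)
    html = (f"<form method='post'>"
            f"<input type='hidden' name='expected_otp' value='{otp}'>"
            f"<input name='otp'><button>Confirm</button></form>")
    email = Email(SENDER, params["email"],
                  params.get("subject", FIXED_SUBJECT),
                  params.get("body", f"Your one-time passcode is {otp}"))
    return html, email


def hardened_signup(params: dict, store: dict) -> tuple[str, Email]:
    """Same flow with both defects removed: the OTP exists only in the
    server-side store and in the email, and the email is a fixed template."""
    otp = new_otp()
    store[params["email"]] = Pending(otp)
    html = ("<form method='post'>"
            "<input name='otp' placeholder='code from your email'>"
            "<button>Confirm</button></form>")
    email = Email(SENDER, params["email"], FIXED_SUBJECT,
                  f"Your one-time passcode is {otp}")
    return html, email


def verify(params: dict, store: dict) -> bool:
    """Server-side check of the submitted code, constant-time comparison."""
    pending = store.get(params.get("email", ""))
    if pending is None:
        return False
    return hmac.compare_digest(pending.otp, params.get("otp", ""))


def hoax_blast(handler, recipients, subject, body) -> list[Email]:
    """What the reported automation amounts to: call the signup endpoint once
    per target with attacker-chosen text and collect what the server sends."""
    return [handler({"email": r, "subject": subject, "body": body}, store={})[1]
            for r in recipients]


if __name__ == "__main__":
    targets = ["a@example.org", "b@example.org"]       # constructed sample targets
    for handler in (vulnerable_signup, hardened_signup):
        for mail in hoax_blast(handler, targets, "Urgent: Threat actor in systems", "hoax"):
            print(handler.__name__, "->", mail.recipient, "|", mail.subject)
```

The hardened version still lets anyone trigger a confirmation email to any address, which is inherent to self-service signup; what it removes is the attacker's control over the message text and the leak of the code the server will later accept, which together are what turned a notification endpoint into a mass-mailing tool.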
References
- https://www.fbi.gov/news/pressrel/press-releases/fbi-statement-on-incident-involving-fake-emails
- https://krebsonsecurity.com/2021/11/hoax-email-blast-abused-poor-coding-in-fbi-website/