This past weekend, someone managed to send thousands of fake emails from a real FBI mail server warning of a cyberattack — and they appear to have done it without needing to hack anything.
Instead, the miscreant claimed in a conversation with independent security researcher Brian Krebs, all it took was legitimately changing a couple of items in the source code of the web page where you could apply to sign up for the FBI's Law Enforcement Enterprise Portal (LEEP) informational service. The FBI is blaming this incident on a "software misconfiguration."
There's nothing you need to do to avoid this phony message, as the FBI has taken the LEEP sign-up page offline while it fixes the problem. But the incident shows how a poorly set-up website can allow anyone with a basic knowledge of web functions to create a convincing online scare.
The scary threat is coming from inside the server
"Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack," read the phony warning sent from an FBI mail server, which sounds scary but is really just a bunch of cybersecurity buzzwords strung together nonsensically.
"We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies trough [sic] multiple global accelerators."
The message, legitimately sent from the email address firstname.lastname@example.org and bearing the subject line "Urgent: Threat actor in systems", went out in two waves in the evening of Nov. 12 and early morning of Nov. 13, the spam-tracking agency Spamhaus told Bleeping Computer, adding that at least 100,000 mailboxes received the email.
"The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails," the bureau posted Sunday (Nov. 14) on its regular website.
"While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI's corporate email service. No actor was able to access or compromise any data or PII [personally identifiable information] on the FBI's network."
The message also tried to defame well-known security researcher Vinny Troia, claiming that he was behind the phony attacks. Troia has gotten in online tussles with cybercriminals, who in turn claim that he's no more ethical than they are. We don't know enough about the details to form an opinion about these accusations.
As the messages were being sent out, someone calling themselves "Pompompurin" contacted Krebs and claimed credit for the scary spam emails. They told Krebs it was all made possible by an incredibly dumb registration process built into the LEEP sign-up page.
"This is a horrible thing to be seeing on any website," Krebs quotes Pompompurin as telling him. "I've seen it a few times before, but never on a government website, let alone one managed by the FBI."
How the email 'hack' seems to have worked
As many online services do during the signup process, LEEP sends a test email message to the email address you registered with, including a secret code.
That's to confirm that you really are signing up for the service and aren't just some naughty kid signing you up for unwanted emails. The secret code is something you give to the operator at an FBI telephone number you call to finish the signup process.
So far, so good. Here's what seems to be the dumb part: According to Pompompurin, the LEEP signup page generates that confirmation email message and secret code ON YOUR MACHINE, using your browser.
Your browser then uses an HTTP POST request to send the message information, along with all the personal details you've just filled in, back to the FBI website. The web server passes along the details of the confirmation email message to the FBI's mail server, which in turn sends the message to your email address.
But, said Pompompurin, you can view the LEEP signup page's source code (Control+U in Chrome), including the email message your browser has generated and the POST request your browser uses to send the message to the FBI's server.
You can then use the browser's own tools (Control+Shift+I in Chrome) to change the contents of the email message, or even change who receives the message, before it's sent to the FBI's mail server.
This is because when you're looking at a web page, you're not viewing a file on a far-off server. Instead, you're looking at a file the far-off server sent to your machine, which put the file in your browser cache. The browser opens the file in the browser cache and presents its contents to you.
Because the file is already on your machine, you can alter the file and view the results of your changes in your browser. But the changes you make aren't normally supposed to be sent back to the far-off server that sent you the original file in the first place. Unfortunately, the way the LEEP sign-up page was structured let you do exactly that.
"Basically, when you requested the confirmation code [it] was generated client-side, then sent to you [your email address] via a POST request," Pompompurin told Krebs. "This POST request includes the parameters for the email subject and body content."
This sounds complicated, but it's not, and it's not a hack. There was no password cracking or software alteration involved. Pompompurin did exactly what the FBI's LEEP signup page was apparently designed to do.
It's just that whoever designed the system never stopped to think that someone might have a look at the page's source code and use built-in browser tools to edit the contents and recipients of the message.
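The design flaw described above, sketched as an added example (this is not the FBI's code, which has not been published). The form field names `email`, `subject` and `body`, the function names and the in-memory `pending` store are all assumptions. The first handler mails whatever the POST body carries; the second takes only a validated address from the client and produces the code and message text on the server.

```python
import hashlib
import hmac
import re
import secrets

# Server-owned template: the client never supplies subject or body text.
SUBJECT = "Confirm your account request"
BODY = "Your confirmation code is {code}. Give it to the operator to finish signing up."
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (assumption)
pending = {}                           # email -> MAC of issued code; stand-in for a DB


def _mac(code):
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).hexdigest()


def build_confirmation_trusting(form):
    """The pattern described above: every mail field comes from the POST body."""
    return {"to": form["email"], "subject": form["subject"], "body": form["body"]}


def build_confirmation_hardened(form):
    """Take only the address from the client; subject, body and code are server-side."""
    email = form.get("email", "")
    # fullmatch rejects CR/LF and anything else outside the pattern (header injection).
    if len(email) > 254 or not ADDRESS_RE.fullmatch(email):
        raise ValueError("invalid email address")
    code = f"{secrets.randbelow(10**8):08d}"
    pending[email] = _mac(code)        # store a MAC of the code, not the code itself
    return {"to": email, "subject": SUBJECT, "body": BODY.format(code=code)}


def verify_code(email, code):
    """Single-use, constant-time check of the code the applicant reads back."""
    expected = pending.pop(email, None)
    return expected is not None and hmac.compare_digest(expected, _mac(code))


# Constructed sample: a POST body whose mail fields were edited in the browser.
TAMPERED = {"email": "someone@example.com",
            "subject": "edited subject", "body": "edited body"}

if __name__ == "__main__":
    print(build_confirmation_trusting(TAMPERED))   # mails the edited text as-is
    print(build_confirmation_hardened(TAMPERED))   # edited fields are ignored
```

A production handler would also rate-limit requests per address and per client, since even a fixed-template message can be abused to flood a mailbox.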
"Hackers didn’t hack into the server — they tricked the server," wrote security expert Rob Graham in a blog post about this incident Nov. 14. "They [i.e., Pompompurin] didn’t break into the server. Any data on the server is still safe. Hackers just caused account creation requests with customized data."
Pompompurin used a client-side script to automate sending emails to those thousands of recipients, although it's not clear whether they harvested the email addresses or somehow tapped into a database of everyone who had signed up for LEEP emails.
"I could've 1000% used this to send more legit-looking emails, trick companies into handing over data etc.," Pompompurin told Krebs.
Now, when you click through on the LEEP website to apply for an account, you just get a warning message that "there was a problem processing your request" and are given a phone number to call.