Spam from real FBI address: Hacker cracks US Federal Police – and uses the server for his own purposes

Wrong warning

The hacker had taken over the mail server with simple means (symbolic image)

© gorodenkoff / Getty Images

Usually a warning email from the FBI is cause for concern. On the weekend, however, the US Federal Police suddenly sent spam emails with a false warning. Behind it was the work of a skilled hacker.

It was an unusual mail that numerous US citizens found in their mailboxes on Saturday (local time). It warns of a possible attack on the recipient’s system. The reason many were actually scared was the sender: the mail came from an official server of the US federal police, the FBI. In fact it had been sent by a hacker who wanted to draw attention to a problem.

The spam campaign from the police server was discovered on Saturday. Screenshots of the message quickly made the rounds on Twitter. Just as quickly, attention was drawn to the fact that it was very likely a false warning. The suspect named in the mail, Vinny Troia, is himself active in the security business, most recently investigating the extortion group Dark Overlord. However, that would not have been clear to every one of the more than 100,000 recipients. Because the mail came directly from a government email address, most spam filters also appear not to have filtered it out. The FBI initially issued only a brief statement confirming the problem and declaring that the relevant server had been taken offline.

Serious gap

After brief puzzling over the perpetrator and the motives, security expert Brian Krebs soon shed light on the matter on his blog “Krebs on Security”. He had received a personal message from the perpetrator, also sent from the hacked address. The hacker, who calls himself only Pompompurin, explained that he wanted to point out a glaring hole in the server behind the FBI website.

Through the loophole, he was able to hijack a process in which a user is actually supposed to have a confirmation email sent to them by the website. By means of a simple manipulation, he could instead determine the content of the mail himself and also choose the destination address. Eventually he managed to automate the process. The FBI has since confirmed the flaw, but stressed that at no point had anyone had access to the data stored on the server.
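To make the flaw described above concrete, here is an added example (not code from the article, from the FBI or from Krebs’ report): a contrived confirmation-mail handler that trusts the subject, body and recipient submitted with the web form, next to a hardened version that reads only the address and builds the whole message server-side. All names, the sample form and the account list are constructed for illustration.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample input: the kind of form a browser would POST.
# A client can add or alter any field, so nothing here is trustworthy.
ATTACKER_FORM = {
    "email": "victim@example.invalid",
    "subject": "Urgent: your systems are compromised",
    "body": "Attacker-chosen text signed as if by the site operator",
}


@dataclass
class OutboundMail:
    to: str
    subject: str
    body: str


def vulnerable_send_confirmation(form: dict) -> OutboundMail:
    """The pattern the article describes: recipient, subject and body are
    copied straight from the request, so whoever submits the form writes
    the mail, and it leaves the site's own mail server."""
    return OutboundMail(to=form["email"], subject=form["subject"], body=form["body"])


# --- hardened version (hypothetical design, not the real fix) ---------------
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAX_PER_ADDRESS = 3                  # per-address cap to blunt automation
_sent_count: Dict[str, int] = {}     # constructed in-memory rate-limit store

SUBJECT_TEMPLATE = "Your one-time confirmation code"
BODY_TEMPLATE = "Your confirmation code is {code}. It expires in 10 minutes."


def hardened_send_confirmation(form: dict, registered_accounts: Set[str]) -> Optional[OutboundMail]:
    """Only the address is read from the request. It must be syntactically
    valid (the regex admits no CR/LF, so header injection is ruled out too),
    belong to an existing account, and stay under the send cap. Subject and
    body come from fixed server-side templates; the code is generated here.
    Returns the mail that would be sent, or None if nothing is sent."""
    to = form.get("email", "")
    if not EMAIL_RE.fullmatch(to):
        return None
    if to not in registered_accounts:
        # In a real handler the HTTP response would look identical to the
        # success case, so the form cannot be used to enumerate accounts.
        return None
    if _sent_count.get(to, 0) >= MAX_PER_ADDRESS:
        return None
    _sent_count[to] = _sent_count.get(to, 0) + 1
    code = f"{secrets.randbelow(10**6):06d}"
    return OutboundMail(to=to, subject=SUBJECT_TEMPLATE, body=BODY_TEMPLATE.format(code=code))


def reset_rate_limit() -> None:
    """Helper for tests and demos: clear the constructed rate-limit store."""
    _sent_count.clear()


if __name__ == "__main__":
    print("vulnerable:", vulnerable_send_confirmation(ATTACKER_FORM))
    print("hardened, unknown recipient:", hardened_send_confirmation(ATTACKER_FORM, {"user@example.invalid"}))
    print("hardened, known recipient:", hardened_send_confirmation({"email": "user@example.invalid"}, {"user@example.invalid"}))
```

The point of the contrast is that the hardened handler leaves the client no field that ends up in the message except the address, and even that is checked against the site's own records. A per-address cap and a server-generated code address the automation the article mentions; a real deployment would also log each send so that a burst of confirmation requests is visible to the operators.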

“I’ve seen something like this a couple of times on websites, but never on government websites, and certainly not one that is operated by the FBI,” the hacker told Krebs in amazement. “I could have used that 1000 percent to send more legitimate-looking emails and persuade companies to give out their data,” he believes. “Nobody would ever have found out.”


However, the hacker did not reveal why he named Troia in the mail. Screenshots of his Twitter direct messages, published by Troia himself, show that a user named Pompompurin mocked him with the action. Troia had already pointed to Pompompurin as a possible perpetrator in remarks to the news site “Bleeping Computer” before Krebs’ article was published. He suspects a connection with the darknet portal “RaidForums”, which is said to have targeted him again and again. We could soon know more: Troia announced on Twitter that he would unmask Pompompurin in the near future. Should it come to that, the hacker faces a lot of trouble – with the FBI of all agencies.

Sources: Krebs on Security, Bleeping Computer
