What just happened? It was recently discovered that an email warning of a complex cyber attack was a hoax sent through real FBI servers. The Spamhaus Project, an international organization providing cyber threat support to businesses and law enforcement agencies around the world, identified several thousand emails delivered in multiple waves early Saturday morning. Researchers and analysts at the organization believe these messages are only a small part of a larger campaign.
The fraudulent messages appeared to have been sent from the FBI’s law enforcement corporate portal using a valid FBI email address. Spamhaus Project analysts verified that the messages really did originate from the Bureau’s servers, citing both the actual IP address used and the email header information included in the message. The false notice, sent to legitimate addresses taken from the non-profit organization American Registry for Internet Numbers (ARIN), is believed to have reached at least 100,000 valid recipients.
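The verification Spamhaus describes, confirming where a message actually came from using the connecting IP address and the Received headers, is the same check a mail administrator can run on a suspicious message. The example below is added here for illustration; it is not Spamhaus's tooling or anything from the article. All host names, addresses and CIDR ranges in it are constructed placeholders, not the FBI's or Spamhaus's, and it makes one assumption worth stating: only the Received line stamped by your own boundary mail server can be trusted, because every Received line below it was already inside the message when it arrived and could have been written by the sender.

```python
import email
import ipaddress
import re

# Matches the bracketed IPv4 literal that MTAs put in Received headers,
# e.g. "from host.example (host.example [203.0.113.45])".
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: a genuine delivery. The bottom Received line was added
# by the sender's relay, the top two by the recipient's own servers.
# (Placeholder domains; not real infrastructure.)
GENUINE_RAW = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby inbound.recipient.example with ESMTP id abc123;
\tSat, 13 Nov 2021 05:02:11 +0000
Received: from portal.sender.example (portal.sender.example [203.0.113.45])
\tby mx.recipient.example with ESMTPS id def456;
\tSat, 13 Nov 2021 05:02:09 +0000
From: alerts@sender.example
To: abuse@recipient.example
Subject: Urgent: Threat actor in systems

Constructed body text.
"""

# Constructed sample: a forgery. The sender pre-loaded a fake Received line
# claiming an origin inside the expected network, but the line our own MX
# stamped shows the connection really came from somewhere else.
FORGED_RAW = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby inbound.recipient.example with ESMTP id ghi789;
\tSat, 13 Nov 2021 05:05:40 +0000
Received: from portal.sender.example (unknown [192.0.2.99])
\tby mx.recipient.example with ESMTP id jkl012;
\tSat, 13 Nov 2021 05:05:38 +0000
Received: from portal.sender.example (portal.sender.example [203.0.113.45])
\tby relay.sender.example with ESMTP id fake001;
\tSat, 13 Nov 2021 05:05:30 +0000
From: alerts@sender.example
To: abuse@recipient.example
Subject: Urgent: Threat actor in systems

Constructed body text.
"""


def received_ips(raw):
    """All bracketed IPs from the Received chain, newest hop first."""
    msg = email.message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IPV4_RE.search(" ".join(hdr.split()))
        if m:
            ips.append(m.group(1))
    return ips


def naive_origin_ip(raw):
    """The IP in the oldest Received line. Easy to forge; shown for contrast."""
    ips = received_ips(raw)
    return ips[-1] if ips else None


def connecting_ip(raw, trusted_mta):
    """IP of the peer that connected to our own boundary MTA.

    Walks the headers newest-first and stops at the first line our trusted
    server stamped ("by <trusted_mta>"); the "from" address in that line is
    the only origin evidence the sender could not have written themselves.
    """
    msg = email.message_from_string(raw)
    for hdr in msg.get_all("Received", []):
        value = " ".join(hdr.split())  # unfold continuation lines
        if f"by {trusted_mta}" in value:
            m = IPV4_RE.search(value)
            return m.group(1) if m else None
    return None


def origin_is_expected(raw, trusted_mta, expected_cidrs):
    """True if the trusted connecting IP lies in one of the expected ranges."""
    ip = connecting_ip(raw, trusted_mta)
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in expected_cidrs)


if __name__ == "__main__":
    # Constructed "expected sender" range for the placeholder domain.
    expected = ["203.0.113.0/24"]
    for label, raw in (("genuine", GENUINE_RAW), ("forged", FORGED_RAW)):
        print(label, "naive:", naive_origin_ip(raw),
              "trusted:", connecting_ip(raw, "mx.recipient.example"),
              "expected:", origin_is_expected(raw, "mx.recipient.example", expected))
```

On the genuine sample both methods agree on 203.0.113.45; on the forged sample the naive bottom-of-chain check is fooled into reporting the same address, while the trusted-hop check reports 192.0.2.99 and rejects the message. This header check complements, rather than replaces, SPF and DMARC evaluation, which is what makes a message sent through a legitimately configured server (as in this incident) so hard to distinguish from header data alone.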
While the message didn’t appear to include a malicious payload, it wasted no time trying to frame a leading cybersecurity expert for the event: it named Vinny Troia, Ph.D., founder of the dark web intelligence company Shadowbyte, as the threat actor behind the supposed attack. This is not the first time this type of attack has targeted him. In another recent incident involving the National Center for Missing Children site, an attacker gained access to the site’s blog and left a post accusing Troia of being a pedophile.
These emails look like this:
[Embedded tweet from Spamhaus showing a copy of the hoax email; image not reproduced here]
– Spamhaus (@spamhaus) November 13, 2021
The FBI has released a statement to Bleeping Computer indicating that no further information is currently available but … urging recipients to report suspicious activity when they identify it.
“The FBI and CISA are aware of this morning’s incident involving fake emails from an @ic.fbi.gov email account. This is an ongoing situation and we are unable to provide further information right now. We continue to encourage the public to pay attention to unknown senders and encourage them to report suspicious activity at www.ic3.gov or www.cisa.gov.”
The attack appears to be another in a sequence carried out by an individual (or group) going by the name “pompompurin”. Screenshots posted on Troia’s social media account confirm his earlier claims that he generally receives messages before any attack or attempt to discredit his reputation. In addition to this latest incident, Troia has been a constant target of the RaidForums hacking community, which has conducted several similar attacks in the past to deface websites and damage Troia’s credibility.
Image Credit: Spamhaus