We have been made aware of "scary" emails sent in the last few hours that purport to come from the FBI/DHS. While the emails are indeed being sent from infrastructure that is owned by the FBI/DHS (the LEEP portal), our research shows that these emails *are* fake.
I continue to see Twitter as an invaluable real time news source. It often seems to have more direct information on breaking topics than other mediums. I often discover news on Twitter well before seeing it on other platforms.
You can mitigate this, at least partially, if you go into your account settings and deselect “show me personalized content and ads”; this paired with ublock origin can do wonders.
I think this is a quirk of spoken English that's made its way onto the page as part of the "yes, but" construction. The latter part is emphasized to highlight the contrast to the first clause.
Yes, these emails are coming from the FBI's infrastructure, but they are not legitimate.
The email domain where the messages originate is from some sort of federated identity management system that was created in 2010 (here is a proposal deck [0] with technical details). Found this program simply by searching Google for the sending domain.
Based on the guide for using this system [1] (see step 15), it looks like this specific email address is the one that sends automated confirmation emails upon registration. Perhaps someone was able to inject a message instead of the regular canned text through some sort of reflection attack? This explains why replies to the message result in a canned response. The system also now appears to be temporarily down. So it’s getting some sort of attention (internally taken down (most likely) or maybe denial of service from the abuse).
The Reddit thread suggests the recipients’ emails are likely ARIN IP range contacts. Those are very available from tools like this [2] so nothing interesting with that, but the real question is WHY someone would do this at all? This was clearly given some thought (on who to send this to who would actually take the time to verify the headers) but given the sloppiness of everything else, is this just a script kiddie flex? Whoever it is pissed off the FBI and gained absolutely nothing.
I would assume they're recommending Edge now. We switched from IE to Edge around that time, and our company is very security conscious because of our clients.
I would assume you're wrong. I don't think you appreciate how many government websites run ancient software sold to them by a politician's cousin, who thinks even having a developer on staff is a waste of money.
They also run ancient shit that was promoted internally. Not to mention how many sites/tools are outsourced to vendors who then outsource development to foreign development vendors.
To clarify, this is concerning from a security standpoint and is not out of xenophobic bigotry.
"Enter your official business email address...Do not use hyphens or dashes in the social security number (SSN#) and Date of Birth fields....Enter your employer’s information in the “Employer” fields"
Oh, fun. Connected to a treasure trove of LEO personal info.
The twitter link[0] posted in another thread appears to show a copy of the attacker's email. It looks like the attacker sent the email in a bid to lay down psychological cover fire in order to get sysadmins to work with an attacker who would identify themselves as "TheDarkOverlord".
The Russians would likely try to exploit such an e-mail to gain something more tangible or if their goal was to make the FBI look inept they would send the message to a much wider audience.
Not the OP, but, well, just as it could've been Russians, it could be North Koreans, Chinese, or anyone else. As a Russian, the comment just seemed unnecessary, though I'm obviously biased.
>Do you honestly not believe that Russia enlists hackers to poke at the seams in the US?
No, but I believe you should have some evidence before you start accusing them. Otherwise it is very much the "blame Russia" type comment that poster was mocking.
It's not xenophobia when their legal system incentivizes hacking foreigners and hacks just happen to keep popping up from Russia. Nor is pointing out blatantly obvious trends "left".
Lots of people commenting that the text of the email seems amateurish. Perhaps it’s exactly as it should be, but you don’t understand its purpose. Maybe they wanted this to be discussed on netsec forums everywhere, so that Google searches for “Vinny Troia” always lead back to discussion about this email, framing him as a cyber criminal and outranking legitimate posts about or by him - an online identity assassination. They needed the email to set off some alarm bells so that it would pique enough interest to be widely discussed. They appear to have widely targeted the email addresses of system admins. I’m fairly certain this was their intention.
Also, does it strike anyone else as odd that the account that posted this to HN was created hours ago, for the sole purpose of starting this thread?
Don't know of Vinny, but if he's a security guy, maybe one of his colleagues is pranking him? My college buddies did this kind of stuff to one another. They would die laughing at finding a way to legit send spam through the fbi.
If this is (as it appears it might be) simply a reflection attack of some sort, I'm not sure what crime could've been committed. Or at least what computer crime could've been committed. Impersonating a federal official is about the only thing I can think of.
Like it or not, this seems like a pretty easy CFAA case. Sending email through a server you're not permitted to access sounds like it would constitute a CFAA violation.
This Newsweek article has a pretty good breakdown:
"The Federal Bureau of Investigation (FBI) email system had reportedly suffered a hack on Saturday morning amid several reports of messages sent from the agency's email infrastructure purporting to be a warning from the Department of Homeland Security (DHS) about a cyberattack." [1]
"The Spamhaus Project, an international nonprofit organization based in Andorra and Switzerland that tracks spam, reported on Twitter that its analysis had shown the unusual emails are being sent from accounts "scraped" from the American Registry for Internet Numbers (ARIN) database." [1]
"Our telemetry indicates that there were two 'spam' waves, one shortly before 5 AM (UTC) [12.am. E.T.] and another one shortly after 7 AM (UTC) [2a.m. E.T.]. The FBI has been getting many calls about it. We are therefore refraining from further actions against the sending IP addresses." [1]
I received this at 1:07 AM PST to my work sysadmin account. It passed Barracuda and Office 365 spam filters.
Initially I felt a surging panic when I realized the source IP was indeed FBI, especially considering one of our close partners recently buckled under a ransomware attack they refused to pay, and thus had to rebuild from backups over a period of two weeks.
Smells mostly bogus now with no links to a status page and so many others reporting the exact same sloppy email, but how did they know to email me and other sysadmins, and how did they send from an FBI IP address?
Did the "one of our close partners [who] recently buckled under a ransomware attack" have contact details for "[you] and other sysadmins", to target the emails?
Are you listed on any contacts or WHOIS? One of my friends got it to every single possible ARIN POC - abuse, noc, any named users for their IP space, and any emails that could be found for their domain.
I find it fascinating that one can be intelligent enough to be able to do something like this but they just couldn’t put together a coherent enough email to actually fool you, especially because they seem to have a decent enough command of English. The tone is waaaaaay off though.
Perhaps the human effort needed to see their goals through requires that they filter for only the targets that would fall for such a poorly constructed effort.
The big unanswered question there is: Why go through the effort of making the headers real, if you want to intentionally filter out the kind of people who would look at them?
We're talking in hypotheticals of course, but the effort to make headers real isn't just to fool people who would inspect, but also to fool corporate spam filters and email clients that would display big bold warnings over such an email.
Just because you are intelligent in one field doesn’t necessarily mean you are intelligent in others. I personally need to rewrite text 4-5 times for RFC/Proposal PRs. I would assume English isn’t their native language, but it’s on the line between good and correct.
Probably not a literal get out of jail free card, but it gives you a lot of options to impede the investigation.
From what I can tell, investigations are composed of a large network of loosely connected groups that need to coordinate to win.
The game is to use it to interrupt communications between loosely affiliated parties in the investigation. You're not going to convince the director of the FBI to drop it, but you probably could wreak havoc on the investigation by sending emails allegedly from the FBI to the labs, local law enforcement, etc. Don't tell them to drop it, just redirect them to something less useful. "Oh, we don't need those reports right now, prioritize analyzing <something you know isn't helpful>". Try to get local PD to go knocking on doors or something that won't help, but isn't too obviously unhelpful.
You could also try to make the various groups mad at each other to reduce cohesion.
It's probably not going to keep you out of jail, but it buys you some time.
If the FBI offers you immunity in exchange for implicating yourself in a crime, then they can't retroactively retract that offer after you've already confessed. This is true even in cases where the defendant was improperly offered immunity. And emails from an organization's domain name are generally legally binding.
The FBI doesn’t offer immunity. The DOJ does. There’s also usually a signed document called a “proffer letter” or a “Queen for a Day” agreement that’s signed by an AUSA. I’m not sure an email would pass muster. Maybe it would, but it would certainly be a very big departure from the norm.
Fair. But if the FBI gave someone a cryptographically signed offer of immunity and the person then confessed, you don't think the case would get thrown out?
First reaction - if $Legit_and_Competent_Group believes that a bunch of my infrastructure is compromised, then why the h*ll would they alert me via e-mail? Especially an e-mail full of sensitive details, which has a fair chance of being read by the attackers first.
My guess would be that there is some integration point somewhere to EIMS that allows requesting/granting some access & takes the email template from submitted form.
I still don't quite understand hackers: doing such high-profile hacking and writing lame texts even without much fact checking (about agency divisions in this case). If written in a more professional way, this attack could be way more effective.
Also, is it a thing among "hackers" to write with tons of mistakes? A part of culture maybe? Or to scare the bricks out of people? )
According to the phishing training I was mandated to take at work if you are stupid enough to overlook the mistakes you are the right target. According to them the misspellings filter out the smart enough people they don’t want talking to. But that could also be nonsense.
Ignoring this specific case where it seems especially unlikely, that's always seemed like someone worked backwards and overthought it to me, "the spelling mistakes, they have to mean something".
I don't think there is a binary smart population and dumb population to optimise around, for every step down, some people who are otherwise convinced become hesitant and waste time, and some of that group become totally unconvinced.
In this podcast episode with the founder of conversational AI, he describes the need to make spelling mistakes (and correct them) in order to help establish that the bot is actually a human.
I think making subtle spelling mistakes is a much clearer sign that someone is human. The imperfection without correction makes it more believable. I still think the hackers could stand to take a creative writing workshop.
The argument is that the hacker’s operational costs are massively dominated by the manual work of social engineering, so they have a huge incentive to filter out people who are less responsive to social engineering.
If you accept that some people are more credulous than others, it becomes the best strategy to optimize for only talking to people who believe you.
I think higher level ways get dangerous. Contacting the FBI directly to try and get money might make it easier to find you. Trying to sell it or other information to a foreign entity is also risky because you can't be sure they won't turn you over.
I’ve worked in government and contracted for Fortune 500 companies. Never have I seen an email that was written like Trump’s Tweets. I’m sure it happens, but I don’t think it’s common.
I'd have guessed that it should be possible to get a reasonable amount of $ for selling access to FBI email servers but maybe the person(s) behind the attack don't care much about money.
Along with the weeding described by others, this could also be a public proof of concept, with a much more sophisticated back-door left for whenever the clean up is done.
I wonder if, similar to automatically choosing alternate synonyms, small spelling errors throw off naive spam detectors while remaining perfectly readable?
Or shake the machine and see what falls out - watch the access logs to find which individuals have the power to respond, target them for further spearphishing.
What are they gonna do in response, bankroll somebody to say they have a tape of Russian hookers peeing on you? The FBI is famously inept at anything beyond questionably legal political games, so much so that the Secret Service was in charge of enforcing telecommunications related law for the longest time.
We received and forwarded to various groups at FBI and DHS at the onset. The running theory here is IPv6 to IPv4 routing is the problem with this incident. Generic and trusted config as where any IPv6 arbitrarily “just works” to a trusted IPv4 block with existing rules. Most IPv6 implementations do not have the detail scrutiny in firewall rules to prevent or filter, and IDS this type of thing from happening.
> Most IPv6 implementations do not have the detail scrutiny in firewall rules to prevent or filter, and IDS this type of thing from happening.
This sentence is nonsensical. Any firewall that will pass IPv6 can understand IPv6 enough to block it. And no firewall will default open for IPv6.
The same goes for any IDS made in the last 15 years. But regardless, IDS doesn't block anything, it only detects (and likely wouldn't trigger solely on sending an email).
Lack of the full body and some headers mentioned in the DKIM-Signature header makes it impossible to verify DKIM authenticity. Had (reddit) OP not cut out their Authentication-Results headers, we would know how their MTA's anti-forgery mechanisms saw this alleged message.
But, assuming that what's on reddit is true, this is interesting. It looks like the FBI attempting to discredit a researcher (which I doubt, because this would be one of the dumbest ways to do so) or maybe someone gained enough access to the FBI's infra to at least bounce a message by their systems without it looking so (but earlier Received headers do not suggest that the message originated from outside the network).
EDIT: Another idea is that OP's systems may be so compromised already that someone simply created an FBI-looking message on their system and it never touched the network.
But still... the FBI don't speak to you like this and wouldn't overprovide information like this.
The only time I've seen the FBI talk like this is when they already have a trusted relationship with you and an open channel and they're off the record.
Just because a server is coerced into sending an email that is signed, it does not mean it is from the FBI.
The point here isn't whether this is real or fake. The news is that someone is able to impersonate an email as coming from the FBI with all of the correct email headers with DKIM signing. I'm speculating here, but this probably means they might have control of one of the FBI subdomains.
"Email from FBI", and the Nigerian FBI office at that... Reminded me: a professor at a Moscow university a couple of months ago received a call from the Russian Central Bank advising him that his account in some bank was being actively targeted by scammers/hackers, and that he needed to temporarily transfer the money to the special holding account the Central Bank rep provided, so the professor did. Some time later the scammers started to target the professor's condo: a police agent called him, informing him about it and asking for help to catch the scammers. When the scammers came with the prepared documents for the condo sale, the professor would need to play the part as if he didn't know it was a scam, sign the documents, receive the money and after that hand the money over as evidence to the special agents in the car near the condo building. And the professor did as he was told. So far: no money, no condo, no bank account with the significant sum of money...
Or as our corporate anti-phishing/etc. training - which was forced upon us again last month - instructs: "Got a call from John from company A? Hang up and call the public phone number of company A and ask for John."
> Hang up and call the public phone number of company A and ask for John
Some time ago a HN user was approached by the CIA/FBI like this (they wanted help with a software he wrote). They told him to look up the public number for the agency and ask for agent whatever.
From what I'm reading in that news article and the explanation you wrote above, this seems like a fairly complicated and comprehensive scam.
It's interesting to note how, when someone gets caught up in a scam, they don't step back and think "Woah, this doesn't make sense". Giving documents to a police officer? Special agents in another building?
This always seems to happen, too. I watch scambaiters on YouTube with refund scams, and you end up with an old lady drawing figures upwards of £10,000 out of the bank, then putting it into a box, mailing it to them... Mind you, they tend to prefer the older people because they're more gullible.
The hackers have the ability to originate legit emails from ic.fbi.gov and they blow it on a spammy phishing campaign with broken English? What a waste.
Sounds about right. A blue chip I work with had a successful phish against them - the attacker ended up with access to the email inbox of an HR person.
So they tried basic, stupid 419 type scams, with broken English.
They could have pried the entire org wide open - she had masses of private data in her inbox, enough to impersonate or social engineer your way to anywhere.
But instead, they blew it - and blew it so badly the client spent days investigating what this could have been a distraction for, as they pretty much couldn’t believe their luck at the minimal severity of the attack.
It’s like breaking into the federal reserve, thinking it’s a 7/11, and then stealing the ballpoint pens from the cashiers desks.
Either way, it was a helpful experience for them - a vaccination against further stupidity, and they all of a sudden started engaging on their ISMS with gusto and panache.
The other episode that springs to mind is the hackers who managed to compromise the Twitter accounts of the likes of Obama and Elon Musk, but used it to promote a shitty Bitcoin gifting scam, which netted them an easily traced $100k and a prison sentence. Probably the scammers promoting the same sort of scheme in the comments with legal fake accounts make more money.
I’ve heard it said, “if criminals were any smarter they wouldn’t be criminals” - but of course it's a selection bias, because smart criminals don’t get caught; you only hear about the dumb ones.
If you work with police, you'll hear no end of dumb criminal stories. My favorite was the guy who coated his fingers with glue so he wouldn't leave fingerprints at the scene - then peeled off the glue and dropped the peelings in the trash on his way out. Leaving perfect fingerprints.
Except that the OP did not post all the information to verify.
The IP address does belong to fbi.gov (both forward and reverse DNS lookups check out).
The DKIM public key does exist at the given selector [0], but without the complete raw message, it is not possible to verify the signature. He also excluded the authentication-result header from his post.
I hate to say it, but if I were to get an email from "fbi.gov", I would assume it belongs in the same pile as the great offers from that Nigerian prince. Even if I look at the headers, I wouldn't be convinced.
Perhaps we should try harder to create a public key infrastructure for email.
The fact that we can trust government communication about as much as messages from a Nigerian prince gets us a step closer to the kind of society that produces them.
There is this line from the movie Michael Clayton that I basically assume every time I see something like this: ‘Client: (phone rings) That’s the police, isn’t it? MC: No, they don’t call.’ Or in this case, they don’t email.
The only vaguely reliable item in an email header is the last IP in the square brackets inserted by your mailserver saying where it thinks it "Received from".
Note that in this case it is:
Received: from dap00040.str0.eims.cjis
(dap00040.str0.eims.cjis [10.66.2.72])
and that 10.X.X.X is an un-routable address (unless you are part of the originating network). Since I'm not part of the FBI I would strongly suspect someone was misrepresenting their address to my mailserver.
Adding that I really don't know jack about this. Sec is not an interest of mine, so please, experts, straighten out any misconceptions I am propagating.
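As an added illustration of the two header-triage points raised in this thread (the earlier comment that DKIM cannot be verified when the body and some of the headers named in the signature are missing, and this comment's reading of the Received chain), here is a small Python script; it is not from the Reddit post or from any commenter. Only the internal hop line `dap00040.str0.eims.cjis [10.66.2.72]` is taken from the thread; the outer relay (a documentation-range address standing in for a public one), the DKIM `d=`/`s=` values, the hashes and the mail addresses are constructed placeholders.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers. Only the internal-hop line is the one quoted in
# the thread; the outer relay (203.0.113.0/24 is a documentation range used
# here as a stand-in for a public address), the DKIM d=/s= values, the hashes
# and the addresses are placeholders, not values from the real message.
SAMPLE_HEADERS = """\
Received: from mx-edge.example.net (mx-edge.example.net [203.0.113.10])
\tby mail.recipient.example (Postfix) with ESMTPS id PLACEHOLDER1
\tfor <noc@recipient.example>; Sat, 13 Nov 2021 05:04:00 +0000
Received: from dap00040.str0.eims.cjis
\t(dap00040.str0.eims.cjis [10.66.2.72])
\tby mx-edge.example.net with ESMTP id PLACEHOLDER2; Sat, 13 Nov 2021 05:03:58 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.gov;
\ts=selector-placeholder; h=From:To:Subject:Date:Message-ID;
\tbh=BODYHASHPLACEHOLDER=; b=SIGNATUREPLACEHOLDER=
From: "Placeholder Sender" <sender@example.gov>
To: noc@recipient.example
Subject: Urgent: Threat actor in systems
Date: Sat, 13 Nov 2021 05:03:00 +0000
"""

BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# RFC 1918 plus loopback and link-local: an address in one of these ranges
# cannot have reached us over the public Internet, so a hop carrying it was
# written inside some network (or typed in by whoever supplied the header).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_non_routable(ip):
    return any(ip in net for net in NON_ROUTABLE)


def parse_dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags


def dkim_verifiability(msg):
    """Say whether the signature could even be checked from what was posted:
    every header named in h= must be present, and the body is needed for bh=."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return {"present": False, "verifiable": False}
    tags = parse_dkim_tags(sig)
    signed = [h for h in tags.get("h", "").split(":") if h]
    missing = [h for h in signed if msg.get(h) is None]
    body = msg.get_payload()
    has_body = isinstance(body, str) and body.strip() != ""
    return {
        "present": True,
        "domain": tags.get("d"),
        "selector": tags.get("s"),
        "signed_headers": signed,
        "missing_headers": missing,
        "has_body": has_body,
        "verifiable": not missing and has_body,
    }


def received_chain(msg):
    """Received headers top-down: the first was written by the receiving MTA
    itself and is the only one it can vouch for; every line below it arrived
    with the message and may describe internal hops or be forged outright."""
    hops = []
    for raw in msg.get_all("Received", []):
        match = BRACKET_IP.search(raw)
        ip = ipaddress.ip_address(match.group(1)) if match else None
        hops.append({
            "raw": " ".join(raw.split()),
            "ip": str(ip) if ip is not None else None,
            "non_routable": ip is not None and is_non_routable(ip),
        })
    return hops


def triage(raw_message):
    msg = message_from_string(raw_message)
    hops = received_chain(msg)
    # The first publicly routable hop from the top is the relay that actually
    # connected to us; that is the address worth checking in WHOIS and rDNS.
    first_public = next(
        (h for h in hops if h["ip"] and not h["non_routable"]), None)
    return {"dkim": dkim_verifiability(msg), "hops": hops,
            "first_public_hop": first_public}


if __name__ == "__main__":
    report = triage(SAMPLE_HEADERS)
    print("DKIM:", report["dkim"])
    for hop in report["hops"]:
        print("hop", hop["ip"], "non-routable" if hop["non_routable"] else "public")
    print("Hop to check in WHOIS/rDNS:", report["first_public_hop"]["ip"])
```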
Tangentially related, but the FBI needs to be disbanded. At least the DC offices, which are simply a political police force at this point. This is just another example of incompetence on their part.
So what would you suggest to replace it? Obviously there needs to be some federal law enforcement agency...
And as much as their past has portions that are super fucked up, wasn't that also a reflection of American society at the time?
I just think that for as much harm as the FBI historically caused, they've also busted enormous criminal rings and done a lot to reduce organized crime. I genuinely think Americans would be worse off without them, even with my bias as a leftist that typically loathes alphabet soup surveillance agencies.
The FBI has known about nearly every mass shooter for the past 20 years, they've leaked numerous investigations and raids to the press for political reasons, they sit on evidence for political reasons, they target domestic journalists for political reasons, they lied to FISA courts for political reasons, and they've been sitting on exculpatory evidence for political reasons, they've been sicced on parents at school boards for political reasons.
I am guessing "Anyone who gets seriously close to threatening the FBI's existence will get extrajudicially prevented from doing so"?
For a lawmaker, you don't even have to do anything legally or (particularly) morally questionable like killing them - just entrap them and have them lose their jobs. https://en.wikipedia.org/wiki/Abscam
If you do catch them and it's too public to go after you for retribution, they'll sell a federal judiciary seat to someone willing to erase it.
One of Trump's 2017 judicial appointments in the ND of Texas dismissed the civil suit against the FBI, DOJ, and Comey by name for organizing the "ISIS" mass shooting in Garland, TX in 2015. We know they organized it because local cops caught an undercover in the parking lot who was waiting on the shooters to arrive. [1] He had to identify himself as undercover to stop the local cops from shooting him. [2] A security guard who was shot in the incident brought the civil suit against the feds, discovery produced text messages showing the same undercover FBI agent giving the shooters instructions. The FBI also had to remove flags from databases so the shooters could pass background checks for gun purchases.
And before anyone falls for the knee-jerk tendency of thinking one political party is different from the other, the judge who dismissed the case on her first day was a stalled Obama appointment to the same seat before she was a Trump appointment confirmed for that seat. And the person who blew the whistle on the FBI paying people to recruit and train domestic "terrorists" said they began doing so when Obama took office in 2009.
They're not extraordinary claims, they're well established and part of a pattern. Unless you haven't paid attention to their scandals over the past ~40 years you should be well aware that the FBI's primary means of moving along politically hot-button cases is to cause a politically hot-button crime to occur. [1]
> ... FBI agent texted one of the shooters before the event, "tear up Texas." [2]
> In an affidavit filed in another case the government disclosed that the FBI undercover agent had actually "traveled to Garland, Texas, and was present... at the event." [3]
> Last month (article from August 2018), the stately Belo Mansion in downtown Dallas was home to an event many have been anticipating for over a decade: the investiture of Judge Karen Gren Scholer as a federal judge for the Northern District of Texas. It was one of those rare occasions in today’s hyperpartisan environment when local jurists, elected officials and ordinary citizens from both sides of the aisle had cause for celebration — the March 7 swearing-in of a highly respected jurist who is the first Asian-American U.S. district judge in Texas. [4]
Note the date here, that judge was sworn in on March 7, 2018. What did she do on March 8, 2018? Send a message not to sue the FBI, that's what... [5]. It should be noted that the Dallas Morning News is not a left leaning publication, to the contrary it's chock full of neocons, hence the hagiography written for this judge appointed to put in a fix for a 3 letter agency. No one outside of one DC blog seemed to notice that on her first day in the ND of Texas a brand new judge, sworn in the day before, took over a 3 year old case involving the FBI orchestration of terrorist activity in at least two states. [6] Cases in which the DOJ (stupidly) prosecuting one case admitted to instigating the so-called terrorists in another case halfway across the country.
They did allegedly just raid a politically opposed journalistic outlet and leak confidential reporter's notes to NYT, which is sort of illegal. Can anyone explain why Biden's daughter's stolen diary, which PV obtained and gave back, is grounds for an FBI search warrant?
Calling that guy a journalist is hilariously disingenuous. The guy that has been caught doctoring and falsely editing literally everything that he has produced?
He's catering to an audience of hateful people that can't even eat breakfast without it being in bad faith. He is weeks away from an expose telling you that actually the confederacy landed on the moon first.
Being a contrarian fool that argues blindly without accepting or understanding reality and context is de rigueur on this website; it's disgusting, and telling as to why the industry is so self-serving and fraud-ridden.
> the guy that has been caught doctoring and falsely editing literally everything that he has produced?
I don't know what to tell you, that's a lie. Even if he had published misleading or false statements in the past, that does not imply that everything out of PV is false, as convenient as such a belief may be for supporters of the establishment.
>He's catering to an audience of hateful people that can't even eat breakfast without it being in bad faith. He is weeks away from an expose telling you that actually the confederacy landed on the moon first.
Dissent is not hateful. Leaning right is not hateful. You are stereotyping, writing off everyone on the other side based on the beliefs of an extreme minority. The same logic could be applied to the left at large and it would be just as dishonest.
>Being a contrarian fool that argues blindly without accepting or understanding reality and context is de rigueur on this website, it's disgusting
As opposed to blindly following groupthink because your "authoritative sources" have unquestioningly quoted experts with blatant political and financial conflicts of interest? Please. Tell me, where are the journalists looking into e.g. ties between Pfizer and the FDA? Regulatory capture is no secret. The partisan hate that PV gets is totally unwarranted; it's a cheap, straw-grasping dismissal of opposition.
This leaked diary is an excellent example, by the way. Though PV did not leak the contents, someone else did, and there are images of pages detailing Ashley's potential molestation by her father. If our media had a semblance of objectivity that would be a huge story - and apparently if the FBI is raiding PV over the diary (for which there is absolutely no justification, beyond party politics), the diary must be authentic. Hunter Biden's laptop was another example of mass collusion by partisan media - regardless of how you feel about the situation, images of a presidential candidate's son smoking crack with prostitutes is huge news. PV was one of the few outlets willing to touch it.
In any case, that you may think O'Keefe is biased does not imply that he is not in fact a journalist; unless you are willing to be consistent and acknowledge that the blatant activism that has replaced journalism in mainstream media also disqualifies them from identifying as journalists. This is what dissent looks like.
The boy who cried wolf alludes to a heuristic, not carte blanche to disregard media outlets you don't like.
And I would argue that dozens of images of the son of a presidential candidate partying with prostitutes and a crack pipe is indeed substance - regardless, the coordinated refusal to report negative information regarding their preferred party should make you at least as concerned about selective reporting as you are about PV. It is blatant evidence of partisanship, propaganda, and the same sort of election-influencing collusion that Trump and Russia were accused of. Conveniently off of a false report, as has recently come out - is that enough for you to start disregarding MSM outlets now? Clearly there wasn't even an attempt to investigate the Steele dossier on the part of the propagandists you so blindly trust. Crying wolf indeed.
> He's catering to an audience of hateful people that can't even eat breakfast without it being in bad faith.
This sounds like a parody of an accusation of bad faith. If some people can't even eat breakfast without being accused of acting in bad faith, that says more about the people making the accusation.