
strange scam? email claiming to be from the fbi
I had a bit of an odd one this morning, I received two emails through
contacts listed in whois subject: "Urgent: Threat actor in systems" from
"eims@ic.fbi.gov". I was all set to ignore them as an odd bit of spam
but did a quick check on the headers and was surprised to see it had
valid dkim and spf and was from an actual FBI IP, cue real worry
starting. Luckily it looks like it was a case of something being hacked
on the FBI's end, as on calling they immediately knew what I was calling
about and said they had dealt with the compromised equipment. Further
googling after that call shows a few more reports of this ex.
https://twitter.com/spamhaus/status/1459450061696417792 and
https://www.newsweek.com/fbi-email-system-reportedly-hacked-fake-dhs-cyberattack-messages-1648966
but I'd figured to mention it here so others don't get caught quite as
off guard.

Best guess I can come up with is it's an attempt to ruin the person
mentioned in the email's name and/or promote the name of the mentioned
gang. The specifics seem off for trying to get someone swatted given if
you thought this was real what local agency would want to storm a
federal operation with swat agents, and if you thought this was all
fake, then you wouldn't go either. That or create FUD for any other
warnings issued and distract from something else going on.


Full body of the email:

Our intelligence monitoring indicates exfiltration of several of your
virtualized clusters in a sophisticated chain attack. We tried to
blackhole the transit nodes used by this advanced persistent threat
actor, however there is a huge chance he will modify his attack with
fastflux technologies, which he proxies trough multiple global
accelerators. We identified the threat actor to be Vinny Troia, whom is
believed to be affiliated with the extortion gang TheDarkOverlord, We
highly recommend you to check your systems and IDS monitoring. Beware
this threat actor is currently working under inspection of the NCCIC, as
we are dependent on some of his intelligence research we can not
interfere physically within 4 hours, which could be enough time to cause
severe damage to your infrastructure.
Stay safe,
U.S. Department of Homeland Security | Cyber Threat Detection and
Analysis | Network Analysis Group
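The header check described in the post above, as an added example that is not part of the thread: it parses the Authentication-Results and DKIM-Signature headers of a constructed message and spells out what spf=pass plus dkim=pass actually establishes. The receiving host, selector and sender IP in the sample are placeholders.

```python
"""Added example (not from the thread): triage Authentication-Results and
DKIM-Signature headers and state what spf=pass/dkim=pass establishes.
The message below is constructed; receiving host, selector and IP are placeholders."""
import email
import re
from email.utils import parseaddr

SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=ic.fbi.gov;
 dkim=pass header.d=ic.fbi.gov header.s=sel1
DKIM-Signature: v=1; a=rsa-sha256; d=ic.fbi.gov; s=sel1;
 h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: eims@ic.fbi.gov
To: abuse@example.net
Subject: Urgent: Threat actor in systems

(constructed body)
"""

def tag(header, key):
    """Value of a key=value tag; the lookbehind keeps d= from matching header.d= or bh=."""
    m = re.search(r'(?<![\w.])' + re.escape(key) + r'=([^;\s]+)', header)
    return m.group(1) if m else None

def triage(raw):
    msg = email.message_from_string(raw)
    # Unfold continuation lines so the tag regex sees one logical header.
    auth = ' '.join((msg['Authentication-Results'] or '').split())
    dkim = ' '.join((msg['DKIM-Signature'] or '').split())
    from_dom = parseaddr(msg['From'] or '')[1].rpartition('@')[2].lower()
    d = (tag(dkim, 'd') or '').lower()
    report = {
        'spf': tag(auth, 'spf'),
        'dkim': tag(auth, 'dkim'),
        'dkim_domain': d,
        'from_domain': from_dom,
        # DMARC-style alignment: signing domain equals From: domain or a parent of it.
        'aligned': bool(d) and (from_dom == d or from_dom.endswith('.' + d)),
        'signed_headers': (tag(dkim, 'h') or '').lower().split(':'),
    }
    # A pass proves the message transited hosts holding the domain's DKIM key
    # (and, for SPF, a listed sender IP). It does not prove who wrote the body:
    # a relay or web form on that infrastructure that echoes client-supplied
    # text yields a fully authenticated hoax, which is what this thread describes.
    if report['spf'] == 'pass' and report['dkim'] == 'pass' and report['aligned']:
        report['verdict'] = 'authenticated origin; content still untrusted'
    else:
        report['verdict'] = 'authentication failed or unaligned'
    return report
```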
Re: strange scam? email claiming to be from the fbi
> On Nov 13, 2021, at 5:02 PM, Glenn McGurrin via NANOG <nanog@nanog.org> wrote:
>
> I had a bit of an odd one this morning

It’s this:

https://www.engadget.com/fbi-email-server-hack-221052368.html

-Bill
Re: strange scam? email claiming to be from the fbi
https://www.washingtonpost.com/nation/2021/11/14/fbi-hack-email-cyberattack/

On Mon, Nov 15, 2021, 09:56 Glenn McGurrin via NANOG <nanog@nanog.org>
wrote:

> I had a bit of an odd one this morning, I received two emails through
> contacts listed in whois subject: "Urgent: Threat actor in systems" from
> "eims@ic.fbi.gov". I was all set to ignore them as an odd bit of spam
> but did a quick check on the headers and was surprised to see it had
> valid dkim and spf and was from an actual FBI IP, cue real worry
> starting. Luckily it looks like it was a case of something being hacked
> on the FBI's end, as on calling they immediately knew what I was calling
> about and said they had dealt with the compromised equipment. Further
> googling after that call shows a few more reports of this ex.
> https://twitter.com/spamhaus/status/1459450061696417792 and
>
> https://www.newsweek.com/fbi-email-system-reportedly-hacked-fake-dhs-cyberattack-messages-1648966
> but I'd figured to mention it here so others don't get caught quite as
> off guard.
>
> Best guess I can come up with is it's an attempt to ruin the person
> mentioned in the email's name and/or promote the name of the mentioned
> gang. The specifics seem off for trying to get someone swatted given if
> you thought this was real what local agency would want to storm a
> federal operation with swat agents, and if you thought this was all
> fake, then you wouldn't go either. That or create FUD for any other
> warnings issued and distract from something else going on.
>
>
> Full body of the email:
>
> Our intelligence monitoring indicates exfiltration of several of your
> virtualized clusters in a sophisticated chain attack. We tried to
> blackhole the transit nodes used by this advanced persistent threat
> actor, however there is a huge chance he will modify his attack with
> fastflux technologies, which he proxies trough multiple global
> accelerators. We identified the threat actor to be Vinny Troia, whom is
> believed to be affiliated with the extortion gang TheDarkOverlord, We
> highly recommend you to check your systems and IDS monitoring. Beware
> this threat actor is currently working under inspection of the NCCIC, as
> we are dependent on some of his intelligence research we can not
> interfere physically within 4 hours, which could be enough time to cause
> severe damage to your infrastructure.
> Stay safe,
> U.S. Department of Homeland Security | Cyber Threat Detection and
> Analysis | Network Analysis Group
>
Re: strange scam? email claiming to be from the fbi
> Date: Monday, November 15, 2021 10:14:30 -0500
> From: Christopher Morrow <morrowc.lists@gmail.com>
>
> https://www.washingtonpost.com/nation/2021/11/14/fbi-hack-email-cyberattack/
>
> On Mon, Nov 15, 2021, 09:56 Glenn McGurrin wrote:
>
>> I had a bit of an odd one this morning, I received two emails
>> through contacts listed in whois subject: "Urgent: Threat actor in
>> systems" from "eims@ic.fbi.gov". I was all set to ignore them as
>> an odd bit of spam but did a quick check on the headers and was
>> surprised to see it had valid dkim and spf and was from an actual
>> FBI IP, cue real worry starting. Luckily it looks like it was a
>> case of something being hacked on the FBI's end, as on calling they
>> immediately knew what I was calling about and said they had dealt
>> with the compromised equipment. Further googling after that call
>> shows a few more reports of this ex.
>> https://twitter.com/spamhaus/status/1459450061696417792 and

Seems it wasn't an actual "intrusion" [into an fbi email system],
rather simply taking advantage of a very badly configured web site to
send out the messages [from an fbi machine].

<https://krebsonsecurity.com/2021/11/hoax-email-blast-abused-poor-coding-in-fbi-website/>
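The mechanism the poster above describes (a web site on the agency's own infrastructure sending out whatever text it is handed, so the mail server signs it and SPF/DKIM pass) shown in a hypothetical notification endpoint. This is an added example, not code from the thread or from any FBI system; the endpoint, sender address and ticket format are assumptions.

```python
"""Added example (hypothetical endpoint, not the FBI's code): a notification
form that trusts client-supplied fields, beside a hardened version that only
ever sends server-controlled text. Both build the message the MTA would sign."""
import re
from email.message import EmailMessage

SENDER = "noreply@agency.example"          # constructed placeholder
TEMPLATE = "Your request {ticket} was received. Reply via the ticket only."
TICKET_RE = re.compile(r"^[A-Z]{2}-\d{6}\Z")
ADDR_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+\Z")   # rejects CR/LF injection too

def notify_vulnerable(form):
    """Subject and body come straight from the HTTP form. Anyone who can POST
    here can make the agency's mail server send arbitrary text to any address,
    and SPF/DKIM pass because it genuinely is the agency's server sending it."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = form["to"]
    msg["Subject"] = form["subject"]
    msg.set_content(form["body"])
    return msg

def notify_hardened(form):
    """Only server-controlled text leaves the system. The client may pick a
    recipient and reference a ticket id, both validated; subject and body are
    fixed templates, so the form cannot be turned into an open mailer.
    Returns None when the input is rejected."""
    to = form.get("to", "")
    ticket = form.get("ticket", "")
    if not ADDR_RE.match(to) or not TICKET_RE.match(ticket):
        return None
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to
    msg["Subject"] = f"Ticket {ticket} received"
    msg.set_content(TEMPLATE.format(ticket=ticket))
    return msg
```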
Re: strange scam? email claiming to be from the fbi
Quite a bit of discussion on the outages mailing list. It was an
exploited HTML form on the FBI site.

The text reminds me of the Turboencabulator data sheet.

> Full body of the email:
> Our intelligence monitoring indicates exfiltration of several of your
> virtualized clusters in a sophisticated chain attack. We tried to
> blackhole the transit nodes used by this advanced persistent threat
> actor, however there is a huge chance he will modify his attack with
> fastflux technologies, which he proxies trough multiple global
> accelerators. We identified the threat actor to be Vinny Troia, whom is
> believed to be affiliated with the extortion gang TheDarkOverlord, We
> highly recommend you to check your systems and IDS monitoring. Beware
> this threat actor is currently working under inspection of the NCCIC, as
> we are dependent on some of his intelligence research we can not
> interfere physically within 4 hours, which could be enough time to cause
> severe damage to your infrastructure.
> Stay safe,
> U.S. Department of Homeland Security | Cyber Threat Detection and
> Analysis | Network Analysis Group


--
Jay Hennigan - jay@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV
Re: strange scam? email claiming to be from the fbi
> Quite a bit of discussion on the outages mailing list. It was an exploited HTML form on the FBI site.

That's a flashback to the '90s :)
Sander
Re: strange scam? email claiming to be from the fbi
I'm aware there are now articles about this, and that it's somewhat old
news now; at the time of writing, and for a number of hours afterwards,
the only two in Google were the one I linked and one from (I think it was)
the Sun that had no more information. This was sent Saturday at 11am
Eastern and just got stuck in moderation for a while (which isn't a dig
at the moderators, especially as it was a weekend, just a note that the
situation in terms of information when it was sent and when most people
got this had changed significantly). I'm also aware of the discussion
on the outages list; in fact I was the one who started that discussion
at about the same time I sent this (I think it was a few minutes after
this email that I sent the one to outages).

On 2021-11-13 11:02, Glenn McGurrin via NANOG wrote:
> I had a bit of an odd one this morning, I received two emails through
> contacts listed in whois subject: "Urgent: Threat actor in systems"
> from "eims@ic.fbi.gov". I was all set to ignore them as an odd bit of
> spam but did a quick check on the headers and was surprised to see it
> had valid dkim and spf and was from an actual FBI IP, cue real worry
> starting. Luckily it looks like it was a case of something being
> hacked on the FBI's end, as on calling they immediately knew what I was
> calling about and said they had dealt with the compromised equipment.
> Further googling after that call shows a few more reports of this ex.
> https://twitter.com/spamhaus/status/1459450061696417792 and
> https://www.newsweek.com/fbi-email-system-reportedly-hacked-fake-dhs-cyberattack-messages-1648966
> but I'd figured to mention it here so others don't get caught quite as
> off guard.
>
> Best guess I can come up with is it's an attempt to ruin the person
> mentioned in the email's name and/or promote the name of the mentioned
> gang. The specifics seem off for trying to get someone swatted given
> if you thought this was real what local agency would want to storm a
> federal operation with swat agents, and if you thought this was all
> fake, then you wouldn't go either. That or create FUD for any other
> warnings issued and distract from something else going on.
>
>
> Full body of the email:
>
> Our intelligence monitoring indicates exfiltration of several of your
> virtualized clusters in a sophisticated chain attack. We tried to
> blackhole the transit nodes used by this advanced persistent threat
> actor, however there is a huge chance he will modify his attack with
> fastflux technologies, which he proxies trough multiple global
> accelerators. We identified the threat actor to be Vinny Troia, whom
> is believed to be affiliated with the extortion gang TheDarkOverlord,
> We highly recommend you to check your systems and IDS monitoring.
> Beware this threat actor is currently working under inspection of the
> NCCIC, as we are dependent on some of his intelligence research we can
> not interfere physically within 4 hours, which could be enough time to
> cause severe damage to your infrastructure.
> Stay safe,
> U.S. Department of Homeland Security | Cyber Threat Detection and
> Analysis | Network Analysis Group
Re: strange scam? email claiming to be from the fbi
On Sat, Nov 13, 2021 at 11:02:49AM -0500, Glenn McGurrin via NANOG wrote:
> I had a bit of an odd one this morning, I received two emails through
> contacts listed in whois subject: "Urgent: Threat actor in systems" from
> "eims@ic.fbi.gov". I was all set to ignore them as an odd bit of spam

Private reply.

Having had several interactions with the FBI (and a few other TLAs), they
have confirmed that they never use email for critical communications like
these.

So you can relax if you get email from the IRS, FBI or most any
other government agency. As federal agencies, they use the US Mail.
The SBA is an exception; they do use email to request and communicate
information.