“We have been made aware of “scary” emails sent in the last few hours that purport to come from the FBI/DHS [Department of Homeland Security],” announced the group on Twitter.
The messages came from a legitimate email address—email@example.com—from the Law Enforcement Enterprise Portal (LEEP), which is owned by the FBI/DHS, the group said. It added, however, “our research shows that these emails *are* fake.”
The FBI, part of the Department of Justice, said in a statement that it and the Cybersecurity and Infrastructure Security Agency (CISA) are both “aware of the incident this morning involving fake emails from an @ic.fbi.gov email account.”
The agency added that although the impacted hardware was “taken offline quickly upon discovery of the issue,” the situation is an ongoing one and it will not be providing additional information for now.
The emails that were sent to tens of thousands of recipients in the database appeared to be warning of a possible cyberattack, according to a copy of the email Spamhaus Project shared on Twitter. That email showed a subject line that reads, “Urgent: Threat actor in systems,” and signed off as the DHS.
The email reads, in part, “Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. … We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDarkOverlord, (sic) We highly recommend you to check your systems and IDS monitoring.”
Spamhaus Project said on Twitter, “These fake warning emails are apparently being sent to addresses scraped from ARIN database. They are causing a lot of disruption because the headers are real, they really are coming from FBI infrastructure. They have no name or contact information in the .sig. Please beware!”
It later added, “From what other people are reporting, this was not limited to the ARIN database. Other, non-ARIN related harvested emails were included in the spam run.”
When asked what possible motivations could underlie the spam emails that came with no trojan links or attachments, Spamhaus Project responded, “Triple action: Convince people to shut things down just in case, while veracity is determined, character assassination of Vinny Troia who was mentioned in it, and flooding the FBI with calls. Or, as someone else said, ‘for the lulz’. Maybe all of the above. Maybe something else!”
Vinny Troia, a security researcher and founder of dark web intelligence company Shadowbyte, commented on Twitter, “Wow I can’t imagine who would be behind this. #thedarkoverlord aka @pompompur_in.”
Troia told Bleeping Computer on Saturday that the individual “pompompurin” is likely the culprit behind the FBI email system compromise.
Troia added that the individual has allegedly been involved in a past incident that sought to damage his reputation.
“The last time they [pompompurin] hacked the national center for missing children’s website blog and put up a post about me being a pedophile,” Troia said.
Troia also added that the individual had contacted him a few hours before spamming the FBI email servers, and that the individual tends to alert him when they are about to discredit him.