A recent hacking incident in which an adversary hijacked the FBI’s own external email system to send out bogus warnings of a cyberattack illustrates how convincingly authentic a fraudulent email can appear when it has the correct sender’s domain in the header.
Fortunately, in this instance, the attacker simply spammed thousands of recipients with an email that seemed primarily intended to embarrass the FBI over a security misstep, while at the same time trolling a member of security research community. But under different circumstances, an adversary might have tried to provoke recipients to click on a malicious link, open a weaponized attachment, or give away credentials.
Hijacked emails can be especially effective when the communication appears to be a severe cybersecurity alert from an important authority like the FBI or an infosec firm. Such emails might incite a reflexive response before users can logically think through their actions.
“People almost instantly make decisions about the importance of an email that shows up in their inbox based on the identity of the sender. When the sender is either known to the user as someone important to them, or has an email domain that is significant, they start to react within seconds,” said Tim Helming, security evangelist at DomainTools. “For many people, an email domain such as fbi.gov or the name of a cybersecurity company conveys a sense of trust, significance and/or priority. This in turn will cause some recipients to bypass the mental filtering or scrutiny they apply to routine emails, which sets the stage for being successfully lured by the phish.”
Moreover, email authentication measures that normally block instances of spoofed or forged domains, like SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), wouldn’t help in these situations “because the emails were really sent from FBI infrastructure,” explained Carel Bitter, chief data officer at The Spamhaus Project – the international organization that initially tweeted about the incident. “All the usual technical countermeasures to deal with forged domains do not apply here because there was no forgery going on,” he continued, in an interview with SC Media.
Not only that, but the false messaging potentially could have amplified many times over: “Businesses that have their own customers will fairly quickly take [FBI] advisories and republish them for their own customers as a de facto alert,” said Paul Laudanski, head of threat intelligence at Tessian. “Because these alerts come from legitimate and recognized senders, like the FBI in this case, the information oftentimes is just passed along.”
“A not so well-intentioned adversary could have exploited this advisory pipeline to deliver a seemingly legitimate alert to include steps or procedures for updating systems immediately or by blocking IP addresses or domains,” Laudanski continued. “These ‘updates’ could have led to malicious zero-day infections or the blocks could have been implemented by consumers who may not have the resources to verify or validate the directions provided by the bad actors taking advantage of a trusted channel.”
“It’s not every day that such a prestigious organization is taken advantage of in this manner, and it could have been a lot worse.”
Even so, this relatively mild attack still could have potentially resulted in the FBI being inundated with calls and emails from concerned organizations that thought they were actually compromised.
While such incidents might be difficult to suss out at first glance, there are steps recipients can take to ensure they are not being induced into taking an unsafe action, and there are also ways for organizations to better protect their “email identities” and reputations.
For starters, email recipients can look at the content within the messaging to see if it features misspellings, unusual syntax, or unreasonable calls to action. Bitter said that in this recent case, “it was a weirdly written message for a federal agency,” noting for example that the email actually named an individual suspect in the attack, which is information the real FBI would not readily share.
“Legitimate cybersecurity alerts from the FBI typically list indicators of compromise, discuss TTPs and provide tips for organizations to protect themselves,” said Laudanski. “These fake alerts sent to 100,000 users did not follow any of those standards, and also contained spelling mistakes, which is often a tell-tale sign of a scam email.”
Also, “usually when an organization reaches out there’ll be a name in there and a way to contact them back. But in the fake FBI email, there's no mention of [that],” Bitter noted.
There’s also the matter of whether the FBI would use email as its primary tool to alert companies or individuals of a major cyberattack when other means like a direct phone call would likely be a more efficient and personal response. “The urgency of [an actual attack] is, I think, greater than basically a cold call email like this,” said Bitter.
If you have any doubts about an email, call the source back to verify its validity – “that's the most important thing you can do,” said Bitter.
On the other side of the equation, companies may want to consider invoking certain protections or policies that would mitigate damage in the event their email systems are ever hijacked like this.
For the FBI, such efforts would likely start with patching the vulnerabilities that allowed this incident to transpire in the first place.
According to a KrebsOnSecurity blog post, a hacker claiming to be the perpetrator said he was able to access the FBI’s email system through the agency’s Law Enforcement Enterprise Portal (LEEP), a platform that is normally accessed by other law enforcement, threat intelligence and criminal justice entities. The hacker said he was able to easily apply for a portal account, at which time he received an email with a one-time password that was leaked in the HTML of the web page. He said the confirmation code was generated client-side and sent via POST request, which allowed him to use a simple script to replace the email’s subject and body content before sending it off to thousands of email addresses.
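To make the design flaw concrete, here is an added illustration (not LEEP's code, and not from the article): a sign-up confirmation handler that relays whatever subject, body and code the browser posts, beside a hardened version in which the server generates the code, stores only its digest, and fills a fixed template so the request can only choose the recipient address. The class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class OutboundMail:
    to: str
    subject: str
    body: str


def insecure_signup(form: dict) -> OutboundMail:
    """The flaw described above: the code and the notification text arrive in the
    POST body, so the mail server becomes a relay for attacker-chosen content."""
    return OutboundMail(form["email"], form["subject"], form["body"])


@dataclass
class ConfirmationService:
    """Hardened variant (hypothetical design): server-side code, fixed template,
    hashed storage, expiry, attempt limit and single use."""
    ttl_seconds: int = 600
    max_attempts: int = 5
    sent: list = field(default_factory=list)
    _pending: dict = field(default_factory=dict)   # email -> (digest, expiry, attempts)

    SUBJECT = "Confirm your portal account request"
    BODY = "Your one-time confirmation code is {code}. It expires in 10 minutes."

    def secure_signup(self, form: dict) -> OutboundMail:
        email = form["email"]                       # the only field read from the request
        code = f"{secrets.randbelow(10**6):06d}"    # generated here, never by the client
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[email] = (digest, time.time() + self.ttl_seconds, 0)
        mail = OutboundMail(email, self.SUBJECT, self.BODY.format(code=code))
        self.sent.append(mail)
        return mail

    def verify(self, email: str, code: str) -> bool:
        entry = self._pending.get(email)
        if entry is None or time.time() > entry[1] or entry[2] >= self.max_attempts:
            self._pending.pop(email, None)
            return False
        digest = hashlib.sha256(code.encode()).hexdigest()
        if hmac.compare_digest(digest, entry[0]):
            del self._pending[email]                # single use
            return True
        self._pending[email] = (entry[0], entry[1], entry[2] + 1)
        return False
```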
The spam emails, sent on Nov. 13 to addresses that Spamhaus says were scraped from an ARIN database, featured a subject line that read: “Urgent: Threat actor in systems.” The text’s body warned: “Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack.” The non-existent attack was falsely attributed to security researcher Vinny Troia, as a way to troll him.
“This incident underscores the importance of protecting public-facing services and tools, especially when they have connections to critical resources,” said Helming, who noted this includes portals, which often “connect external users to internal databases, directories or other protected infrastructure.”
“Assuming that these exposed services are safely coded and properly patched, the next layer of protection involves the application of least privilege and network segmentation, to help ensure that a user who gains access via a compromised portal is not able to move laterally within the protected environment,” Helming continued. “Alerting on changes made to protected systems – even legitimate changes – may be appropriate in some cases, particularly if such changes are not expected to be made often. In this case, the portal was manifestly not securely coded, making it trivial to send the false emails.”
“It’s unfortunate that a simple modification of the traffic between a user and this web application allowed the attacker to generate a slew of emails from a legitimate address,” commented Tim Erlin, vice president of strategy at Tripwire. “This incident highlights the importance of a secure software development program, web application testing and security configuration management. This attack could have been stopped at multiple points in its lifecycle.”
Other organizations looking to limit damage in case their email systems were ever secretly hijacked might also consider placing rate limits on the number of emails a particular domain can send in a given day, as a means of preventing the mass distribution of spam emails (unless of course this interferes with normal business).
They might also want to clearly communicate via their website and other communications their normal email policies – such as never asking a recipient, unprompted, to open an attachment, click on a link, or reveal credentials or personal information.
“It [would] be helpful for them to say, ‘These are the ways we would reach out to you, and this is how [to] verify that it’s really us,’” said Bitter. “And if you get [contacted] in any other way, then it's probably wrong and or falsified or fraudulent.”
Laudanski also suggested that companies should set more restrictive SPF policies to reduce the number of email IP addresses in an organization that are actually permitted to send an email. Tessian noted that the FBI, for instance, has more than 65,000 IP addresses from which an email can be sent on the agency’s behalf – a large number that perhaps might not always be easy to manage.
While this is generally good advice, in this case, a more restrictive SPF policy would not have helped: “This particular email came from some internal system, was forwarded to some other internal system, which forwarded it to the Internet-facing mail server. So it's the path you would expect an email from the FBI to travel,” said Bitter. “So there's not much you can do with SPF or DKIM there… If you limit the SPF record to let's say the two or three IPs of those outbound mail servers, then this still would have passed [through].”
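Bitter's point is that SPF authenticates the IP address that connects to the receiving mail server, not who wrote the message or which internal system it came from. The following added example (not from the article; the records use constructed RFC 5737 documentation addresses, not the real fbi.gov record) evaluates a broad and a tightened `ip4`-only SPF record and shows that a message relayed internally through the domain's legitimate outbound MTA passes both, while a direct connection from an unlisted host fails only the tight one.

```python
import ipaddress

# Constructed records: a broad one listing whole ranges, and a tightened one
# naming only the two Internet-facing outbound mail servers.
BROAD_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ip4:203.0.113.0/24 -all"
TIGHT_RECORD = "v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 -all"

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record: str, client_ip: str) -> str:
    """Simplified SPF evaluation for the IP that connected to the receiving MTA.
    Handles ip4/ip6 mechanisms and 'all'; real SPF also resolves a, mx, include
    and redirect, which this toy evaluator deliberately skips."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # IPv4 address vs IPv6 network (or vice versa) simply never matches.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue
        if matched:
            return RESULTS[qualifier]
    return "neutral"


def connecting_ip(relay_path: list) -> str:
    """The receiving MTA only sees the last hop, whatever happened before it."""
    return relay_path[-1]


# Constructed path mirroring Bitter's description: an internal system hands the
# message to another internal relay, which hands it to the outbound mail server.
INTERNAL_PATH = ["10.20.30.40", "10.20.31.5", "203.0.113.10"]


def hijacked_message_result(record: str) -> str:
    return spf_check(record, connecting_ip(INTERNAL_PATH))
```

Tightening the record does stop hosts outside the two outbound servers from sending as the domain directly, which is still worthwhile; it just does nothing about content injected upstream of those servers.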