“Needless to say, this is a horrible thing to be seeing on any website,” Pompompurin said. A critical step in that process says applicants will receive an email confirmation from with a one-time passcode - ostensibly to validate that the applicant can receive email at the domain in question.īut according to Pompompurin, the FBI’s own website leaked that one-time passcode in the HTML code of the web page.Ī screenshot shared by Pompompurin, who says it shows how he was able to abuse the FBI’s email system to send a hoax message. Much of that process involves filling out forms with the applicant’s personal and contact information, and that of their organization. Helpfully, step-by-step instructions for registering a new account on the LEEP portal also are available from the DOJ’s website. Until sometime this morning, the LEEP portal allowed anyone to apply for an account. “These resources will strengthen case development for investigators, enhance information sharing between agencies, and be accessible in one centralized location!,” the FBI’s site enthuses. The FBI’s Law Enforcement Enterprise Portal (LEEP). Pompompurin says the illicit access to the FBI’s email system began with an exploration of its Law Enforcement Enterprise Portal (LEEP), which the bureau describes as “a gateway providing law enforcement agencies, intelligence groups, and criminal justice entities access to beneficial resources.” “And this would’ve never been found by anyone who would responsibly disclose, due to the notice the feds have on their website.” “I could’ve 1000% used this to send more legit looking emails, trick companies into handing over data etc.,” Pompompurin said. We continue to encourage the public to be cautious of unknown senders and urge you to report suspicious activity to or In an interview with KrebsOnSecurity, Pompompurin said the hack was done to point out a glaring vulnerability in the FBI’s system. The impacted hardware was taken offline quickly upon discovery of the issue. “This is an ongoing situation and we are not able to provide any additional information at this time. “The FBI and CISA are aware of the incident this morning involving fake emails from an email account,” reads the FBI statement. In response to a request for comment, the FBI confirmed the unauthorized messages, but declined to offer further information. CJIS systems are available to the criminal justice community, including law enforcement, jails, prosecutors, courts, as well as probation and pretrial services.” I am contacting you today because we located a botnet being hosted on your forehead, please take immediate action thanks.”Ī review of the email’s message headers indicated it had indeed been sent by the FBI, and from the agency’s own Internet address. The domain in the “from:” portion of the email I received - corresponds to the FBI’s Criminal Justice Information Services division (CJIS).Īccording to the Department of Justice, “CJIS manages and operates several national crime information systems used by the public safety community for both criminal and civil purposes. “Check headers of this email it’s actually coming from FBI server. Around that time, KrebsOnSecurity received a message from the same email address. 12 ET, tens of thousands of emails began flooding out from the FBI address warning about fake cyberattacks. The phony message sent late Thursday evening via the FBI’s email system.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |