Score points for creativity. An attacker used an FBI email server to blast a hoax to 100,000 people.
Let’s say I’m an attacker. I fill out the online form to sign up for updates from the FBI LEEP (Law Enforcement Enterprise Portal) website. LEEP tells me it will send a code to my email, and when I respond, LEEP will know I’m me. So far, pretty standard stuff.
But for some reason, maybe intuition, I sniff the conversation between LEEP and me and I notice the HTTP POST request that tells LEEP to use the fields I provided to generate that confirmation email. But that POST does more than just tell LEEP to send the confirmation email. It also carries the message subject line and body. Right there in my browser client. Which means my browser tells the FBI email server what to send and where to send it. And that means I can craft my own POST request to the LEEP server with any subject, message body, and recipient email address I want, and an FBI email server will forward it.
And that’s what an attacker who calls himself Pompompurin did over the weekend of Nov. 13, 2021. He sent it to 100,000 recipient addresses, most likely scraped from the ARIN database.
Pompompurin did us a left-handed favor. He could have generated much more damaging content and sent the FBI chasing its tail. Instead, he did an obvious hoax. And then he bragged about it to KrebsOnSecurity.com. And now the world knows about the dangers of generating confirmation email content from a browser client. But I doubt any FBI agents will be good sports about this.
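The flaw boils down to the server trusting a browser-supplied recipient, subject and body. As an added illustration (not code from this post or from LEEP; the sender address, subject text and field names are assumptions), here is that pattern beside a hardened handler that takes only the address from the client, generates everything else server-side, and flags the extra fields for logging:

```python
import re
import secrets
from dataclasses import dataclass

# Hypothetical values; the real LEEP sender and wording are not given in the post.
SENDER = "no-reply@example.invalid"
SUBJECT = "Your confirmation code"
ALLOWED_FIELDS = {"email"}  # the only field a sign-up form needs to send

# Simple mailbox syntax check; also rejects CR/LF so no extra mail headers can be smuggled in.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass(frozen=True)
class OutboundMail:
    sender: str
    recipient: str
    subject: str
    body: str


def build_confirmation_vulnerable(form: dict) -> OutboundMail:
    """The pattern the post describes: the server copies whatever the browser
    POSTed, so the client decides who gets mail and what it says."""
    return OutboundMail(SENDER, form["to"], form["subject"], form["body"])


def build_confirmation_hardened(form: dict) -> OutboundMail:
    """Only the address comes from the client; subject, body and the code
    itself are generated on the server, and the address must be one valid mailbox."""
    address = str(form.get("email", "")).strip()
    if not EMAIL_RE.fullmatch(address):
        raise ValueError("invalid confirmation address")
    code = secrets.token_hex(4)  # in a real system, stored server-side to check the reply
    body = (f"Your confirmation code is {code}. "
            "If you did not request this, you can ignore this message.")
    return OutboundMail(SENDER, address, SUBJECT, body)


def unexpected_fields(form: dict) -> set:
    """Fields the sign-up form never sends; seeing them in a POST is worth logging,
    because a normal browser session would not produce them."""
    return set(form) - ALLOWED_FIELDS
```

The vulnerable function exists only to show the contrast; a real handler should never hand client-supplied text to the mailer.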
And for downtrodden Minnesota Vikings fans – SKOL!