- FBI website hacked by Troll to send 100,000 emails
- Poor coding practices in FBI website enabled the intrusion
- Troll's email was to further a spat between him and a cyber security researcher
The Fake Email
The email purports that the receiver has been hacked and that the email is an FBI notification of the intrusion. It comes across as an obvious troll to anyone barely technically literate, the terms "fastflux technologies" and "global accelerators" are helpful tipoffs. The email implicates Vinny Troia to be behind the "intrusion".
Vinny Troia and the hacker/troll Pompompurin have somewhat of a history. As Vinny explains in a blog post “This all started about a year ago when we initially published our cybercrime report naming Christopher Meunier, 22, of Calgary, Canada, as the alleged mastermind behind several major hacking groups including The Dark Overlord, Gnostic Players, and Shiny Hunters.”
Vinny alleges that “Christopher Meunier” is Pompompurin, though Pompompurin denies this. In an attempt to express his frustrations Pompompurin has been on quite the trolling spree the last year. On one occasion they hacked the national center for missing children, publishing a blog post about Vinny being a pedo.
On another occasion he DDoSed one of Vinny’s websites. He also hacked Vinny’s twitter account - tweeting the most bizarre things. And that’s not even the end of it, Vinny says “he tried to publicly frame me for the hack on Astoria company; and before that, it was something else.”
The pair aren't the best of pals, the FBI intrusion is merely the latest installment in the saga.
The FBI has a webpage called the “law enforcement enterprise portal” which various law enforcement agencies use to access resources. The first mistake the FBI made was that anyone visiting the web page could hit the Apply for an account button.
Since the intrusion, this button does nothing. However a FBI PDF guide explains once the application process is completes, "You will receive an email confirmation from firstname.lastname@example.org that your LEEP account is created".
Herein lies the second mistake, this confirmation email is generated client side. By inspecting the traffic to and from the website you can see the parameters are all generated on your PC.
Our Troll injected a malicious script, which automated sending in total 100,000 emails.