Well-known email tracking organisation Spamhaus, which maintains lists of known senders of spams and scams, is warning of a fraudulent “FBI/Homeland Security” alert that has apparently been widely circulated to network administrators and other IT staff in North America.
Indeed, some of our own colleagues have reported receiving messages like this:
Urgent: Threat actor in systems Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies trough multiple global accelerators. We identified the threat actor to be [REDACTED], whom is believed to be affiliated with the extortion gang TheDarkOverlord, We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure.
Spamhaus suggests that at least some of the recipients’ email addresses have been scraped from already public sources such as databases published by ARIN, the [North] American Registry for Internet Numbers.
Note that this doesn’t imply that ARIN has suffered any sort of breach.
It is merely evidence that the crooks behind this disinformation campaign have focused primarily on email addresses that seem to be associated with network administration, in the same way that contact email addresses picked deliberately from podcast feeds would probably go to people who record or produce podcasts.
Call to distraction
Intriguingly, the fake messages don’t include any attachments, phone numbers or web links, making it unlikely that your email filter would consider them risky because of any so-called calls to action they contain.
But the text in the email consists of a bunch of technobabble that looks scary at first sight, including sentences like this:
Urgent: Threat actors in systems.
Our intelligence monitoring indicates exfiltration of several of your virtual clusters in a sophisticated chain attack.
We recommend you check your systems and IDS monitoring.
As you can see in the screenshot above, the email also plausibly suggests that US law enforcement and security services can’t currently blocklist or take down the servers being used by the “attackers” for at least four hours, because they need to keep those servers online as part of an intelligence gathering operation.
In other words, you’ve been warned, but you’re on your own, so Do Something At Once.
The rogue messages, redacted above, also explicitly name a perpetrator, claiming that he belongs to the cybercrime clan known as Dark Overlord.
As you probably know, it’s most unlikely – both for operational and legal reasons – that the US authorities would name and shame an alleged perpetrator up front, while active surveillance was still in place, and no charges had been presented to or unsealed by a court.
The person named, as it happens, is a cybersecurity researcher who has published a book entitled Hunting Cyber Criminals, including Dark Overlord.
What to do?
- Don’t panic. Whatever threat detection and response procedures you have in place, keep on doing them. Unless there is a clear, present, widespread and properly-documented new danger that you genuinely think you are unprepared for, avoid diverting your regular resources from what they are supposed to be doing anyway. Cybercriminals love to create distractions. Setting you off to search for an illusory attack that you are never going to find is a good way for them to trick you into leaving other parts of your infrastructure under-monitored and therefore at heightened risk of compromise.
- Avoid contacting the FBI for further details. If this were a genuine warning, it would almost certainly be easy to find further details, including Indicators of Compromise (IoCs), without calling the FBI’s or any other US agency’s hotline. Either the government’s own well-known cybersecurity information portals, or cybersecurity community sites (including this one), would have further information by now. Leave those government cybersecurity hotlines open for people who really need them.
- Ignore the accusations made in the email. If the individual named as the culprit really were in the sights of the Department of Justice (DOJ), and the DOJ were permitted by law to reveal his name as a suspect or a “person of interest”, you would almost certainly be able to read more about the matter on the DOJ’s own website. Creating “revenge havoc” against innocent individuals is known as Joe Jobbing, after an early spam campaign that made false accusations aimed at provoking an angry online reaction to Joe Doll, operator of a 1990s online hangout called Joes’ Cyberpost.
Occasionally, for example if you become aware of a looming ransomware attack in your own network, or if there’s a sudden global cybersecurity issue such as the Heartbleed bug, you may need to divert your cybersecurity experts in order to deal with the emergency.
But don’t let yourself get distracted by Joe Job messages of this sort – “fake news” like this is not only unfair to the people who are accused in it, but also potentially disruptive to your own cybersecurity protection.
Not enough time or staff? Learn more about Sophos Managed Threat Response:
Sophos MTR – Expert Led Response ▶
24/7 threat hunting, detection, and response ▶
