Small scoop that I'm breaking here first. InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum.

Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online -- using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.

https://krebsonsecurity.com/2022/12/fbis-vetted-info-sharing-network-infragard-hacked/?v=2

FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked – Krebs on Security

USDoD said they gained access to the FBI’s InfraGard system by applying for a new account using the name, Social Security Number, date of birth and other personal details of a chief executive officer at a company that was highly likely to be granted InfraGard membership.

The CEO in question — currently the head of a major U.S. financial corporation that has a direct impact on the creditworthiness of most Americans — did not respond to requests for comment.

USDoD told KrebsOnSecurity their phony application was submitted in November in the CEO’s name, and that the application included a contact email address that they controlled — but also the CEO’s real mobile phone number.

“When you register they said that to be approved can take at least three months,” USDoD said. “I wasn’t expected to be approve[d].”

But USDoD said that in early December, their email address in the name of the CEO received a reply saying the application had been approved (see redacted screenshot to the right). While the FBI’s InfraGard system requires multi-factor authentication by default, users can choose between receiving a one-time code via SMS or email.

“If it was only the phone I will be in [a] bad situation,” USDoD said. “Because I used the person[‘s] phone that I’m impersonating.”

USDoD said the InfraGard user data was made easily available via an Application Programming Interface (API) that is built into several key components of the website that help InfraGard members connect and communicate with each other.

USDoD said after their InfraGard membership was approved, they asked a friend to code a script in Python to query that API and retrieve all available InfraGard user data.

“InfraGard is a social media intelligence hub for high profile persons,” USDoD said. “They even got [a] forum to discuss things.”

KrebsOnSecurity shared with the FBI several screenshots and other data that may help isolate the imposter InfraGard account, but the agency declined to comment for this story.

To prove they still had access to InfraGard as of publication time Tuesday evening, USDoD sent a direct message through InfraGard’s messaging system to an InfraGard member whose personal details were initially published as a teaser on the database sales thread.

That InfraGard member, who is head of security at a major U.S. technology firm, confirmed receipt of USDoD’s message but asked to remain anonymous for this story.

USDoD acknowledged that his $50,000 asking price for the InfraGard database may be a tad high, given that it is a fairly basic list of people who are already very security-conscious. Also, only about half of the user accounts contain an email address, and most of the other database fields — like Social Security Number and Date of Birth — are completely empty.

“I don’t think someone will pay that price, but I have to [price it] a bit higher to [negotiate] the price that I want,” they explained.

While the data exposed by the apparent infiltration at InfraGard may be minimal, the user data might not have been the true end game for the intruders.

USDoD said they were hoping the imposter account would last long enough for them to finish sending direct messages as the CEO to other executives using the InfraGard messaging portal. USDoD shared the following redacted screenshot from what they claimed was one such message, although they provided no additional context about it.

USDoD said in their sales thread that the guarantor for the transaction would be Pompompurin, the administrator of the cybercrime forum Breached. By purchasing the database through the forum administrator’s escrow service, would-be buyers can theoretically avoid getting ripped off and ensure the transaction will be consummated to the satisfaction of both parties before money exchanges hands.

Pompompurin has been a thorn in the side of the FBI for years. Their Breached forum is widely considered to be the second incarnation of RaidForums, a remarkably similar English-language cybercrime forum shuttered by the U.S. Department of Justice in April. Prior to its infiltration by the FBI, RaidForums sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches.

In November 2021, KrebsOnSecurity detailed how Pompompurin abused a vulnerability in an FBI online portal designed to share information with state and local law enforcement authorities, and how that access was used to blast out thousands of hoax email messages — all sent from an FBI email and Internet address.

https://krebsonsecurity.com/2021/11/hoax-email-blast-abused-poor-coding-in-fbi-website/

Hoax Email Blast Abused Poor Coding in FBI Website – Krebs on Security
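As an added example, not code from the article, the thread, or InfraGard, here is one defender-side check for the scraping described above: a script that walks a member-directory API profile by profile looks nothing like a human browsing a few colleagues. The code parses constructed access-log lines (the log format, the `/api/members/<id>` path, the account names `alice`, `bob` and `newacct`, and the window and threshold values are all assumptions) and flags any account that fetches an unusually large number of distinct member records within a short sliding window.

```python
"""Flag bulk enumeration of a member-directory API from access logs.

Added example; log format, path scheme and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape: "<ISO timestamp> user=<name> <METHOD> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Assumed per-member profile endpoint
MEMBER_RE = re.compile(r"^/api/members/(?P<id>\d+)$")


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_enumerators(lines, window=timedelta(minutes=10), max_distinct=20):
    """Return {user: peak distinct member IDs fetched within any `window`}
    for every account whose peak exceeds `max_distinct`.

    Only successful GETs of member profiles count; failures and other
    endpoints are ignored so that a denied request does not inflate the score.
    """
    per_user = defaultdict(list)  # user -> [(timestamp, member_id), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != 200:
            continue
        mm = MEMBER_RE.match(rec["path"])
        if mm is None:
            continue
        per_user[rec["user"]].append((rec["ts"], int(mm["id"])))

    flagged = {}
    for user, events in per_user.items():
        events.sort()
        counts = defaultdict(int)  # member_id -> hits inside the current window
        start, peak = 0, 0
        for ts, member_id in events:
            counts[member_id] += 1
            # Slide the window forward, dropping events older than `window`.
            while ts - events[start][0] > window:
                old_id = events[start][1]
                counts[old_id] -= 1
                if counts[old_id] == 0:
                    del counts[old_id]
                start += 1
            peak = max(peak, len(counts))
        if peak > max_distinct:
            flagged[user] = peak
    return flagged


def build_sample_log():
    """Constructed sample traffic: one ordinary member, one account walking
    the directory sequentially, and one denied request that must not count."""
    base = datetime(2022, 12, 5, 14, 0, 0)
    lines = []
    # Ordinary use: three profile views spread across an hour.
    for i, member_id in enumerate((1041, 2077, 3090)):
        t = base + timedelta(minutes=15 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=alice GET /api/members/{member_id} 200")
    # Scraper-like use: sixty consecutive IDs fetched two seconds apart.
    for i in range(60):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=newacct GET /api/members/{1000 + i} 200")
    # A denied request: ignored by the detector.
    lines.append(f"{base:%Y-%m-%dT%H:%M:%SZ} user=bob GET /api/members/5 403")
    return lines


if __name__ == "__main__":
    for user, peak in find_enumerators(build_sample_log()).items():
        print(f"ALERT {user}: {peak} distinct member profiles inside one window")
```

The sliding window keeps the check cheap on large logs and makes the threshold a rate rather than a lifetime total, so a long-standing member who looks up a few contacts a day is never flagged while a freshly approved account that sweeps the directory is. In practice the threshold would be tuned from the site's own traffic, and account age (the imposter account here was days old) is a natural second signal to weight.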

@briankrebs ugh great my info is probably a part of that.
@briankrebs Crud. The feds need to get better at this fast.
@tobie @briankrebs Christopher Wray is in charge now. So, no way that's going to happen.
@briankrebs You might want to set all posts below the head of your thread to unindexed; that way they still appear in the thread when someone opens it, but don’t flood timelines.
@acb @briankrebs That just hides it from public timelines, there's no way to hide from followers' timelines afaik
@Quisley @briankrebs If you set it to mentioned people only, it’s hidden from your followers’ timeline. If you set it to unlisted, it’s hidden even from those, and not in any timelines (though visible in opened threads). Try it and see.
@briankrebs That looks like one of the messages I get once a month or so that's part of testing employees for phishing awareness. People fell for it? (I guess if it came from a breached account and didn't have any suspicious headers or links, they might, but it's still awfully generic. Whenever I get email from a co-worker or boss, it's "Regarding Bug 6712, do you think it will be ready for Sprint 52?". Very specific.)
@briankrebs TIL: the fbi's version of verification is "one guy eyeballs an email application and decides on the spot to let someone in"
@Viss @briankrebs Pretty much, unfortunately.
@briankrebs I'm guessing they didn't submit any of his digits or retinas then. Easy money!
@briankrebs Feds are not great at this, are they?
@briankrebs another day, another org who promotes doing only the legally required bare minimum of security work popped
@briankrebs if the FBI can't do this what hope should we have for anyone else. We're screwed!
@briankrebs I still can’t believe that Infragard is still utilizing SMS and email for MFA. Every time I log in, I’m always hoping that they have implemented TOTP or anything better.
@briankrebs Whoops. Kind of amazing it took this long - InfraGard is 15ish years old?
@briankrebs I wonder if this means I get an extra year of credit monitoring.
@briankrebs Yeah, did Infragard for a few years but then just let it lapse. At the time the value-add didn't fit my role. But I remember signing up and thinking "What's to stop anyone from signing up as someone else?" Of course, I wasn't going to "test" it ... you know ... the whole permission thing. I just figured they had some controls on the backend that would prevent it from happening. Guess not. On the bright side, there are definitely going to be controls going forward. Thanks for the article.
@grecs @briankrebs
I would not be so optimistic as to say “definitely.”
@briankrebs So does this count as the system working or not?
@briankrebs Whuf... Well, that's just a tiny bit embarrassing isn't it?
@briankrebs this sounds a little uh bad...
@briankrebs well this doesn’t sound scary at all, does it?😬
That's that bullshit.
@briankrebs … again and again, sigh is not a big enough word …
@briankrebs All the three letter acronyms apply here. JFC. WTF. OMG.
@briankrebs Wow. Stellar example of how vetting and security is done ... not.
@briankrebs Quite unbelievable! Both scary that FBI can’t protect something like this and also a call for improving authentication/digital identity. It is 2022 (almost 2023) and this should be better.

@briankrebs

OOF
Mega OOF
Ultra OOF
Galactic OOF
Interdimensional OOF

@briankrebs this is unbelievable/totally believable, makes me cry/laugh out loud. This is how we live today.
@briankrebs our safety is in the hands of idiots.
@briankrebs Who blew up those twin towers? Sure wasn’t people hiding in a cave. FBI works for the billionaires. CIA does too.
The super rich stole our country 30 years ago. Ronald Reagan, you can thank.
@briankrebs
Well that’s a fine kettle o fish now, isn’t it?
@briankrebs @anildash Can we please show this story to every politician who demands a backdoor into end-to-end encryption that “only the good guys” will have access to…

@briankrebs

isn't that kind of partnership EXACTLY the sort of thing the USA are so often attacking Xi's PRC for?