The FBI on Saturday said it was aware of reports that unauthorized emails were coming from a legitimate FBI email address to thousands of organizations about a purported cyber threat.
The emails – which according to the agency are part of an “ongoing situation” – started coming from an FBI address early Saturday and have hit at least 100,000 inboxes, according to the Spamhaus Project, a Europe-based nonprofit that tracks digital threats.
One of the fake emails sent from the FBI address, which CNN reviewed, claimed to be a warning from the Department of Homeland Security that the recipient was the target of a “sophisticated” attack. But the actual DHS Cybersecurity and Infrastructure Security Agency (CISA) made no such warning.
“The FBI and CISA are aware of the incident this morning involving fake emails from an @ic.fbi.gov email account,” the FBI said in a statement. “This is an ongoing situation and we are not able to provide any additional information at this time. The impacted hardware was taken offline quickly upon discovery of the issue. We continue to encourage the public to be cautious of unknown senders and urge you to report suspicious activity to www.ic3.gov or www.cisa.gov.”
“Once we learned of the incident we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”
The FBI said Sunday that someone had taken advantage of the software misconfiguration to send emails using an IT system the FBI uses to communicate with state and local law enforcement partners. The agency added that the incident did not impact its main computer network.
But cybersecurity analysts were concerned that the fake alert could send organizations scrambling to address a phantom threat, diverting resources from where they are needed against actual hacking threats.
It’s also unclear which types of organizations received the email from the FBI address.
Alex Grosjean, senior threat analyst at Spamhaus, told CNN that whoever perpetrated the scam appeared to be gathering email addresses from organizations that are members of the American Registry for Internet Numbers, a nonprofit that helps manage internet infrastructure. The majority of the nonprofit’s members are internet service providers, according to ARIN’s website.
ARIN did not immediately respond to CNN’s request for comment on Saturday.
Grosjean said he was unaware of any malicious software embedded in the emails. Instead, the emails appear to be a prank to scare the recipients, he said.
The incident also cuts against the work of the FBI and DHS to build trust with non-government organizations and share actionable cyber threat data.
“When someone sees an email from a legitimate FBI account, they’re going to stand up and pay attention, right?” said Austin Berglas, former head of the FBI New York Cyber Branch. Taking over an email account, rather than spoofing it, can be more effective in duping victims, said Berglas, currently global head of professional services at BlueVoyant, a cybersecurity services company.
This isn’t the first time that scammers have impersonated law enforcement to try to dupe their victims – though typically it doesn’t involve actual FBI email addresses.
In one incident last year, Russian-speaking hackers encrypted the phones of some people in Eastern Europe, accused them of possessing illicit pornographic material and claimed that their personal information had been forwarded to the FBI, according to researchers. The hackers demanded $500 to unlock the phones.
CNN’s Geneva Sands contributed to this report.