FBI Faked Up A FedEx Website To Track Down A Scam Artist
from the phishing-for-fraudsters dept
Trust no one. The DEA impersonates medical board investigators. Police pretend to be people's friends. FBI agents pretend to be journalists. And, in this case, federal investigators pretended they could help an alleged scammer trace a FedExed payment. Joseph Cox of Motherboard has more details, taken from recently unsealed FBI warrant applications.
The two 2017 search warrant applications discovered by Motherboard both deal with a scam where cybercriminals trick a victim company into sending a large amount of funds to the scammers, who are pretending to be someone the company can trust. The search warrants show that, in an attempt to catch these cybercriminals, the FBI set up a fake FedEx website in one case and also created rigged Word documents, both of which were designed to reveal the IP address of the fraudsters. The cases were unsealed in October.
The warrant application [PDF] in one case seeks permission to use an NIT (Network Investigative Technique) to expose identifying information about a targeted device. This warrant request -- relying on the recent Rule 41 changes that loosened the jurisdictional limits on remote searches -- says the NIT deployment was necessary because the FedEx impersonation failed to obtain a usable IP address: the target accessed the impersonated site through a VPN.
On July 25, 2017, FBI Buffalo, Rochester Resident Agency purchased the domain www.fedextrackingportal.com and developed the website www.fedextrackingportal.com/apps/us-en/tracking.php?action=track&trackingnumber=731246AF7684. The website was created to display the error message "Access Denied, This website does not allow proxy connections" when accessed. The website was created to capture the basic server communication information, such as IP address, date and time stamp, and user string, when the website was accessed. No malware or computer exploit was deployed in the development of the website; the only information captured in the webserver logs was the unencrypted basic network traffic data identified above.
The IP addresses trapped with this ruse traced back to ExpressVPN, necessitating the technique described in this warrant application: a malicious email attachment.
The deployment of the NIT will occur through email communications with the TARGET USER, with consent from the victim company, Gorbel, and the Accounts Payable manager Belt. The FBI will provide an email attachment to the victim which will be used to pose as a screen shot of the FedEx tracking portal for the sent payment. The FBI anticipates the target user, and only the target user, will receive the email and attachment after logging in and checking emails. The subject will download the attachment which will deploy a technique designed to identify basic information of the TARGET location. [...] For the email attachment approach, the FBI will use a document with an embedded image requiring the computer to navigate outside the proxy service in order to access the embedded item.
A second warrant application dug up by Motherboard details much the same process: an NIT deployed via email attachment to make the target's machine give up identifying info like IP addresses and device information. The twist in the second application is that the malicious embed (an image linked from inside a Word document) would require the recipient to turn off "Protected Mode" to open the attachment. (Word's Protected View opens files that arrived by email or download read-only and does not fetch linked content, so the beacon only fires once the user clicks through to enable editing.) Simply harvesting info from an end user is one thing. Having them perform an action on their end to give the government access to their computer is another. "In an abundance of caution," the FBI requested a warrant, even though the application makes it clear the FBI believes it shouldn't need one to make targeted devices give up potentially-identifying info.
The impersonation of FedEx may be novel, but the FBI's use of NITs began well before its extrajurisdictional searches were codified by Rule 41 changes. NITs have been in the FBI's toolkit for most of this decade. Here's a 2012 application and returned warrant showing the FBI using an NIT to obtain IP addresses and device info to locate a wanted felon using an email address the agency believed belonged to the target.
The FBI's impersonation of people, places, and things is likely just as widespread, even if the rules (very loosely) governing this investigative technique suggest it shouldn't be. FedEx may have questions about the FBI's use of its name to obtain IP addresses from criminal suspects, but so far, it hasn't commented on the news. What's seen in these applications suggests some care is being taken to avoid sweeping up innocent internet users, but there's only so much that can be implied from this very small sampling of federal investigative activity.
Filed Under: doj, fake website, fbi, impersonation, nit, phishing, warrant
Companies: fedex
Reader Comments
Why don't you NIT-pick FBI false statements to FISA re Trump?
FBI knew that the "Steele dossier" was paid-for fabrication by political opponent Hillary Clinton, but falsely and illegally omitted that when it took it for approval.
Re: Why don't you NIT-pick FBI false statements to FISA re Trump?
(THIS TIME PIECED UP BECAUSE BLOCKED WHEN WHOLE!)
FBI knew that the "Steele dossier" was paid-for fabrication by political opponent Hillary Clinton, but falsely and illegally omitted that when it took it for approval.
But all Techdirt worries about is small stuff. -- Take another snipe at the "jurisdiction" bit changed by Court Rule 41 too, which would have allowed known downloaders of child pornography to escape. Just give up on that, kids, your mania for thereby promoting child porn doesn't help your cred.
What's with the release times today? New strategy or just haven't got enough ready? Even though you could glance at Drudge Report and tackle Facebook, Google, Twitter getting criticized, or Torrent Freak to report on the massive Australian or Indian blocking of pirate sites?
Re:
Now you are spewing whataboutisms.
Aren't you the one who whines about "fanboys being off-topic"?
Hypocrite.
Steele
Your comments are repetitive and irrelevant. But they are now copyrighted property of TD.
Bringing up the Steele dossier being paid for by whom? Not really relevant if it contained useful information, is it?
Yeah, this is generally good advice for criminals. Good to see the FBI is staying a step ahead of them.
F.B.I. Who'd a thought?
By 2012, FedX was delivering our WellsFargo paper checks to the Fullerton Police department and a half-dozen Greens of some renown showed up at WtF headquarters in SF to close out our 20+ year 'relationship'. Fortuitously, my wife, not a signatory, had numbers in her head on all seven bank accounts, or the A-hole bank would have profited from the FedX B.S.
Re: This has been put up at...
Pirate Mike warns scam artists at Suprbay!
Yes, he's back there TODAY in "Forum-Economics-Law-Politics" with his first post since Sep 12, presumably because of a vital need-to-know alert for pirates. -- Indeed, one mentions a mysterious email from Fedex.
https://pirates-forum.org/Thread-FBI-Faked-Up-A-FedEx-Website-To-Track-Down-A-Scam-Artist
Had to piece up with an innocuous lead again! We'll see if this goes...
Re: Re: This has been put up at...
Just makes for another HOOT.
Probably Masnick more desperate for readers than ever now, so AGAIN trying Suprbay. And I caught him at it same day, heh, heh.