FBI Faked Up A FedEx Website To Track Down A Scam Artist

from the phishing-for-fraudsters dept

Trust no one. The DEA impersonates medical board investigators. Police pretend to be people's friends. FBI agents pretend to be journalists. And, in this case, federal investigators pretended they could help an alleged scammer trace a FedExed payment. Joseph Cox of Motherboard has more details, taken from recently unsealed FBI warrant applications.

The two 2017 search warrant applications discovered by Motherboard both deal with a scam where cybercriminals trick a victim company into sending a large amount of funds to the scammers, who are pretending to be someone the company can trust. The search warrants show that, in an attempt to catch these cybercriminals, the FBI set up a fake FedEx website in one case and also created rigged Word documents, both of which were designed to reveal the IP address of the fraudsters. The cases were unsealed in October.

The warrant application [PDF] in one case seeks permission to use an NIT (Network Investigative Technique) to expose identifying information about a targeted device/computer. This warrant request -- relying on recent changes to jurisdictional limitations -- says the NIT deployment was necessary because the FedEx impersonation failed to obtain usable IP address info thanks to the target's use of a VPN to access the impersonated site.

On July 25, 2017, FBI Buffalo, Rochester Resident Agency purchased the domain www.fedextrackingportal.com and developed the website www.fedextrackingportal.com/apps/us-en/tracking.php?action=track&trackingnumber=731246AF7684. The website was created with the message "Access Denied, This website does not allow proxy connections" error message when accessed. The website was created to capture the basic server communication information, such as IP address, date and time stamp, and user string, when the website was accessed. No malware or computer exploit was deployed in the development of the website; the only information captured in the webserver logs was unencrypted basic network traffic data identified above.

The IP addresses captured by this ruse traced back to ExpressVPN, which is what necessitated the technique described in this warrant application: a malicious email attachment.

The deployment of the NIT will occur through email communications with the TARGET USER, with consent from the victim company, Gorbel, and the Accounts Payable manager Belt. The FBI will provide an email attachment to the victim which will be used to pose as a screen shot of the FedEx tracking portal for the sent payment. The FBI anticipates the target user, and only the target user, will receive the email and attachment after logging in and checking emails. The subject will download the attachment which will deploy a technique designed to identify basic information of the TARGET location. [...] For the email attachment approach, the FBI will use a document with an embedded image requiring the computer to navigate outside the proxy service in order to access the embedded item.

A second warrant application dug up by Motherboard details pretty much the same process: an NIT deployed via email attachment to force the target to relinquish identifying info like IP addresses and device information. The twist in the second application is that the malicious embed (an image contained in a Word document) would require the recipient to turn off "Protected Mode" to open the attachment. Simply harvesting info from an end user is one thing. Having them perform an action on their end to give the government access to their computer is another. "In an abundance of caution," the FBI requested a warrant, even though the application makes it clear the FBI believes it shouldn't need a warrant to force targeted devices to give up potentially-identifying info.
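The warrant applications above describe a document whose embedded image makes the recipient's computer reach out to a server the investigators control, and note that Word's protected mode has to be disabled for that fetch to happen. From the defender's side, the same structure is what a mail gateway or analyst looks for. The following is an added example, not code from the article, Motherboard, or the warrant: a Python check that opens a .docx as the OOXML zip package it is and lists relationships marked TargetMode="External" that point at an HTTP(S) URL and are of a type Word resolves on open without a click (image, attached template, OLE object). The warrant does not say how the image was embedded; an external image relationship is one common mechanism, and this example assumes it. The sample document, the URL tracking.example.invalid and the function names are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship types Word resolves when the document is opened, not on a click
# (assumed set for this example, from how OOXML parts reference pictures,
# templates and OLE objects; hyperlinks are deliberately excluded).
AUTO_FETCH_TYPES = {"image", "attachedTemplate", "oleObject"}


def build_sample_docx(external_image_url=None):
    """Constructed sample: a minimal .docx package with an optional picture
    sourced from an external URL. Not a document from the case."""
    rels = ['<Relationships xmlns="%s">' % REL_NS]
    if external_image_url:
        rels.append(
            '<Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
            'Target="%s" TargetMode="External"/>' % external_image_url
        )
    # A hyperlink is also "External" but is only followed if the user clicks it,
    # so the scanner below must not report it as a beacon.
    rels.append(
        '<Relationship Id="rId2" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="https://www.example.com/" TargetMode="External"/>'
    )
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


def find_remote_beacons(docx_bytes):
    """Return (package part, relationship type, URL) for every external http(s)
    relationship of an auto-fetched type, across all .rels parts in the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if target.lower().startswith(("http://", "https://")) and rel_type in AUTO_FETCH_TYPES:
                    findings.append((name, rel_type, target))
    return findings


if __name__ == "__main__":
    print("clean document:", find_remote_beacons(build_sample_docx()))
    print("document with remote image:",
          find_remote_beacons(build_sample_docx("https://tracking.example.invalid/portal.png")))
```

Scanning attachments this way at the gateway catches the outbound fetch regardless of whether a user later disables protected mode; the check is structural, so it does not depend on the remote server being reachable. It does not cover every way a document can reference remote content (a field such as INCLUDEPICTURE in document.xml is another), so in practice it is one rule among several rather than a complete test.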

The impersonation of FedEx may be novel, but the FBI's use of NITs began well before its extrajurisdictional searches were codified by Rule 41 changes. NITs have been in the FBI's toolkit for most of this decade. Here's a 2012 application and returned warrant showing the FBI using an NIT to obtain IP addresses and device info to locate a wanted felon using an email address the agency believed belonged to the target.

The FBI's impersonation of people, places, and things is likely just as widespread, even if the rules (very loosely) governing this investigative technique suggest it shouldn't be. FedEx may have questions about the FBI's use of its name to obtain IP addresses from criminal suspects, but so far, it hasn't commented on the news. What's seen in these applications suggests some care is being taken to avoid sweeping up innocent internet users, but there's only so much that can be implied from this very small sampling of federal investigative activity.


Filed Under: doj, fake website, fbi, impersonation, nit, phishing, warrant
Companies: fedex


Reader Comments



  1. Cunning Punster, 29 Nov 2018 @ 8:20am (flagged by the community)

    Why don't you NIT-pick FBI false statements to FISA re Trump?

    FBI knew that the "Steele dossier" was paid-for fabrication by political opponent Hillary Clinton, but falsely and illegally omitted that when took it for approval.


  2. Cunning Punster, 29 Nov 2018 @ 8:22am (flagged by the community)

    Re: Why don't you NIT-pick FBI false statements to FISA re Trump?

    (THIS TIME PIECED UP BECAUSE BLOCKED WHEN WHOLE!)

    FBI knew that the "Steele dossier" was paid-for fabrication by political opponent Hillary Clinton, but falsely and illegally omitted that when took it for approval.

    But all Techdirt worries about is small stuff. -- Take another snipe at the "jurisdiction" bit changed by Court Rule 41 too, which would have allowed known downloaders of child pornography to escape. Just give up on that, kids, your mania for thereby promoting child porn doesn't help your cred.


    What's with the release times today? New strategy or just haven't got enough ready? Even though you could glance at Drudge Report and tackle Facebook, Google, Twitter getting criticized, or Torrent Freak to report on the massive Australian or Indian blocking of pirate sites?


  3. Cunning Punster, 29 Nov 2018 @ 8:24am (flagged by the community)

    Re: Re: Why don't you NIT-pick FBI false statements to FISA re Trump?

    Yup, went through with not a word changed, after tried half dozen times with it whole. -- So, the mighty Techdirt filters are just plain annoying and wacky! Not effective.


  4. Gary (profile), 29 Nov 2018 @ 8:31am

    Steele

    Hey thanks for the spam, everything is flagged and will be hidden in a few minutes.
    Your comments are repetitive and irrelevant. But they are now copyrighted property of TD.
    Bringing up the Steele dossier being paid for by whom? Not really relevant if it contained useful information, is it?


  5. Anonymous Coward, 29 Nov 2018 @ 8:34am

    Re effective

    You know what else is not effective: your continuous whining and attempts to derail the discussion.


  6. Gwiz (profile), 29 Nov 2018 @ 9:11am

    Re:

    Now you are spewing whataboutisms.

    Aren't you the one who whines about "fanboys being off-topic"?

    Hypocrite.


  7. Anonymous Coward, 29 Nov 2018 @ 9:39am

    Does FedEx have a legal case here? I'd imagine they would....


  8. Mason Wheeler (profile), 29 Nov 2018 @ 9:55am

    Trust no one.

    Yeah, this is generally good advice for criminals. Good to see the FBI is staying a step ahead of them.


  9. Anonymous Coward, 29 Nov 2018 @ 3:12pm

    Re: Re: Why don't you NIT-pick FBI false statements to FISA re Trump?

    Donny’s still not gonna touch it.


  10. Anonymous Coward, 29 Nov 2018 @ 3:15pm

    Re: Why don't you go lie somewhere else?

    Are you capable of telling the truth?


  11. OGquaker, 29 Nov 2018 @ 6:19pm

    F.B.I. Whoued a thought?

    In the last half of 2011 a dozen paper checks, all delivered by FedX, went out on 'Green Party Of California' WtF bank accounts, all for $1,000 plus and all to people that never knew there was a GPCA. With care and biting my lip, I had to inform people across the US that their Christmas bonus from the Green Party was fraudulent :(

    By 2012, FedX was delivering our WellsFargo paper checks to the Fullerton Police department and a half-dozen Greens of some renown showed up at WtF headquarters in SF to close out our 20+ year 'relationship'. Fortuitously, my wife, not a signatory, had numbers in her head on all seven bank accounts, or the A-hole bank would have profited from the FedX B.S.


  12. OGquaker, 29 Nov 2018 @ 6:30pm

    P.S.

    Banks lie. Cops lie. It's part of their 'Job Description'.


  13. Peet Swickles, 29 Nov 2018 @ 7:10pm

    This has been put up at...

    "Forum-Economics-Law-Politics"


  14. Peet Swickles, 29 Nov 2018 @ 7:11pm (flagged by the community)

    Re: This has been put up at...

    Pirate Mike warns scam artists at Suprbay!

    Yes, he's back there TODAY in "Forum-Economics-Law-Politics" with his first post since Sep 12, presumably because vital need-to-know alert for pirates. -- Indeed, one mentions a mysterious email from Fedex.

    https://pirates-forum.org/Thread-FBI-Faked-Up-A-FedEx-Website-To-Track-Down-A-Scam-Artist


    Had to piece up with an innocuous lead again! We'll see if this goes...


  15. Peet Swickles, 29 Nov 2018 @ 7:14pm (flagged by the community)

    Re: Re: This has been put up at...

    Yup, worked okay without any changes, but as a first post, no go six times! Explain that, Techdirt.

    Just makes for another HOOT.

    Probably Masnick more desperate for readers than ever now, so AGAIN trying Suprbay. And I caught him at it same day, heh, heh.


  16. Anonymous Coward, 30 Nov 2018 @ 8:37am

    Re: Re: Re:

    out_of_the_blue absolutely detests it when due process is enforced.

