FBI Faked Up A FedEx Website To Track Down A Scam Artist

from the phishing-for-fraudsters dept

Trust no one. The DEA impersonates medical board investigators. Police pretend to be people’s friends. FBI agents pretend to be journalists. And, in this case, federal investigators pretended they could help an alleged scammer trace a FedExed payment. Joseph Cox of Motherboard has more details, taken from recently unsealed FBI warrant applications.

The two 2017 search warrant applications discovered by Motherboard both deal with a scam where cybercriminals trick a victim company into sending a large amount of funds to the scammers, who are pretending to be someone the company can trust. The search warrants show that, in an attempt to catch these cybercriminals, the FBI set up a fake FedEx website in one case and also created rigged Word documents, both of which were designed to reveal the IP address of the fraudsters. The cases were unsealed in October.

The warrant application [PDF] in one case seeks permission to use an NIT (Network Investigative Technique) to expose identifying information about a targeted device/computer. This warrant request — relying on recent changes to jurisdictional limitations — says the NIT deployment was necessary because the FedEx impersonation failed to obtain usable IP address info thanks to the target’s use of a VPN to access the impersonated site.

On July 25, 2017, FBI Buffalo, Rochester Resident Agency purchased the domain www.fedextrackingportal.com and developed the website www.fedextrackingportal.com/apps/us-en/tracking.php?action=track&trackingnumber=731246AF7684. The website was created to display an “Access Denied, This website does not allow proxy connections” error message when accessed. The website was created to capture the basic server communication information, such as IP address, date and time stamp, and user string, when the website was accessed. No malware or computer exploit was deployed in the development of the website; the only information captured in the webserver logs was unencrypted basic network traffic data identified above.

The IP addresses trapped with this ruse traced back to ExpressVPN, necessitating the technique described in this warrant application: a malicious email attachment.

The deployment of the NIT will occur through email communications with the TARGET USER, with consent from the victim company, Gorbel, and the Accounts Payable manager Belt. The FBI will provide an email attachment to the victim which will be used to pose as a screen shot of the FedEx tracking portal for the sent payment. The FBI anticipates the target user, and only the target user, will receive the email and attachment after logging in and checking emails. The subject will download the attachment which will deploy a technique designed to identify basic information of the TARGET location. […] For the email attachment approach, the FBI will use a document with an embedded image requiring the computer to navigate outside the proxy service in order to access the embedded item.

A second warrant application dug up by Motherboard details pretty much the same process: an NIT deployed via email attachment to force the target to relinquish identifying info like IP addresses and device information. The twist in the second application is that the malicious embed (an image contained in a Word document) would require the recipient to turn off “Protected Mode” to open the attachment. Simply harvesting info from an end user is one thing. Having them perform an action on their end to give the government access to their computer is another. “In an abundance of caution,” the FBI requested a warrant, even though the application makes it clear the FBI believes it shouldn’t need a warrant to force targeted devices to give up potentially-identifying info.
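The two applications above describe a document whose embedded image is fetched from a remote server when the file is opened. In OOXML that is visible statically as a relationship with `TargetMode="External"`, which is what a mail gateway or analyst can look for before anyone opens the file. The scanner below is an added example, not code from the article or from the FBI filings; the sample .docx is constructed in memory and the URL is a placeholder.

```python
"""Flag Word documents whose relationship parts point at external resources.
Added example (not the article's or the FBI's code); sample .docx built inline."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
             "relationships/image")

def external_targets(docx_bytes: bytes) -> List[Tuple[str, str]]:
    """(short relationship type, target) for every External relationship
    in any .rels part of the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") == "External":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((kind, rel.get("Target", "")))
    return found

def has_remote_image(docx_bytes: bytes) -> bool:
    """True when an image relationship resolves over HTTP(S): opening the file
    makes the viewer connect out to fetch the picture (the pattern quoted above)."""
    return any(kind == "image" and target.lower().startswith(("http://", "https://"))
               for kind, target in external_targets(docx_bytes))

def build_sample(image_target: Optional[str] = None) -> bytes:
    """Construct a minimal .docx. With image_target set the picture is linked
    externally; otherwise it is embedded. Only the .rels part matters to the
    scanner, so the document body is a stub."""
    if image_target:
        rel = ('<Relationship Id="rId1" Type="%s" Target="%s" '
               'TargetMode="External"/>' % (IMAGE_REL, image_target))
    else:
        rel = '<Relationship Id="rId1" Type="%s" Target="media/image1.png"/>' % IMAGE_REL
    rels = '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, rel)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")  # stub body
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/media/image1.png", b"\x89PNG placeholder")
    return buf.getvalue()
```

Protected View, which the second application notes the recipient would have to turn off, is the client-side control that stops the fetch; this check lets you catch the file before it reaches a user who might do that.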

The impersonation of FedEx may be novel, but the FBI’s use of NITs began well before its extrajurisdictional searches were codified by Rule 41 changes. NITs have been in the FBI’s toolkit for most of this decade. Here’s a 2012 application and returned warrant showing the FBI using an NIT to obtain IP addresses and device info to locate a wanted felon using an email address the agency believed belonged to the target.

The FBI’s impersonation of people, places, and things is likely just as widespread, even if the rules (very loosely) governing this investigative technique suggest it shouldn’t be. FedEx may have questions about the FBI’s use of its name to obtain IP addresses from criminal suspects, but so far, it hasn’t commented on the news. What’s seen in these applications suggests some care is being taken to avoid sweeping up innocent internet users, but there’s only so much that can be implied from this very small sampling of federal investigative activity.


Comments on “FBI Faked Up A FedEx Website To Track Down A Scam Artist”

Cunning Punster says:

Re: Why don't you NIT-pick FBI false statements to FISA re Trump?


FBI knew that the "Steele dossier" was paid-for fabrication by political opponent Hillary Clinton, but falsely and illegally omitted that when they took it for approval.

But all Techdirt worries about is small stuff. — Take another snipe at the "jurisdiction" bit changed by Court Rule 41 too, which would have allowed known downloaders of child pornography to escape. Just give up on that, kids, your mania for thereby promoting child porn doesn’t help your cred.

What’s with the release times today? New strategy or just haven’t got enough ready? Even though you could glance at Drudge Report and tackle Facebook, Google, Twitter getting criticized, or Torrent Freak to report on the massive Australian or Indian blocking of pirate sites?

OGquaker says:

F.B.I. Who’d a thought?

In the last half of 2011 a dozen paper checks, all delivered by FedX, went out on ‘Green Party Of California’ WtF bank accounts, all for $1,000 plus and all to people that never knew there was a GPCA. With care and biting my lip, I had to inform people across the US that their Christmas bonus from the Green Party was fraudulent :(

By 2012, FedX was delivering our WellsFargo paper checks to the Fullerton Police department and a half-dozen Greens of some renown showed up at WtF headquarters in SF to close out our 20+ year ‘relationship’. Fortuitously, my wife, not a signatory, had numbers in her head on all seven bank accounts, or the A-hole bank would have profited from the FedX B.S.

Peet Swickles says:

Re: This has been put up at...

Pirate Mike warns scam artists at Suprbay!

Yes, he’s back there TODAY in "Forum-Economics-Law-Politics" with his first post since Sep 12, presumably because of a vital need-to-know alert for pirates. — Indeed, one mentions a mysterious email from Fedex.


Had to piece up with an innocuous lead again! We’ll see if this goes…
