Legal Issues

by Tim Cushing

Filed Under: doj, fake website, fbi, impersonation, nit, phishing, warrant
Companies: fedex

FBI Faked Up A FedEx Website To Track Down A Scam Artist

from the phishing-for-fraudsters dept

Trust no one. The DEA impersonates medical board investigators. Police pretend to be people's friends. FBI agents pretend to be journalists. And, in this case, federal investigators pretended they could help an alleged scammer trace a FedExed payment. Joseph Cox of Motherboard has more details, taken from recently unsealed FBI warrant applications.

The two 2017 search warrant applications discovered by Motherboard both deal with a scam where cybercriminals trick a victim company into sending a large amount of funds to the scammers, who are pretending to be someone the company can trust. The search warrants show that, in an attempt to catch these cybercriminals, the FBI set up a fake FedEx website in one case and also created rigged Word documents, both of which were designed to reveal the IP address of the fraudsters. The cases were unsealed in October.

The warrant application [PDF] in one case seeks permission to use an NIT (Network Investigative Technique) to expose identifying information about a targeted device/computer. This warrant request -- relying on recent changes to jurisdictional limitations -- says the NIT deployment was necessary because the FedEx impersonation failed to obtain usable IP address info thanks to the target's use of a VPN to access the impersonated site.

On July 25, 2017, FBI Buffalo, Rochester Resident Agency purchased the domain www.fedextrackingportal.com and developed the website www.fedextrackingportal.com/apps/us-en/tracking.php?action=track&trackingnumber=731246AF7684. The website was created with the message "Access Denied, This website does not allow proxy connections" error message when accessed. The website was created to capture the basic server communication information, such as IP Address, date and time stamp, and user string when the website was accessed. No malware or computer exploit was deployed in the development of the website; the only information captured in the webserver logs was unencrypted basic network traffic data identified above.

The IP addresses trapped with this ruse traced back to ExpressVPN, necessitating the technique described in this warrant application: a malicious email attachment.

The deployment of the NIT will occur through email communications with the TARGET USER, with consent from the victim company, Gorbel, and the Accounts Payable manager Belt. The FBI will provide an email attachment to the victim which will be used to pose as a screen shot of the FedEx tracking portal for the sent payment. The FBI anticipates the target user, and only the target user, will receive the email and attachment after logging in and checking emails. The subject will download the attachment which will deploy a technique designed to identify basic information of the TARGET location. [...] For the email attachment approach, the FBI will use a document with an embedded image requiring the computer to navigate outside the proxy service in order to access the embedded item.

A second warrant application dug up by Motherboard details pretty much the same process: an NIT deployed via email attachment to force the target to relinquish identifying info like IP addresses and device information. The twist in the second application is that the malicious embed (an image contained in a Word document) would require the recipient to turn off "Protected Mode" to open the attachment. Simply harvesting info from an end user is one thing. Having them perform an action on their end to give the government access to their computer is another. "In an abundance of caution," the FBI requested a warrant, even though the application makes it clear the FBI believes it shouldn't need a warrant to force targeted devices to give up potentially-identifying info.
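The beacon described in both applications relies on a linked, rather than embedded, image: the Word file carries a relationship whose target is a URL, and Word fetches it when the document is rendered outside Protected View. The following is an added example, written for this page and not taken from the warrant applications, the FBI, or Microsoft, showing how an accounts-payable team or a mail gateway could inspect an attachment for such external targets before anyone clicks "Enable Editing". It scans only the package's relationship parts (the drawing element in document.xml that would reference the relationship is omitted as a simplification), and the sample document and the URL tracking.example.invalid are constructed placeholders.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# OOXML package-relationships namespace (used by every *.rels part) and the
# relationship type Word uses for pictures.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"


def find_external_targets(docx_bytes):
    """Scan every .rels part in an OOXML package and return the relationships
    that point at an http(s) URL with TargetMode="External".

    A linked (not embedded) image is stored this way. Word resolves the URL
    when the document is rendered, which is what turns a document into a
    beacon; Protected View blocks that fetch, so an attachment that insists on
    leaving Protected View is exactly the one to run this check on first.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and re.match(r"(?i)^https?://", target):
                    hits.append({
                        "part": name,
                        "id": rel.get("Id"),
                        # Last path segment of the Type URI, e.g. "image" or "hyperlink".
                        "kind": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": target,
                    })
    return hits


def build_sample_docx(image_url=None):
    """Build a minimal, constructed .docx in memory (not a real sample).

    With image_url=None the package holds only text; with a URL it adds a
    linked-image relationship of the kind find_external_targets() reports.
    """
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        "</Types>"
    )
    root_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        "</Relationships>"
    )
    doc_rels = f'<Relationships xmlns="{REL_NS}">'
    if image_url is not None:
        # This is the relationship a linked picture leaves behind: the target is
        # a URL, and TargetMode="External" tells Word to fetch it at render time.
        doc_rels += (f'<Relationship Id="rId1" Type="{IMAGE_REL}" '
                     f'Target="{image_url}" TargetMode="External"/>')
    doc_rels += "</Relationships>"
    body = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>Payment tracking (constructed sample)</w:t></w:r></w:p></w:body>"
        "</w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", content_types)
        pkg.writestr("_rels/.rels", root_rels)
        pkg.writestr("word/document.xml", body)
        pkg.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed placeholder URL; nothing here is fetched, only inspected.
    clean = build_sample_docx()
    linked = build_sample_docx("https://tracking.example.invalid/status.png")
    print("clean document:", find_external_targets(clean))
    print("linked-image document:", find_external_targets(linked))
```

Any hit whose kind is "image" means the document will make an outbound request the moment it is opened with editing enabled, which is the behaviour the second application depends on. Hyperlinks also show up as external relationships but are only followed on a click, so a gateway policy would typically alert on images and other auto-loaded kinds and merely log hyperlinks.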

The impersonation of FedEx may be novel, but the FBI's use of NITs began well before its extrajurisdictional searches were codified by Rule 41 changes. NITs have been in the FBI's toolkit for most of this decade. Here's a 2012 application and returned warrant showing the FBI using an NIT to obtain IP addresses and device info to locate a wanted felon using an email address the agency believed belonged to the target.

The FBI's impersonation of people, places, and things is likely just as widespread, even if the rules (very loosely) governing this investigative technique suggest it shouldn't be. FedEx may have questions about the FBI's use of its name to obtain IP addresses from criminal suspects, but so far, it hasn't commented on the news. What's seen in these applications suggests some care is being taken to avoid sweeping up innocent internet users, but there's only so much that can be implied from this very small sampling of federal investigative activity.


Reader Comments

  • Cunning Punster, 29 Nov 2018 @ 8:20am

    Why don't you NIT-pick FBI false statements to FISA re Trump?

    FBI knew that the "Steele dossier" was paid-for fabrication by political opponent Hillary Clinton, but falsely and illegally omitted that when took it for approval.


    • Cunning Punster, 29 Nov 2018 @ 8:22am

      Re: Why don't you NIT-pick FBI false statements to FISA re Trump?

      (THIS TIME PIECED UP BECAUSE BLOCKED WHEN WHOLE!)

      FBI knew that the "Steele dossier" was paid-for fabrication by political opponent Hillary Clinton, but falsely and illegally omitted that when took it for approval.

      But all Techdirt worries about is small stuff. -- Take another snipe at the "jurisdiction" bit changed by Court Rule 41 too, which would have allowed known downloaders of child pornography to escape. Just give up on that, kids, your mania for thereby promoting child porn doesn't help your cred.


      What's with the release times today? New strategy or just haven't got enough ready? Even though you could glance at Drudge Report and tackle Facebook, Google, Twitter getting criticized, or Torrent Freak to report on the massive Australian or Indian blocking of pirate sites?


      • Cunning Punster, 29 Nov 2018 @ 8:24am

        Re: Re: Why don't you NIT-pick FBI false statements to FISA re Trump?

        Yup, went through with not a word changed, after tried half dozen times with it whole. -- So, the mighty Techdirt filters are just plain annoying and wacky! Not effective.


      • Anonymous Coward, 29 Nov 2018 @ 3:12pm

        Re: Re: Why don't you NIT-pick FBI false statements to FISA re Trump?

        Donny’s still not gonna touch it.


    • Gwiz (profile), 29 Nov 2018 @ 9:11am

      Re:

      Now you are spewing whataboutisms.

      Aren't you the one who whines about "fanboys being off-topic"?

      Hypocrite.


    • Anonymous Coward, 29 Nov 2018 @ 3:15pm

      Re: Why don't you go lie somewhere else?

      Are you capable of telling the truth?


  • Gary (profile), 29 Nov 2018 @ 8:31am

    Steele

    Hey thanks for the spam, everything is flagged and will be hidden in a few minutes.
    Your comments are repetitive and irrelevant. But they are now copyrighted property of TD.
    Bringing up the Steele dossier being paid for whom? Not really relevant if it contained useful information, isn't it?


  • Anonymous Coward, 29 Nov 2018 @ 9:39am

    Does FedEx have a legal case here? I'd imagine they would....


  • Mason Wheeler (profile), 29 Nov 2018 @ 9:55am

    Trust no one.

    Yeah, this is generally good advice for criminals. Good to see the FBI is staying a step ahead of them.


  • OGquaker, 29 Nov 2018 @ 6:19pm

    F.B.I. Whoued a thought?

    In the last half of 2011 a dozen paper checks, all delivered by FedX, went out on 'Green Party Of California' WtF bank accounts, all for $1,000 plus and all to people that never knew there was a GPCA. With care and biting my lip, I had to inform people across the US that their Christmas bonus from the Green Party was fraudulent :(

    By 2012, FedX was delivering our WellsFargo paper checks to the Fullerton Police department and a half-dozen Greens of some renown showed up at WtF headquarters in SF to close out our 20+ year 'relationship'. Fortuitously, my wife, not a signatory, had numbers in her head on all seven bank accounts, or the A-hole bank would have profited from the FedX B.S.


  • OGquaker, 29 Nov 2018 @ 6:30pm

    P.S.

    Banks lie. Cops lie. It's part of their 'Job Description'.


  • Peet Swickles, 29 Nov 2018 @ 7:10pm

    This has been put up at...

    "Forum-Economics-Law-Politics"


    • Peet Swickles, 29 Nov 2018 @ 7:11pm

      Re: This has been put up at...

      Pirate Mike warns scam artists at Suprbay!

      Yes, he's back there TODAY in "Forum-Economics-Law-Politics" with his first post since Sep 12, presumably because vital need-to-know alert for pirates. -- Indeed, one mentions a mysterious email from Fedex.

      https://pirates-forum.org/Thread-FBI-Faked-Up-A-FedEx-Website-To-Track-Down-A-Scam-Artist


      Had to piece up with an innocuous lead again! We'll see if this goes...


      • Peet Swickles, 29 Nov 2018 @ 7:14pm

        Re: Re: This has been put up at...

        Yup, worked okay without any changes, but as a first post, no go six times! Explain that, Techdirt.

        Just makes for another HOOT.

        Probably Masnick more desperate for readers than ever now, so AGAIN trying Suprbay. And I caught him at it same day, heh, heh.
