With online criminals becoming more adept at covering up their digital tracks it’s not much surprise to hear that law enforcement agencies are using some novel techniques to help them reveal crooks’ true identities.
As Joseph Cox of Motherboard reports, recently revealed court documents show the FBI using tricks that you might normally see being deployed by the very people it is trying to catch.
In one case dating from mid-2017, the finance team at Gorbel, a New York-based crane manufacturing company, received an email pretending to be from the company’s CEO Brian Reh, asking for US $82,570 to be paid to a new supplier.
Can we set up a payment to a new vendor today? Thanks, Brian
Margaret Belt, the member of Gorbel’s finance team who had received the email, replied saying that she could assist but needed more information. The fake CEO responded:
See attached W9 and invoice for vendor details, Please have check made out to HOLDINGS for $82,570.00 and have it sent by overnight mail. Payment is for professional service, Charge this to Admin Dept and email me with tracking# once check is mailed out.
Nobody suspected anything was amiss, and a cashier’s check was duly issued and cashed.
The following month the company’s CFO identified that a fraudulent transaction had taken place and informed the FBI, who examined the email correspondence.
Just days later, Margaret Belt received another email posing as the company CEO, this time asking for US $138,580 to be paid to a new vendor.
By now, of course, Margaret knew that she was dealing with a scammer – and kept the fraudster waiting for days claiming that the printer used to produce the checks was broken, and that a new part had been ordered.
The fraudster was understandably feeling frustrated:
Do you have an update regarding payment? I believe the printer should be fixed by now. Please advise.
The truth was, of course, that the printer wasn’t broken. But behind the scenes the FBI had bought the domain name www.fedextrackingportal.com, and created a website designed to capture visiting computers’ IP addresses, and other basic information about the browser being used to access it.
Margaret duly responded to the fake CEO, saying that the payment had been made and providing what appeared to be a FedEx tracking link.
Sneakily, the fake FedEx website built by the FBI displayed a message designed to discourage any visitor from covering their tracks:
“Access Denied, This website does not allow proxy connections”
What was clever about that is that it didn’t need to actually detect the usage of a VPN or proxy; it just needed to convince whoever was visiting that they really should disable any such cloaking if they wanted to see the webpage.
The fake FedEx tracking link created by the FBI was visited by six unique IP addresses within a 24-hour period, resolving to multiple countries, domestic areas and ISPs, with one resolving to a known VPN service.
The FBI’s conclusion was that sadly the fraudster had not been duped into revealing their computer’s true IP address and that they were only likely to open links and emails after accessing a proxy or VPN service.
The FBI was going to need a different technique to catch their fraudster.
The answer was to create a Word document containing an embedded image hosted on a server under the FBI’s control. Anyone trying to view the image in the Word document would be revealing their originating IP address and browser user-agent string to the server’s logs as the document ‘phoned home.’
The technique would only work if the target turned off “protected mode”, a Microsoft Word setting that prevents documents from accessing the internet – and even then they would still need to have disabled any VPN they might be using to mask themselves online.
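From the defender’s side, the useful question is how to tell whether a document will phone home before anyone opens it outside protected mode. A .docx file is a ZIP package, and a linked (rather than embedded) image is recorded in the package’s relationship files as a Relationship with TargetMode="External" pointing at a URL. The following is an added example, not code from the article or from the FBI: it builds a constructed sample .docx in memory containing one embedded image, one remote image and one ordinary hyperlink, then scans every .rels part and reports the external resources Word would fetch on its own when rendering. The placeholder tracker URL, the stub PNG bytes and the AUTO_FETCH_TYPES set (which relationship types count as auto-fetched) are assumptions made for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML package namespace and relationship type URIs used inside .docx files.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
IMAGE_REL = OFFICE_REL + "image"
HYPERLINK_REL = OFFICE_REL + "hyperlink"

# Assumption for this example: relationship types Word resolves without a click.
# A hyperlink is deliberately not in this set, since it only fires when clicked.
AUTO_FETCH_TYPES = {
    IMAGE_REL,
    OFFICE_REL + "oleObject",
    OFFICE_REL + "attachedTemplate",
}


def external_relationships(docx_bytes):
    """Return every relationship in the package whose TargetMode is External.

    Each entry is (rels_part, rel_id, rel_type, target). Parts stored inside the
    package (e.g. word/media/image1.png) carry no TargetMode and are skipped.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.findall("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    found.append((part, rel.get("Id"), rel.get("Type"), rel.get("Target")))
    return found


def beacon_candidates(docx_bytes):
    """Keep only the external relationships Word fetches automatically: these are
    the ones that disclose the reader's IP address and user agent to the remote
    server as soon as the document renders with protected mode turned off."""
    return [r for r in external_relationships(docx_bytes) if r[2] in AUTO_FETCH_TYPES]


def build_sample_docx(remote_image_url):
    """Constructed sample: a minimal .docx with one embedded image, one linked
    (remote) image and one ordinary hyperlink. Only the package structure matters
    for the scan, so the XML bodies are kept to the bare minimum."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="png" ContentType="image/png"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>'
    )
    root_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%sofficeDocument" Target="word/document.xml"/>'
        '</Relationships>' % (REL_NS, OFFICE_REL)
    )
    doc_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s" Target="media/image1.png"/>'
        '<Relationship Id="rId2" Type="%s" Target="%s" TargetMode="External"/>'
        '<Relationship Id="rId3" Type="%s" Target="https://example.invalid/" TargetMode="External"/>'
        '</Relationships>' % (REL_NS, IMAGE_REL, IMAGE_REL, remote_image_url, HYPERLINK_REL)
    )
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Invoice attached.</w:t></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n")  # constructed stub, not a real image
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL constructed for this example.
    sample = build_sample_docx("http://tracker.example.invalid/pixel.png")
    for part, rid, rtype, target in beacon_candidates(sample):
        print("auto-fetched external resource: %s (%s in %s)" % (target, rid, part))
```

Run against a real attachment, the scan reads only the package metadata and never resolves any of the URLs it finds, so it is safe to use on a mail gateway or sandbox before the document ever reaches Word. The hyperlink is reported by external_relationships but not by beacon_candidates, which is the distinction that matters here: a linked image fires on render, a hyperlink only on a click.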
Unfortunately we don’t know if this attempt to identify the fraudster worked, but what is clear is that law enforcement are prepared to use techniques normally adopted by scammers to identify online criminals.
What also isn’t clear is quite what FedEx feels about its brand being used to create yet more fake websites.
Brands that frequently find themselves at the centre of phishing scams often try to keep a close eye on fraudulent domains that pop up using variations of their name, in the hope of shutting them down before they do too much damage.
I wonder how complicated things might get when it’s the FBI rather than the fraudsters making the fake FedEx website.
To hear more discussion of this issue, be sure to check out this episode of the “Smashing Security” podcast.
Smashing Security #106: 'Google Maps, Fed phishing, and Grinch bots'
One comment on “When the FBI rather than the fraudsters make a fake FedEx website”
It seems to me that this could also cause innocent people to be wrongly accused of crimes. Even if it's unlikely the fact it could theoretically happen is the problem. In my mind this is bordering on not following Blackstone's formulation. Nothing new for law enforcement of course but it's really a shame. But there's more to this.
It sets a precedent and if they're willing to do this what else will they be willing to do? It could cause even more problems in ways that we can't even predict and possibly even if we knew how far they would go. First they write laws about computer crime and then they do the same thing – quite hypocritically. But state sponsored has serious implications. And now this? What will they do next? Malware suspected strongly to be created by states, governments breaking into other government computers… I wouldn't say that it's the same thing as MAD but yet who knows? Could it ever become that or something similar? I'd rather not find out but when governments behave similarly to criminals it certainly is more perilous (in numerous ways). That governments don't seem to be bothered with this is maybe the scariest part of it – for if they're not bothered i.e. doing what they want for their own reasons (and in some cases 'agenda' might be a better word) they're less concerned with the implications in the future. That's dangerous. But I imagine this is all contentious too and that's all the more reason it shouldn't be done but if it has to be considered then discussed. But how do you bring that up without notifying the criminals, some might ask? Well the only difference here is that it's more dubious; it's not a new tactic totally.
And yes I imagine that FedEx might have some issues with this name. Understandably too.