[Note: This item comes from reader Randall Head. DLH]
The FBI Created a Fake FedEx Website to Unmask a Cybercriminal
In an attempt to identify someone tricking a company into handing over cash, the FBI created a fake FedEx website and deployed booby-trapped Word documents to reveal fraudsters’ IP addresses.
By Joseph Cox
Nov 26 2018
The FBI has started deploying its own hacking techniques to identify financially driven cybercriminals, according to court documents unearthed by Motherboard. The news signals an expansion of the FBI’s use of tools usually reserved for cases such as child pornography and bomb threats. But it also ushers in a potential normalization of this technologically driven approach, as criminal suspects continually cover up their digital trail and law enforcement has to turn to more novel solutions.
The two 2017 search warrant applications discovered by Motherboard both deal with a scam where cybercriminals trick a victim company into sending a large amount of funds to the scammers, who are pretending to be someone the company can trust. The search warrants show that, in an attempt to catch these cybercriminals, the FBI set up a fake FedEx website in one case and also created rigged Word documents, both of which were designed to reveal the IP address of the fraudsters. The cases were unsealed in October.
“What kinds of criminals mask their location, and for what kinds of crimes? Child pornography, yes; violent threats, yes; but also organized-crime rings engaged in cybercrime. A business email compromise scam, like those at issue in these warrants, falls squarely in that camp,” Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, told Motherboard in an online chat after reviewing the documents.
The first case centers around Gorbel, a crane and ergonomic lifting equipment manufacturer headquartered in Fishers, New York, according to court records. Here, the cybercriminals used a long, potentially confusing and official-looking email address to pose as the company’s CEO Brian Reh, and emailed the accounts team asking for payment to a new vendor. The fraudsters provided a W-9 form for a particular company, and the finance department mailed a check for over $82,000. Gorbel noticed the fraudulent transaction and brought in the FBI in July. Shortly after, Gorbel received other emails pretending to be from Reh, asking for another transfer. This time, the finance department and the FBI were ready.
The FBI created a fake FedEx website and sent a link to it to the target, in the hope it would capture the hacker’s IP address, according to court records. The FBI even concocted a fake “Access Denied, This website does not allow proxy connections” page in order to entice the cybercriminal to connect from an identifiable address. (GoDaddy has since repossessed the domain, and the domain did briefly resolve to an IP address in Rochester, New York, where the FBI Special Agent writing the application is based, according to online records.)
It is not clear if the FBI sought permission from FedEx to digitally impersonate the company. FedEx did not respond to a request for comment, and the FBI did not provide a response to questions around the specific incident.
Notably, only one other domain has previously resolved to the same IP address as the fake FedEx page: a domain that alludes to a law firm. The site only existed for a short time, is offline at the time of writing, and seems to have a very small digital fingerprint. It appears this law firm domain may also be connected to the FBI.
That FedEx unmasking attempt was not successful, it seems: the cybercriminal checked the link from six different IP addresses, some of them proxies, and the FBI moved on to use a network investigative technique, or NIT, instead. NIT is an umbrella term the FBI uses for a variety of hacking approaches. Previous cases have used a Tor Browser exploit to break into a target’s computer and force it to connect to an FBI server, revealing the target’s real IP address. Other NITs have been somewhat less technically sophisticated, and included booby-trapped video or Word files that, once opened, ‘phone home’ to the FBI.
This new NIT falls into that latter category. The FBI attempted to locate the cybercriminals with a Word document containing an image hosted on an FBI server; opening the document would fetch the image from that server and so reveal the target’s IP address, according to court records. The image was a screenshot of a FedEx tracking portal for a sent payment, the court records add.
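The phone-home mechanism described above relies on a .docx referencing a picture by URL rather than embedding it, so the viewer's machine fetches the picture, and with it gives away its IP address, as soon as the document is rendered. The following is an added example, not code from the article or the court records: it builds such a canary document in memory and then runs the check a defender would want, listing every external relationship and INCLUDEPICTURE field in a .docx and flagging the ones Word resolves without any click. The beacon URL and the document content are constructed for the example; the real FBI server address is not in the records.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional
from xml.sax.saxutils import escape

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types Word resolves while rendering, with no user interaction.
# A "hyperlink" relationship is external too, but only fires on click.
AUTO_FETCH_TYPES = {"image", "oleObject", "attachedTemplate", "subDocument", "frame"}
FIELD_RE = re.compile(r'INCLUDEPICTURE\s+"([^"]+)"')

# Hypothetical beacon URL (assumption for this example, not from the court records).
BEACON_URL = "http://tracking.example.invalid/fedex_receipt.png"


def build_docx(image_url: Optional[str] = BEACON_URL) -> bytes:
    """Build a minimal .docx in memory (constructed sample for this example).

    With image_url set, the document's only picture is an external relationship
    (TargetMode="External", referenced via a:blip r:link), so Word fetches it from
    image_url when the document is opened. With image_url=None there is no picture.
    """
    doc_rel = drawing = ""
    if image_url:
        doc_rel = ('<Relationship Id="rId1" Type="' + REL_TYPE_BASE + 'image" Target="'
                   + escape(image_url, {'"': "&quot;"}) + '" TargetMode="External"/>')
        drawing = (
            '<w:p><w:r><w:drawing><wp:inline><wp:extent cx="3000000" cy="1500000"/>'
            '<wp:docPr id="1" name="FedEx receipt"/><a:graphic><a:graphicData '
            'uri="http://schemas.openxmlformats.org/drawingml/2006/picture"><pic:pic>'
            '<pic:nvPicPr><pic:cNvPr id="1" name="receipt.png"/><pic:cNvPicPr/></pic:nvPicPr>'
            '<pic:blipFill><a:blip r:link="rId1"/><a:stretch><a:fillRect/></a:stretch></pic:blipFill>'
            '<pic:spPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="3000000" cy="1500000"/></a:xfrm>'
            '<a:prstGeom prst="rect"><a:avLst/></a:prstGeom></pic:spPr></pic:pic>'
            '</a:graphicData></a:graphic></wp:inline></w:drawing></w:r></w:p>')
    xml_decl = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    parts = {
        "[Content_Types].xml": xml_decl +
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
            'officedocument.wordprocessingml.document.main+xml"/></Types>',
        "_rels/.rels": xml_decl + '<Relationships xmlns="' + REL_NS + '"><Relationship Id="rId1" '
            'Type="' + REL_TYPE_BASE + 'officeDocument" Target="word/document.xml"/></Relationships>',
        "word/document.xml": xml_decl +
            '<w:document xmlns:w="' + W_NS + '" xmlns:r="' + REL_TYPE_BASE.rstrip("/") + '" '
            'xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" '
            'xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" '
            'xmlns:pic="http://schemas.openxmlformats.org/drawingml/2006/picture"><w:body>'
            '<w:p><w:r><w:t>FedEx payment tracking receipt</w:t></w:r></w:p>'
            + drawing + '</w:body></w:document>',
        "word/_rels/document.xml.rels": xml_decl +
            '<Relationships xmlns="' + REL_NS + '">' + doc_rel + '</Relationships>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


def find_external_targets(docx_bytes: bytes) -> list:
    """(rels part, relationship type, target) for every TargetMode="External" relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(zf.read(name)).iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rtype, rel.get("Target", "")))
    return found


def find_includepicture(docx_bytes: bytes) -> list:
    """URLs named in INCLUDEPICTURE field codes, another way a document can fetch a remote image."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                root = ET.fromstring(zf.read(name))
                # Field codes may be split across several instrText runs; join them in order.
                code = "".join(e.text or "" for e in root.iter("{%s}instrText" % W_NS))
                urls.extend(FIELD_RE.findall(code))
    return urls


def beacon_urls(docx_bytes: bytes) -> list:
    """Targets the viewer's machine would contact just by opening the document."""
    auto = [t for _, rtype, t in find_external_targets(docx_bytes) if rtype in AUTO_FETCH_TYPES]
    return auto + find_includepicture(docx_bytes)


if __name__ == "__main__":
    canary = build_docx()
    print("external relationships:", find_external_targets(canary))
    print("fetched on open:", beacon_urls(canary))
    print("clean document:", beacon_urls(build_docx(None)))
```

Running the file prints the one external image relationship in `word/_rels/document.xml.rels` for the canary document and nothing for the clean one. The same check applies to any attachment regardless of who planted the beacon: a document that needs no macro and no exploit to reveal the opener's address is exactly the kind of file the article describes, and Word's Protected View or an egress policy that blocks Office processes from reaching unknown hosts is what stops it from succeeding.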
In the second case found by Motherboard, in August 2017, a business in the Western District of New York received an email claiming to be from Invermar, a Chilean seafood vendor and one of the company’s suppliers, according to court records. This email, posing as a known employee of Invermar, asked the victim to send funds to a new bank account. Whereas the legitimate Invermar domain ends with a .cl suffix, the hackers used one ending in .us. The business the hackers targeted apparently didn’t notice the different suffix, and over the course of September and October wire-transferred around $1.2 million to the cybercriminals, with the victim eventually able to recover $300,000 (the court documents don’t specify exactly how, although a chargeback seems likely).