The FBI Created a Fake FedEx Website To Unmask a Cybercriminal

In an attempt to catch two cybercriminals, the FBI set up a fake FedEx website and created rigged Word documents, "both of which were designed to reveal the IP address of the fraudsters," reports Motherboard. From the report: The first case centers around Gorbel, a cranes and ergonomic lifting manufacturing company headquartered in Fishers, New York, according to court records. Here, the cybercriminals used a long, potentially confusing and official looking email address to pose as the company's CEO Brian Reh, and emailed the accounts team asking for payment for a new vendor. The fraudsters provided a W9 form of a particular company, and the finance department mailed a check for over $82,000. Gorbel noticed the fraudulent transaction, and brought in the FBI in July. Shortly after, Gorbel received other emails pretending to be Reh, asking for another transfer. This time, the finance department and FBI were ready. The FBI created a fake FedEx website and sent that to the target, in the hope it would capture the hacker's IP address, according to court records. The FBI even concocted a fake "Access Denied, This website does not allow proxy connections" page in order to entice the cybercriminal to connect from an identifiable address.

That FedEx unmasking attempt was not successful, it seems -- the cybercriminal checked the link from six different IP addresses, some including proxies -- and the FBI moved on to use a network investigative technique, or NIT, instead. NIT is an umbrella term the FBI uses for a variety of hacking approaches. The FBI attempted to locate the cybercriminals with a Word document containing an image that would connect to the FBI server and reveal the target's IP address, according to court records. The image was a screenshot of a FedEx tracking portal for a sent payment, the court records add. Motherboard also details the second case that occurred in August 2017, where a business in the Western District of New York received an email claiming to be from Invermar, a Chilean seafood vendor and one of the company's suppliers, according to court records: This email, posing as a known employee of Invermar, asked the victim to send funds to a new bank account. Whereas the legitimate Invermar domain ends with a .cl suffix, the hackers used one ending in .us. The business the hackers targeted apparently didn't notice the different suffix, and over the course of September and October wire transferred around $1.2 million to the cybercriminals, with the victim eventually able to recover $300,000 (the court documents don't specify how exactly, although a charge back seems likely). To determine where this criminal was located, the FBI also decided to deploy a NIT.

"The FBI will provide an email attachment to the victim which will be used to pose as a form to be filled out by the TARGET USER for future payment from the VICTIM," one court record reads. The NIT required the target to exit "protected mode," a setting in Microsoft Word that stops documents from connecting to the internet. The warrant application says the government does not believe it needs a warrant to send a target an embedded image, but out of an abundance of caution, added to the fact that the target will need to deliberately exit protected mode, the FBI applied for one anyway. Both NITs were designed to only obtain a target's IP address and User Agent String, according to the warrant applications. A User Agent String can reveal what operating system a target is using. Although signed by two different FBI Special Agents, both of the NIT warrant applications come out of the Cyber Squad, Buffalo Division, in Rochester, New York.

So the FBI can only catch idiots with poor OPSEC?

[Anonymous Coward]

And the only way they can identify someone is to try to trick them into identifying themselves?

As much as I think the FBI is of questionable competence, I can't help but feel that there are other options to unmask someone committing crimes like these, and that this disclosure of techniques is designed to create a false sense of security. They want you to underestimate them, so that one of the techniques that they don't publicly blab about gets you.

Re: So the FBI can only catch idiots with poor OPS

[Anonymous Coward]

Seems like they could just follow the money... How did these companies pay that the FBI can't go to the receiving bamk and figure out who they are ??

Re:

[Anonymous Coward]

They did. Checks were going to some woman in Kentucky who would take them to a bank the criminal had accounts with and wired the money to Australia. The stupid woman didn't know his real name and believed the guy was in the military stationed in Afghanistan.

Re:

[AHuxley]

A home computer to modem to a consumer ISP has the one IP. MAC too :)

Re:

[gweihir]

The MAC does not help you a lot though. Also, it can be changed easily in many circumstances. I demonstrated this a while a while ago for a customer by putting a socketed flash chip on a network card. More visually impressive than the alternatives and I had a slow weekend. But in many cards you can just change the MAC purely in software.

Re: So the FBI can only catch idiots with poor OPS

[Anonymous Coward]

I haven't seen a nic with an unchangeable MAC since the 90s.

Re:

[AHuxley]

The US gov likes the MAC.
OAKSTAR https://theintercept.com/2018/... [theintercept.com]
"... known as a MAC address, a March 29, 2013 NSA memo"

Re: So the FBI can only catch idiots with poor OPS

[javaman235]

We all do, which begs the question, if this worked, why is it being posted here? Why do we need operational details on a sting against financial scammers?

They only have to screw up once

[raymorris]

The thing about opsec is you only have to screw up once. They tried getting the bad guy to connect without using a proxy, uaing the error message. The bad guy maintained opsec and didn't fall for it. So then they tried the next thing. If the bad guy didn't fall for that, the FBI would go to the next approach.

Re:They only have to screw up once

[AHuxley]

Re "next approach". They keep the powerful tools off the net as much as possible.
Cant have consumer AV discovering and reporting back on gov pushed software in the wild.

Re:

[rickb928]

Oh, you just send agents to the vendor explaining what it was, and they find a way to avoid interfering with 'legitimate' law enforcement.

Because, simply, someday they will call for help also.

Re:

[AHuxley]

Go full Magic Lantern software https://en.wikipedia.org/wiki/... [wikipedia.org]

Re:

[Lonewolf666]

Arguably the bad guy continuing at all after the fake proxy request was bad OPSEC by itself. Detecting a trap should tell you that there is probably some police agency out to catch you.

Re:

[rickb928]

"there is probably some police agency out to catch you."

There is ALWAYS some police agency out to catch you. In this sort of crime, they are usually unable to actually catch you. You rush off the failed attempts and keep on.

This is excellent, however, if these articles discourage all but the very best to try.

Re:

[gl4ss]

well.. that and.. well.. pretty sure you would need a warrant to commit copyright, trademark etc fraud.

Re:

[rickb928]

Don't read much real news, do you? The FBI is righteous in this example, but not so much in others.

Nonetheless, perfect is the enemy of good.

This website does not allow proxy connections?

[h33t l4x0r]

That is some weak sauce right there, FBI.

Re:This website does not allow proxy connections?

[AlanObject]

That is some weak sauce right there, FBI.

What seems weak to me are the procedures used in the accounting departments of the companies that get scammed. These tricks being used should not work in the first place. Seriously, is nobody paying attention?

Re:

[Solandri]

What seems weak to me are the procedures used in the accounting departments of the companies that get scammed. These tricks being used should not work in the first place. Seriously, is nobody paying attention?

You seem to think these social engineering attempts are once in a blue moon things. When I was doing the accounting at a business, I got several of these every week. Some of them even came via snail mail (made up to look like a recurring monthly bill). Even if you're careful enough to catch 99.9% of

Re:

[account_deleted]

Comment removed based on user account deletion

Route by to not from

[AlanObject]

What I do, as I have my own domain, is to use a specific email per vendor

This should be a standard feature of every e-mail reader and web-based e-mail service regardless if the e-mail holder has their own domain. Even though I control my own infrastructure it is just a bit too much work for me so I don't do this for most accounts, but the advantage is obvious.

There used to be a quasi-standard where you could have an e-mail address john.doe+ebay@anydomain.com and mail agents would route by ignoring the + to the @ sign, but too many agents don't support it.

Re: This website does not allow proxy connections?

[Nidi62]

Get a bill from a regular supplier with a different payment location? Call them with the phone number you have on file (not the one in the email), to confirm the new details. Will stop that phishing right there.

Re:

[rickb928]

I work for a financial company. a big one, and some of our clients complain bitterly about how difficult it is to change things like bank information.

They ought to get a copy of this article. We have reasons why we make it not difficult, but accurate.

Re:This website does not allow proxy connections?

[Gravis Zero]

That is some weak sauce right there, FBI.

It's not stupid if it works. Social engineering is simply hacking a human instead of hacking computer program.

Re:

[rtb61]

I don't understand why they did not just put a tracker in the envelope with the cheque. How about a, call the police cheque, you know FBI, chat with the banks, do some fancy cheque number fiddles and when certain number cheques turn up to be cashed, call the police and FBI (the number sequence can be quite complex, computers can handle the alert). How about a little less, doughnut arse cyber sleuthing and a little more get off your ass policing.

Re:

[pnutjam]

up thread someone indicated they did track the check, but it was going to an ignorant mule.

Bad link

[azcoyote]

Um, first link seems to be wrong?

Re:

[93 Escort Wagon]

Um, first link seems to be wrong?

Careful! Now they're trying to locate YOU!

Great!

[nnull]

Although I admire the FBI's attempt to try to catch these guys as I've been hit by these fraudsters trying to pose as me or my accountants, emailing customers with invoices that look legitimate as mine and my people internally. But the FBI's technique was rather weak and exposes a huge weakness in a lot of corporate environments. A lot of these places have no way to check the legitimacy and will pay right away. This is a bigger problem than people realize.

Re:

[John Jorsett]

Think about it. If you were the FBI would you announce your best investigative techniques to the world? These are likely obsolete methods or even ones that they've considered but never used because they have better ones.

Question

[kqc7011]

Did Gorbel ever think of picking up a phone, calling a known person at the other company asking if and where should the money be sent?

Summary?

[rickb928]

The summary link claiming to be about the article, " FBI set up a fake FedEx website and created rigged Word document", goes somewhere entirely unrelated.

When did that happen?

Wrong Article link.

[AdamD1]

The actual link to the motherboard story is this one:

https://motherboard.vice.com/e... [vice.com]

This post links to a totally different article.

Pay accountants more?

[omfglearntoplay]

Maybe if they paid their accountants more, or hired more of them so they weren't overwhelmed, less companies would be losing money to criminals.