Slashdot Mirror

← Back to Stories (view on slashdot.org)

Feds Thwart Extortion Plot Against Best Buy

Posted by timothy on from the black-hat-size-extra-small dept.

hiero writes "From an article in the Star Tribune: 'Federal authorities said Tuesday they thwarted an extortion plot against Best Buy Co. Inc. by a man who sent the company an e-mail threatening to expose what he claimed were weaknesses in the retailer's computer system unless he was paid $2.5 million.' What's really interesting to me, though, is this paragraph further on in the article: 'The federal search warrant was obtained the morning of Oct. 24 and allowed the FBI, with Best Buy's cooperation, to use an Internet device known as an Internet Protocol Address Verifier. It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address. The response allowed investigators to identify Ray as the sender of the e-mail threats, according to the government.' Internet Protocol Address Verifier? Is this Carnivore in action?"

35 of 942 comments (clear)

  1. I think... by Anonymous Coward · · Score: 5, Funny

    I think it's called a return receipt :-D Probably was using Outlook which automagicly sends one when requested.

    Blogzine

    1. Re:I think... by 1u3hr · · Score: 5, Insightful
      Sorry but no is doesn't, I use outlook at work and i have to allow mine to return a reciept, if i cancel the request nothing is returned to the sender

      But if you reeive an HTML message that includes an IMG link to the senders' site, when Outlook displays the image (even if it's an invisble 1 pixel one) they have your IP. There are ways to block this, but it's on by default. Spammers use this to verify your address.

    2. Re:I think... by isorox · · Score: 5, Funny

      I do wonder about the sanity of our boss, who sends an all-employee email out (5 in the last two months) with a read receipt request. IIRC there's somewhere in the region of 20,000 employees.

  2. No Wonder by PoitNarf · · Score: 5, Funny

    That's what happens when you try to extort a big company using Outlook.

    --

    "0101100101? It's just jibberish. *looks in mirror, gasps* 1010011010@!? AHHHHHH!!"
  3. IP Address Verifier == web bug by morzel · · Score: 5, Interesting
    "Internet Protocol Address Verifier? Is this Carnivore in action?"
    Methinks that would be marketing speak for an HTML mail with a web bug (1x1 transparent pixel image loaded from remote server). If the 'villain' is using a mail program that displays HTML, his IP address is logged.

    --
    Okay... I'll do the stupid things first, then you shy people follow.
    [Zappa]
    1. Re:IP Address Verifier == web bug by orthogonal · · Score: 5, Interesting

      Methinks that would be marketing speak for an HTML mail with a web bug

      That's my guess too. If so, had the extortionist had his mail client set up like mine, he wouldn't have had his IP "verified".

      My client, actually, is the (rightfully) much maligned Microsoft Outlook, but I don't have a problem with web bugs, because my firewall only allows Outlook to connect to one address -- my domain's mail server -- and only to two ports at that address, ports 110 and 25.

      This means no web bugs or any referenced (as opposed to inlined) images are ever displayed. In the few cases where I actually want to see referenced images, this is a minor inconvenience, but it's more than offset by knowing that no spammer -- or corporation -- ever gets verification of my email address.

      For most mail, of course, it's not an issue. Important email rarely if ever contains referenced images; indeed I discourage anyone from sending me HTML-encoded email at all.

      And if I want to view a url included in an email, I just click on it, and Firebird (which is allowed to connect to any address, so long as it's to port 80) displays the url. If I really want to see an email in its full glory (and I never do), I can always save it and then open it in Firebird.

      --
      Opinions on the Twiddler2 hand-held keyboard?
    2. Re:IP Address Verifier == web bug by DrSkwid · · Score: 5, Insightful

      >if this is the case then this simply re-enforces my belief that criminals are some of the stupidest on the planet.

      clever criminals don't get caught so you don't hear about them

      FBI Files and COPS tend not to show you cases where the perpetrator outwitted the victims *and* the police *and* the FBI.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  4. Just a little "bug" in the mail, silly wabbit by Kwelstr · · Score: 5, Informative

    Easy does it. You don't need a big surveillance program, just add a bug to your email that "grabs" the reader's IP addy and voila!

    Easy does it, apply the KISS principle to life.

    --


    ~~~Please pass the salt, I hate unsalted MD5s :-/
    1. Re:Just a little "bug" in the mail, silly wabbit by wljones · · Score: 5, Informative

      Go to http://www.grc.com . It will probably give back the IP address of the caller along with an explanation of how anyone can do this. Steve Gibson goes on to say that anonymity is not easy on the Internet, and assuming your messages are anonymous is foolish.

  5. Well, ironic isn't it? by metlin · · Score: 5, Interesting

    One one hand, if a genuine white hat hacker finds an exploit in a network and told the owners about it, s/he finds himself ostracized for the actions, and is threatened with legalities.

    And on the other hand, what this guy tried to do was establish a "business relationship" -- notice that he did try to contact them first with the offer to help them:

    The e-mail also offered to establish an unspecified business relationship between the sender and Best Buy, adding: "Without your response, we are obligated to share the security hole with the public for their protection. As a result, Best Buy may experience a loss in business, thefts and lawsuits."

    Ofcourse, once he noticed he wasn't getting anywhere, he decided to resort to good ole' blackmail.

    Honestly, this was bound to happen some day or the other. When legitimate security people point out bugs and holes, they get treated like scum and are threatened with law suits. So whats the best thing to to? Threaten the companies with money. Even if 0.1% of the companies gave in, it still is a way of making money.

    Good, atleast this way companies will be more careful about protecting data.

    1. Re:Well, ironic isn't it? by UnknowingFool · · Score: 5, Insightful
      When legitimate security people point out bugs and holes, they get treated like scum and are threatened with law suits. So whats the best thing to to? Threaten the companies with money. Even if 0.1% of the companies gave in, it still is a way of making money

      Although the article is not very detailed in this aspect, his actions do not speak of someone trying to help BestBuy. Some of the info is not released due to security concerns and pending litigation but this seems more like a black mail scheme more than anything else. If he was serious about helping BestBuy, asking for money ($2.5 million) sent the wrong message because the mafia also used terms like "business relationship" and "offer they can't refuse" when shaking down people as well. Until we know more, all we know is that he said enough in his emails that BestBuy and government thought he was threatening.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
  6. Where is the line to be drawn? by etymxris · · Score: 5, Insightful

    Is it when he offered a "business relation" in exchange for fixing the problem? Or was it when he threatened to disclose the flaw? Or was it merely because he wanted money in return?

    Had he just disclosed the flaw, would he more or less a criminal, ethically and legally speaking? It seems that worse would have come if he had simply published the flaw right away.

    Was he justified in asking for compensation for his findings? If not, this seems to obligate us to "work for free" when discovering such a security problem.

    What do others here think?

  7. Carnivore? More like overreaction by bwalling · · Score: 5, Insightful

    They got a warrant BEFORE they used the program. Whatever the program did - read information from his PC or just return IP address - it was a valid, legal search. We should be considering this a victory for our rights. The only way I can see anyone complaining about this is if the warrant was improperly obtained, but it seems entirely reasonable to "search" the email address that has been attempting blackmail.

  8. What carnivore does. by Chrysophrase · · Score: 5, Informative

    Over here there is a Congressional Statement of what Carnivor "officialy" does, or is "allowed" to do. One paragraph of this statement:

    Carnivore is a very effective and discriminating special purpose electronic surveillance system. Carnivore is a filtering tool which the FBI has developed to carefully, precisely, and lawfully conduct electronic surveillance of electronic communications occurring over computer networks. In particular, it enables the FBI, in compliance with the Constitution and the Federal electronic surveillance laws, to properly conduct both full communications' content interceptions and pen register and trap and trace investigations to acquire addressing information.

    gives us the gist of it. So yes this very well be Carnivore in action.

    --
    "It usualy starts with some screaming. Afterwards there is much running around."
  9. Google appears to be stumped too by chronus22 · · Score: 5, Interesting

    This is the first time google has heard about it as well, apparently.

  10. Concerns about Best Buy by Anonymous Coward · · Score: 5, Interesting

    I'm much more concerned that their cash registers use WiFi without a lick of encryption... I read several stories a while back about people sitting out in the parking lot with sniffers, capturing credit card information...

  11. Re:Web bug (Handy for job application e-mails) by mosschops · · Score: 5, Informative

    You cant turn off HTML in M$ LookOut

    Oh yes you can - something I rely on to avoid spammers using the same trick!

    this dude dosent sound very clued up

    My thought exactly ;-)

  12. Re:Web bug (Handy for job application e-mails) by Rosco+P.+Coltrane · · Score: 5, Funny

    A top tip (tm) is to embed a web bug in a job aplication e-mail. Its interseting to watch your aplication being pushed around various departments and see who actually reads it.

    Yes, it's very interesting. For example, here's the log of all the machines who accessed my web bug when applied for a job at the DHS:

    frontdesk.dhs.gov
    hr.dhs.gov
    check.dhs.gov
    ch eck.ins.gov
    check.irs.org
    it.dhs.org
    counterter rorism.dhs.org
    legal.dhs.org
    submitsubpoena.aol. com
    bust.usmarshals.gov
    brb 2 secs, someone's at the door...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  13. If he had used spammer techniques.. by Karl+Prince · · Score: 5, Informative
    would they have caught him

    and few other ways of hiding yourself, as below

    1. Dedicated firewalled Linux Laptop with WLAN, and changing MAC
    2. WarDrive around for a unsecure internet connection.
    3. Use proxies from unsecured PC's, lists available from DBL providers, or you Email server logs.
    4. Setup up a web mail account, and send business proposal.
    5. WarDrive to other access poiunt for continuing dialog
    6. Travel around a bit to avoid setting a Wardrive pattern

    I would think this would be very difficult to trace without social engineering

    --

    mailto:EatSpamAndDie@princeweb.com
  14. Re:is carnivore bad? by Anonymous Coward · · Score: 5, Informative

    Is this Carnivore in action?

    No, it isn't. Like another poster said, this is really just a web bug. Carnivore is a sophisticated system for parsing billions of e-mails and flagging interesting things like threats against the President for analysts to examine, but has nothing to do with validating return addresses or anything like that.

    The only way to actually know that someone is actually receiving your e-mail at a particular location is to include a web bug that reports their IP address back to you, by opening a socket connection directly to something on a server you own (e.g. an image). So either include an image in the e-mail which is requested from your server, or include a trojan that "phones home" when they run it.

    It works. Try it the next time you want to see who's really spamming you. Just send a web bug to whatever the response address is they want you to contact, (you know, for your Nigerian money-laundering instructions), and then examine your server logs carefully to find out where they really are in the world. Of course, you could also send them a backdoor if you wanted, instead of just a beacon, but I would never countenance such uncivilized behavior :)

  15. This doesn't make sense by kmeson · · Score: 5, Insightful
    We are to believe that this guy is savvy enough to spoof his email headers so that his email address can't be traced, but not smart enough to turn off receipt verification and HTML rendering in his email program.

    You have to realize that we are getting our information about this incident from a NEWSPAPER, which the very least reliable source for technical topics. Remember this clueless newspaper article?

    I'd say we know little about what actually happened here.

  16. What are you supposed to do? by Anonymous Coward · · Score: 5, Interesting

    (Somewhat off-topic, but a related topic, honestly)

    About a month ago I discovered what could be deemed a weakness in a relatively popular online merchant's order status system, allowing anyone to view the order status for any order in the system just by changing an ID field in the URL. I often try changing such values in URLs like this for no real reason (a habit from designing my own web-based scripts), and I've never found an exploit until now.

    So with a simple perl script, it would be possible to download and parse the mailing address, shipping address, items ordered, amount paid, credit type (NOT credit card type or credit card number, thankfully) and other assorted information for any given order. After some brief checking, I determined there were over five million orders viewable in this manner, going back a few years.

    So what am I supposed to do? I have no interest in establishing a 'business relationship' with this online merchant, telling everyone how to do it seems like it would cause more harm than good, and I fear being ostracized or even litigated for 'hacking' if I tell the company, even if all I did was change a sequential, non-encrypted number in an URL.

    Or is the information accessible not a big deal to worry about?

  17. Wait until he actually received the payment ... by Anonymous Coward · · Score: 5, Funny

    Imagine his surprise when he received a $2.5 million Best Buy Gift Card in the mail. Doh!

  18. HTML bug by teddlesruss · · Score: 5, Interesting

    I imagine that yep, this person isn't savvy enough to not use html email, and they slipped a web bug into the email. Hell I'd try it just on the off chance, and it looks like it paid off for your Feds that time...

    I've had one case where a friend and I were writing a boobytrapped shell on a Linux box, to use as the login shell for a suspected system cracker, and he logged in, saw the new shell (which we hadn't quite installed yet) and RAN THE BLOODY THING FOR US! We got all the data we needed to track him down right there and then, phoned his ISP and got him shut off on the spot.

    So - yes, even the more savvy often do really really stupid things...

    --
    -- ted russ http://www.arach.net.au/~ted/mydynes/ http://www.arach.net.au/~ted/myblogs/
  19. Please Think Before Exposing Paranoia by reallocate · · Score: 5, Insightful

    This is not surveillance. This is just identifying the IP address of the recipient of email. Seems to me that's rather similar to using ping or whois. IP addresses and domain registrations are public, not private.

    It's also rather similar to your local mail carrier knowing where you live. Is that surveillance, too, or are you simply paranoid?

    If Best Buy had received the same threat via snail mail, and the FBI looked at the return address on the envelope, would you be screaming about surveillance?

    The Internet is not some mystical land that exists apart from reality and the law, contrary to the constant stream of silly /. posts that sxeem to believe otherwise. Get over it. The Internet is not special and people don't get a free pass because they use it for criminal behavior.

    Next time, please think bekore exposing yourself as a paranoid llon, OK?

    --
    -- Slashdot: When Public Access TV Says "No"
    1. Re:Please Think Before Exposing Paranoia by Glamdrlng · · Score: 5, Informative

      I disagree. If a private citizen were being extorted for 2.5 mil, the feds would be willing to get involved. It's when the script kiddy down the street is extorting the local cyber cafe for free coffee that the feds won't touch it. Last I checked, the loss had to be above $5000 for the feds to investigate computer crime. That was a couple years ago though, don't know what it is now.

      --

      Yes, my only tool is a hammer. And you're starting to look like a nail.
    2. Re:Please Think Before Exposing Paranoia by I8TheWorm · · Score: 5, Informative

      $5000 is still the low cutoff for felony theft... anything below is a misdimeanor and gets handled at the local level.

      --
      Saying Android is a family of phones is akin to saying Linux is a family of PCs.
  20. Re:U.S. government surveillance by Anonymous Coward · · Score: 5, Funny

    Somehow, this power accumulation and surveilance (sic) reminds me of Senator Palpatine. I just hope I'm wrong.

    Huh. It reminded me of Stalin and Beria and the NKVD, but you're right, better we should take our lessons from space opera than from history.

    In Imperial Coruscant, history takes lessons from YOU!

  21. Re:is carnivore bad? by Sivaram_Velauthapill · · Score: 5, Insightful

    Obviously you have never lived in a country that kills its OWN citizens. Obviously you haven't heard of the totalitarian regimes in Germany, USSR, and USA's close friends Saudi Arabia and Egypt. Obviously you haven't heard of the damage done to civil rights activists in the 60's by the FBI and the CIA. Obviously you have never been targetted by the police. Obviously you are not a minority man (particularly black) living in some parts of USA. Obviously you haven't heard of the infiltration of the FBI by organized criminals (particularly the Italian mafia in the 60's and 70's). Obviously you haven't heard of police fabricating information and jailing people. Obviously you haven't heard of the government cooking up bogus charges and jailing people. Obviously McCarthyism is not part of your collective mind. Obviously you haven't heard of John Ashcroft's recent decree to spy on antiwar activists. Obviously you believe the legal system represent justice....Obviously you underestimate the power of the goverment.

    So to answer your question, I would rather have some guy off the street spying on me than the goverment ANY DAY OF THE WEEK! There is something that you don't understand about the government--any government. Governments are far more powerful than 1000 people put together! They have immense power. The illusion of a legal system--which IS an illusion--does not change any of this. One just needs to look through the history of the government that you live under to see what I mean (I picked USA but you can pick any govt).

    Sivaram Velauthapillai

    --
    Sivaram Velauthapillai
    Seeking the meaning of life... @slashdot of all places ;)
  22. Re:If you break in to someone's system by quonsar · · Score: 5, Funny
    My house has many known security flaws. The largest would be the windows.

    hey! just like my computer!

    </obligatory karma whoring>

    --

    Sacred cows make the best burgers.

  23. Double Standard by delcielo · · Score: 5, Insightful

    We applaud the hackers who so cleverly get around protections on technology. We had our "Free Kevin Mitnick" and "Free Dmitry" campaigns.

    Here is a nice hack done for a good reason by the same law enforcement that is supposed to investigate and stop such crimes as extortion. And how do we react? Government spying! Conspiracy!

    Really. That's just not very reasonable on our part.

    --
    Hot Damn! It's the Soggy Bottom Boys!
  24. Re:What are you supposed to do? - options by silverbax · · Score: 5, Insightful

    I've actually run into this issue a few times. The action I've taken in the past pretty much directly relates to the severity of the security flaw. For example, I've seen URL hacks which allow you to grab another customer's credit card information, and then some which allow only address information.

    My rule of thumb is that if a piece of information can be obtained and tracked to a specific individual, it's dangerous. That's the rule I use in my work as well.

    When I decide the situation warrants it, I send a professional, formal email to the company ( also the web admin if there is one ), stating what I found, screenshots and leave it at that. Sometimes I will point out that I intended to place an order, but halted when I saw the issue. I also let the company know they may contact me if more information is needed.

    This is what has happened in the past following these emails:

    1. Almost all companies send me an email thanking me and letting me know the problem has been corrected, and it has been. Case closed.

    2. I get a nasty email from the company ( usually this is with SMALL operations) telling me to take my business elsewhere. At first I would attempt to politely explain the risk, but soon realized that some sites have no intention of listening to me, and gave up. In that case, I may notify the BBB or other organization just to get someone else on their tail. I don't have time to chase down other people's security holes, so the best I can hope for is to let others know.

    In any case, I always use the Enron rule: What if I later had to explain my actions to a grand jury?

  25. Re:However, a bug says: "you're being bugged" by petard · · Score: 5, Insightful

    The problem with an embedded image bug is that if the recipient views the source of the email -- and presumably this alleged extorter is a techie -- it's easy to spot such a bug, and so there's a real risk that including a bug would tip him off to the investigation.

    Only when you're doing mass mailings. If it's targeted, it is indistinguishable from a standard image... e.g.

    http://corporate.bestbuy.com/images/corporatelog o. jpg

    could be a web bug if you only send that URL to one person. The reason it's more obvious in mass mailings is because they require a unique identifier to have something to map back to the email address such that they can verify the address as live.

    --
    .sig: file not found
  26. Belongs on America's Dumbest by salesgeek · · Score: 5, Funny

    Here are three ways to get on America's Dumbest:

    1. Rob Taco Bell right after filling out job appication and interview. Be arrested when cops show up at your address on the application.

    2. Send extortion/blackmail emails using MS-Outlook from your normal ISP account. Be busted when FBI sends email using marketing tool like Neighborhood Email or eZine Manager. FBI is too embarassed to admit they used an e-newsletter tool and come up with the "ip address verifier" device.

    3. Shoplift naked. Be arrested when cop identifies the incredibly stupid butcher's meat chart tatoo when streaking through campus on a dare.

    4. Keep crack pipe, crack and lighter in glove box. Be arrested when you see a billboard advising "Drug checkpoint next exit" and begin throwing crack, lighter and pipe out the window while police are video taping looking for people throwing drugs and paraphanellia out the window.

    --
    -- $G
  27. Re:is carnivore bad? by macho · · Score: 5, Informative

    If you're looking for sources of information, Ward Churchill and Jim Vander Wall's book Agents of Repression: The F.B.I.s Secret Wars Against the Black Panther Party and the American Indian Movement (South End Press) is a good start. When large numbers of readers refused to believe the stuff they had written (even though it extensively referenced the FBI's own documents), they did a follow-up book that just reprinted the FBI material called The COINTELPRO Papers: Documents from the FBI's Secret Wars Against Dissent in the United States. Harder to disbelieve that, I guess.