Slashdot Mirror
The FBI Created a Fake FedEx Website To Unmask a Cybercriminal (9to5mac.com)
In an attempt to catch two cybercriminals, the FBI set up a fake FedEx website and created rigged Word documents, "both of which were designed to reveal the IP address of the fraudsters," reports Motherboard. From the report: The first case centers around Gorbel, a cranes and ergonomic lifting manufacturing company headquartered in Fishers, New York, according to court records. Here, the cybercriminals used a long, potentially confusing and official looking email address to pose as the company's CEO Brian Reh, and emailed the accounts team asking for payment for a new vendor. The fraudsters provided a W9 form of a particular company, and the finance department mailed a check for over $82,000. Gorbel noticed the fraudulent transaction, and brought in the FBI in July. Shortly after, Gorbel received other emails pretending to be Reh, asking for another transfer. This time, the finance department and FBI were ready. The FBI created a fake FedEx website and sent that to the target, in the hope it would capture the hacker's IP address, according to court records. The FBI even concocted a fake "Access Denied, This website does not allow proxy connections" page in order to entice the cybercriminal to connect from an identifiable address.
That FedEx unmasking attempt was not successful, it seems -- the cybercriminal checked the link from six different IP addresses, some including proxies -- and the FBI moved on to use a network investigative technique, or NIT, instead. NIT is an umbrella term the FBI uses for a variety of hacking approaches. The FBI attempted to locate the cybercriminals with a Word document containing an image that would connect to the FBI server and reveal the target's IP address, according to court records. The image was a screenshot of a FedEx tracking portal for a sent payment, the court records add. Motherboard also details the second case that occurred in August 2017, where a business in the Western District of New York received an email claiming to be from Invermar, a Chilean seafood vendor and one of the company's suppliers, according to court records: This email, posing as a known employee of Invermar, asked the victim to send funds to a new bank account. Whereas the legitimate Invermar domain ends with a .cl suffix, the hackers used one ending in .us. The business the hackers targeted apparently didn't notice the different suffix, and over the course of September and October wire transferred around $1.2 million to the cybercriminals, with the victim eventually able to recover $300,000 (the court documents don't specify how exactly, although a charge back seems likely). To determine where this criminal was located, the FBI also decided to deploy a NIT.
"The FBI will provide an email attachment to the victim which will be used to pose as a form to be filled out by the TARGET USER for future payment from the VICTIM," one court record reads. The NIT required the target to exit "protected mode," a setting in Microsoft Word that stops documents from connecting to the internet. The warrant application says the government does not believe it needs a warrant to send a target an embedded image, but out of an abundance of caution, added to the fact that the target will need to deliberately exit protected mode, the FBI applied for one anyway. Both NITs were designed to only obtain a target's IP address and User Agent String, according to the warrant applications. A User Agent String can reveal what operating system a target is using. Although signed by two different FBI Special Agents, both of the NIT warrant applications come out of the Cyber Squad, Buffalo Division, in Rochester, New York.
That FedEx unmasking attempt was not successful, it seems -- the cybercriminal checked the link from six different IP addresses, some including proxies -- and the FBI moved on to use a network investigative technique, or NIT, instead. NIT is an umbrella term the FBI uses for a variety of hacking approaches. The FBI attempted to locate the cybercriminals with a Word document containing an image that would connect to the FBI server and reveal the target's IP address, according to court records. The image was a screenshot of a FedEx tracking portal for a sent payment, the court records add. Motherboard also details the second case that occurred in August 2017, where a business in the Western District of New York received an email claiming to be from Invermar, a Chilean seafood vendor and one of the company's suppliers, according to court records: This email, posing as a known employee of Invermar, asked the victim to send funds to a new bank account. Whereas the legitimate Invermar domain ends with a .cl suffix, the hackers used one ending in .us. The business the hackers targeted apparently didn't notice the different suffix, and over the course of September and October wire transferred around $1.2 million to the cybercriminals, with the victim eventually able to recover $300,000 (the court documents don't specify how exactly, although a charge back seems likely). To determine where this criminal was located, the FBI also decided to deploy a NIT.
"The FBI will provide an email attachment to the victim which will be used to pose as a form to be filled out by the TARGET USER for future payment from the VICTIM," one court record reads. The NIT required the target to exit "protected mode," a setting in Microsoft Word that stops documents from connecting to the internet. The warrant application says the government does not believe it needs a warrant to send a target an embedded image, but out of an abundance of caution, added to the fact that the target will need to deliberately exit protected mode, the FBI applied for one anyway. Both NITs were designed to only obtain a target's IP address and User Agent String, according to the warrant applications. A User Agent String can reveal what operating system a target is using. Although signed by two different FBI Special Agents, both of the NIT warrant applications come out of the Cyber Squad, Buffalo Division, in Rochester, New York.
And the only way they can identify someone is to try to trick them into identifying themselves?
As much as I think the FBI is of questionable competence, I can't help but feel that there are other options to unmask someone committing crimes like these, and that this disclosure of techniques is designed to create a false sense of security. They want you to underestimate them, so that one of the techniques that they don't publicly blab about gets you.
Seems like they could just follow the money... How did these companies pay that the FBI can't go to the receiving bamk and figure out who they are ??
A home computer to modem to a consumer ISP has the one IP. MAC too :)
Domestic spying is now "Benign Information Gathering"
I question your "reading competence"
It shows you what kind of devious scum the FBI are out to catch. Good on them for trying the 'easy' ways first. I hope in both cases that they get the perps and put them away for a long, long time.
"A User Agent String can reveal what operating system a target is using." I tend to doubt they go by that.
That is some weak sauce right there, FBI.
Um, first link seems to be wrong?
Incipiamus, fratres, servire Domino Deo, quia hucusque vix vel parum in nullo profecimus.
The MAC does not help you a lot though. Also, it can be changed easily in many circumstances. I demonstrated this a while a while ago for a customer by putting a socketed flash chip on a network card. More visually impressive than the alternatives and I had a slow weekend. But in many cards you can just change the MAC purely in software.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Did you mean 'reading comprehension'? Might want to try to brush up on it yourself.
The thing about opsec is you only have to screw up once. They tried getting the bad guy to connect without using a proxy, uaing the error message. The bad guy maintained opsec and didn't fall for it. So then they tried the next thing. If the bad guy didn't fall for that, the FBI would go to the next approach.
Actually no, I meant "reading competence" so it would be connotative of reading comprehension but still riff off you calling into question the FBI's competence based on the poor wording of some dumb article. That's all, idiot.
I haven't seen a nic with an unchangeable MAC since the 90s.
They did. Checks were going to some woman in Kentucky who would take them to a bank the criminal had accounts with and wired the money to Australia. The stupid woman didn't know his real name and believed the guy was in the military stationed in Afghanistan.
The FBI doesn't catch *anyone*. They only catch people who are handed to them by other people. I've dealt with their computer crime labs on several occasions, and they are simply not set up to catch or prosecute *anyone*, only to hand off information to others and try to take credit for the work.
The US gov likes the MAC.
OAKSTAR https://theintercept.com/2018/...
"... known as a MAC address, a March 29, 2013 NSA memo"
Domestic spying is now "Benign Information Gathering"
But then this is the FBI, they haven't worked under the law for decades
We all do, which begs the question, if this worked, why is it being posted here? Why do we need operational details on a sting against financial scammers?
-The art of programming is the pursuit of absolute simplicity.
I suppose that depends on who posted it. The FBI? Doubtful. More likely someone who wants to expose their techniques and give future criminals a heads-up on what to watch out for.
well.. that and.. well.. pretty sure you would need a warrant to commit copyright, trademark etc fraud.
world was created 5 seconds before this post as it is.
Once again the terrible "Editors" at slashdot dont even bother to directly link to the article they are supposedly "reporting" on.
https://motherboard.vice.com/en_us/article/d3b3xk/the-fbi-created-a-fake-fedex-website-to-unmask-a-cybercriminal
Terrible editors, but who's surprised anymore?
That FedEx unmasking attempt was not successful ...
Will the FBI remind us again that encryption back-doors will protect us: I keep forgetting.
Counter-intel guys have been doing this for years in Eve Online. Goonswarm's guy was particularly good at it. Maybe he went to the FBI after he retired his Eve game.
Although I admire the FBI's attempt to try to catch these guys as I've been hit by these fraudsters trying to pose as me or my accountants, emailing customers with invoices that look legitimate as mine and my people internally. But the FBI's technique was rather weak and exposes a huge weakness in a lot of corporate environments. A lot of these places have no way to check the legitimacy and will pay right away. This is a bigger problem than people realize.
https://www.youtube.com/watch?v=hkDD03yeLnU
"This email, posing as a known employee of Invermar,"
So an e-mail was posing as a person. Okay...
You meant to say "This email, FROM AN INDIVIDUAL posing as a known employee".
Fucking cretins.
Nazi homosexual recruiter RAY MORRIS pushing debunked Nazi propaganda even after corrected, #ROPE
You're the bully.
Did Gorbel ever think of picking up a phone, calling a known person at the other company asking if and where should the money be sent?
Passionately Indifferent
...it'd be great if Outlook & other email clients checked incoming & outgoing email addresses against the accounts' address book & flagged any new addresses. Who knows, it might inform employees when they're about to send large amounts of money to criminals?
How much did this cost vs how much was the criminal costing the general public?
And the only way they can identify someone is to try to trick them into identifying themselves?
As much as I think the FBI is of questionable competence, I can't help but feel that there are other options to unmask someone committing crimes like these, and that this disclosure of techniques is designed to create a false sense of security. They want you to underestimate them, so that one of the techniques that they don't publicly blab about gets you.
I wouldn't question anything, and you shouldn't too unless you are one of those who work in the bureau. I have no idea how their work culture is. I have no idea what evidence they need in order to ensure that they can use it in the court. I have no idea what limitation that they can and cannot do. Of course, I can assume what they should do. However, assumption does not always make things practical in real life. The only place it works is in movies. So I expect people to try to understand why they did it their way instead of assume and become a SJW.
The FBI doesn't catch *anyone*. They only catch people who are handed to them by other people. I've dealt with their computer crime labs on several occasions, and they are simply not set up to catch or prosecute *anyone*, only to hand off information to others and try to take credit for the work.
If you give a credible info that can be used as evidence in an arrest (using their brain), then you should be credited for the work. The people who arrest the guy simply do their job by flexing their muscle. What's wrong with that?
Don't read much real news, do you? The FBI is righteous in this example, but not so much in others.
Nonetheless, perfect is the enemy of good.
deleting the extra space after periods so i can stay relevant, yeah.
The summary link claiming to be about the article, " FBI set up a fake FedEx website and created rigged Word document", goes somewhere entirely unrelated.
When did that happen?
deleting the extra space after periods so i can stay relevant, yeah.
The actual link to the motherboard story is this one:
https://motherboard.vice.com/e...
This post links to a totally different article.
Because I can! [Brainrub.com]
gweihir KNEW u IMPERSONATE me https://it.slashdot.org/commen... c6gunner proves it https://linux.slashdot.org/com... & forgot to SUBMIT AC & used his registered 'lusrname' (he tried to mock me both BEFORE & after I FAIRLY challenged him to show he's done better work - he had ZERO).
I'd never "cry victim" to ne'er-do-wells (TROLLS, not all /.ers) either.
U EVEN HELPED ME https://science.slashdot.org/c... (& then realizing it you quit trying to make me look bad via what you thought were lies on hosts as "ME" IN YOUR IMPERSONATIONS of me e.g. https://tech.slashdot.org/comm... on speculative execution attack: Hosts PREVENT 'EM, joke's on you)
APK
P.S.=> 2nd to last link's KILLING U THAT U HELPED ME & got me to see if hosts stop portsmash/meltdown/spectre & yes - hosts WORK on 'em - U LOSE + FAIL a PORTFILTER TEST https://yro.slashdot.org/comme...
Time for me to be "that guy" and point out that Linux could have prevented this. No self-respecting "cybercriminal" hasn't heard of Tails and Kali. What a couple of amateurs, using Microsoft products and thinking they're untraceable. No wonder they got caught.
Wake me up when the FBI catches someone who actually knows what they're doing. Jesus Christ.
What I do, as I have my own domain, is to use a specific email per vendor
This should be a standard feature of every e-mail reader and web-based e-mail service regardless if the e-mail holder has their own domain. Even though I control my own infrastructure it is just a bit too much work for me so I don't do this for most accounts, but the advantage is obvious.
There used to be a quasi-standard where you could have an e-mail address john.doe+ebay@anydomain.com and mail agents would route by ignoring the + to the @ sign, but too many agents don't support it.
And Australia cooperate with the US (after filling in some forms and such) so they should still be able to follow the money by calling the Aussies.
Maybe if they paid their accountants more, or hired more of them so they weren't overwhelmed, less companies would be losing money to criminals.
Admittedly, seven proxies is hard to beat!
They probably use these simple techniques first, and then move on to more advanced stuff when the simple stuff doesn't work out.
You don't want to risk revealing your high-tech techniques by using them everywhere.