The FBI Created a Fake FedEx Website To Unmask a Cybercriminal

In an attempt to catch two cybercriminals, the FBI set up a fake FedEx website and created rigged Word documents, "both of which were designed to reveal the IP address of the fraudsters," reports Motherboard. From the report: The first case centers around Gorbel, a cranes and ergonomic lifting manufacturing company headquartered in Fishers, New York, according to court records. Here, the cybercriminals used a long, potentially confusing and official looking email address to pose as the company's CEO Brian Reh, and emailed the accounts team asking for payment for a new vendor. The fraudsters provided a W9 form of a particular company, and the finance department mailed a check for over $82,000. Gorbel noticed the fraudulent transaction, and brought in the FBI in July. Shortly after, Gorbel received other emails pretending to be Reh, asking for another transfer. This time, the finance department and FBI were ready. The FBI created a fake FedEx website and sent that to the target, in the hope it would capture the hacker's IP address, according to court records. The FBI even concocted a fake "Access Denied, This website does not allow proxy connections" page in order to entice the cybercriminal to connect from an identifiable address.

That FedEx unmasking attempt was not successful, it seems -- the cybercriminal checked the link from six different IP addresses, some including proxies -- and the FBI moved on to use a network investigative technique, or NIT, instead. NIT is an umbrella term the FBI uses for a variety of hacking approaches. The FBI attempted to locate the cybercriminals with a Word document containing an image that would connect to the FBI server and reveal the target's IP address, according to court records. The image was a screenshot of a FedEx tracking portal for a sent payment, the court records add. Motherboard also details the second case that occurred in August 2017, where a business in the Western District of New York received an email claiming to be from Invermar, a Chilean seafood vendor and one of the company's suppliers, according to court records: This email, posing as a known employee of Invermar, asked the victim to send funds to a new bank account. Whereas the legitimate Invermar domain ends with a .cl suffix, the hackers used one ending in .us. The business the hackers targeted apparently didn't notice the different suffix, and over the course of September and October wire transferred around $1.2 million to the cybercriminals, with the victim eventually able to recover $300,000 (the court documents don't specify how exactly, although a charge back seems likely). To determine where this criminal was located, the FBI also decided to deploy a NIT.

"The FBI will provide an email attachment to the victim which will be used to pose as a form to be filled out by the TARGET USER for future payment from the VICTIM," one court record reads. The NIT required the target to exit "protected mode," a setting in Microsoft Word that stops documents from connecting to the internet. The warrant application says the government does not believe it needs a warrant to send a target an embedded image, but out of an abundance of caution, added to the fact that the target will need to deliberately exit protected mode, the FBI applied for one anyway. Both NITs were designed to only obtain a target's IP address and User Agent String, according to the warrant applications. A User Agent String can reveal what operating system a target is using. Although signed by two different FBI Special Agents, both of the NIT warrant applications come out of the Cyber Squad, Buffalo Division, in Rochester, New York.

So the FBI can only catch idiots with poor OPSEC?

And the only way they can identify someone is to try to trick them into identifying themselves?

As much as I think the FBI is of questionable competence, I can't help but feel that there are other options to unmask someone committing crimes like these, and that this disclosure of techniques is designed to create a false sense of security. They want you to underestimate them, so that one of the techniques that they don't publicly blab about gets you.

Re: So the FBI can only catch idiots with poor OPS

Seems like they could just follow the money... How did these companies pay that the FBI can't go to the receiving bamk and figure out who they are ??

Re:So the FBI can only catch idiots with poor OPSE

[AHuxley]

A home computer to modem to a consumer ISP has the one IP. MAC too :)

This website does not allow proxy connections?

[h33t+l4x0r]

That is some weak sauce right there, FBI.

Re:This website does not allow proxy connections?

[AlanObject]

That is some weak sauce right there, FBI.

What seems weak to me are the procedures used in the accounting departments of the companies that get scammed. These tricks being used should not work in the first place. Seriously, is nobody paying attention?

Re:This website does not allow proxy connections?

[Gravis+Zero]

That is some weak sauce right there, FBI.

It's not stupid if it works. Social engineering is simply hacking a human instead of hacking computer program.

Re:This website does not allow proxy connections?

[Solandri]

What seems weak to me are the procedures used in the accounting departments of the companies that get scammed. These tricks being used should not work in the first place. Seriously, is nobody paying attention?

You seem to think these social engineering attempts are once in a blue moon things. When I was doing the accounting at a business, I got several of these every week. Some of them even came via snail mail (made up to look like a recurring monthly bill). Even if you're careful enough to catch 99.9% of these, once every few years one of them manages to get through. Hopefully it's just a $100 subscription scam, not a multi-million dollar scam like in TFA.

For example, a friend got hit by ransomware on her work machine. She's not stupid, and she's very security conscientious (the moment she realized what was happening she knew she had to prevent other machines from being infected, so she immediately yanked her ethernet cable out of the wall - pulled the wires right out of the plug). How she got tricked was she gets monthly reports in Excel format emailed to her from each of the salesmen. That month, Frank's report happened to be late, so she sent him a reminder earlier in the day to send it. Just by pure chance, the ransomware sent her an email, with Frank as the spoofed sender, titled "Here's the monthly report you requested" and an attached Excel file. So of course she opened the attachment.

Another example. I bought something on eBay, and got the standard emails from eBay saying I'd won the bid on such and such item. About 30 minutes later I got an email saying there was a problem with my eBay order, and to please login for details and to resolve it. I clicked on the link, logged in, then realized what I'd just done. I immediately logged out, got on another computer, logged into my eBay account, and changed the password. Then I went back to that email, and sure enough although the email looked like a genuine notice from eBay, the included link went to some sort of phishing site made to look like eBay.

These phishing and social engineering attempts are not that sophisticated. They're just spammed to millions of people. Because if you send it to that many people, 99.9999% of them will immediately see that it's fake and wonder how anyone could be stupid enough to fall for it. But just by chance alone, it's going to look exactly like an email one of those persons is expecting, and they're going to click it thinking it's legit.

Re:This website does not allow proxy connections?

[rtb61]

I don't understand why they did not just put a tracker in the envelope with the cheque. How about a, call the police cheque, you know FBI, chat with the banks, do some fancy cheque number fiddles and when certain number cheques turn up to be cashed, call the police and FBI (the number sequence can be quite complex, computers can handle the alert). How about a little less, doughnut arse cyber sleuthing and a little more get off your ass policing.

Re: This website does not allow proxy connections?

[Nidi62]

Get a bill from a regular supplier with a different payment location? Call them with the phone number you have on file (not the one in the email), to confirm the new details. Will stop that phishing right there.

Re:This website does not allow proxy connections?

[pnutjam]

up thread someone indicated they did track the check, but it was going to an ignorant mule.

Re: This website does not allow proxy connections?

[rickb928]

I work for a financial company. a big one, and some of our clients complain bitterly about how difficult it is to change things like bank information.

They ought to get a copy of this article. We have reasons why we make it not difficult, but accurate.

Re:This website does not allow proxy connections?

[houghi]

What I do, as I have my own domain, is to use a specific email per vendor. I would use e.g. ebay.com@example.net
That way I will know that an email is actually from them. I will also know if they have sold my email or if they have been compromised.

In the case of ebay, they give the email to the vendors, so I started getting spam from them. That email account is now gone as well as my willingness to do business with them in any for or way.

I have cought some pretty nice scamming attempts that way. Just knowing it was not send to the right adress makes sure it is filtered out. So I sort on "to" more than on "from".

And again: Ebay have been the sole offenders after a few years,

Bad link

[azcoyote]

Um, first link seems to be wrong?

Re:Bad link

[93+Escort+Wagon]

Um, first link seems to be wrong?

Careful! Now they're trying to locate YOU!

Re:So the FBI can only catch idiots with poor OPSE

[gweihir]

The MAC does not help you a lot though. Also, it can be changed easily in many circumstances. I demonstrated this a while a while ago for a customer by putting a socketed flash chip on a network card. More visually impressive than the alternatives and I had a slow weekend. But in many cards you can just change the MAC purely in software.

They only have to screw up once

[raymorris]

The thing about opsec is you only have to screw up once. They tried getting the bad guy to connect without using a proxy, uaing the error message. The bad guy maintained opsec and didn't fall for it. So then they tried the next thing. If the bad guy didn't fall for that, the FBI would go to the next approach.

Re:They only have to screw up once

[AHuxley]

Re "next approach". They keep the powerful tools off the net as much as possible.
Cant have consumer AV discovering and reporting back on gov pushed software in the wild.

Re:They only have to screw up once

[Lonewolf666]

Arguably the bad guy continuing at all after the fake proxy request was bad OPSEC by itself. Detecting a trap should tell you that there is probably some police agency out to catch you.

Re:They only have to screw up once

[rickb928]

Oh, you just send agents to the vendor explaining what it was, and they find a way to avoid interfering with 'legitimate' law enforcement.

Because, simply, someday they will call for help also.

Re:They only have to screw up once

[rickb928]

"there is probably some police agency out to catch you."

There is ALWAYS some police agency out to catch you. In this sort of crime, they are usually unable to actually catch you. You rush off the failed attempts and keep on.

This is excellent, however, if these articles discourage all but the very best to try.

Re:They only have to screw up once

[AHuxley]

Go full Magic Lantern software https://en.wikipedia.org/wiki/...

Re: So the FBI can only catch idiots with poor OPS

I haven't seen a nic with an unchangeable MAC since the 90s.

Re: So the FBI can only catch idiots with poor OPS

They did. Checks were going to some woman in Kentucky who would take them to a bank the criminal had accounts with and wired the money to Australia. The stupid woman didn't know his real name and believed the guy was in the military stationed in Afghanistan.

Re:So the FBI can only catch idiots with poor OPSE

[AHuxley]

The US gov likes the MAC.
OAKSTAR https://theintercept.com/2018/...
"... known as a MAC address, a March 29, 2013 NSA memo"

Re: So the FBI can only catch idiots with poor OPS

[javaman235]

We all do, which begs the question, if this worked, why is it being posted here? Why do we need operational details on a sting against financial scammers?

Re:So the FBI can only catch idiots with poor OPSE

[gl4ss]

well.. that and.. well.. pretty sure you would need a warrant to commit copyright, trademark etc fraud.

Great!

[nnull]

Although I admire the FBI's attempt to try to catch these guys as I've been hit by these fraudsters trying to pose as me or my accountants, emailing customers with invoices that look legitimate as mine and my people internally. But the FBI's technique was rather weak and exposes a huge weakness in a lot of corporate environments. A lot of these places have no way to check the legitimacy and will pay right away. This is a bigger problem than people realize.

Re:Great!

[John+Jorsett]

Think about it. If you were the FBI would you announce your best investigative techniques to the world? These are likely obsolete methods or even ones that they've considered but never used because they have better ones.

Question

[kqc7011]

Did Gorbel ever think of picking up a phone, calling a known person at the other company asking if and where should the money be sent?

Re:So the FBI can only catch idiots with poor OPSE

[rickb928]

Don't read much real news, do you? The FBI is righteous in this example, but not so much in others.

Nonetheless, perfect is the enemy of good.

Summary?

[rickb928]

The summary link claiming to be about the article, " FBI set up a fake FedEx website and created rigged Word document", goes somewhere entirely unrelated.

When did that happen?

Wrong Article link.

[AdamD1]

The actual link to the motherboard story is this one:

https://motherboard.vice.com/e...

This post links to a totally different article.

Route by to not from

[AlanObject]

What I do, as I have my own domain, is to use a specific email per vendor

This should be a standard feature of every e-mail reader and web-based e-mail service regardless if the e-mail holder has their own domain. Even though I control my own infrastructure it is just a bit too much work for me so I don't do this for most accounts, but the advantage is obvious.

There used to be a quasi-standard where you could have an e-mail address john.doe+ebay@anydomain.com and mail agents would route by ignoring the + to the @ sign, but too many agents don't support it.

Pay accountants more?

[omfglearntoplay]

Maybe if they paid their accountants more, or hired more of them so they weren't overwhelmed, less companies would be losing money to criminals.