Slashdot Mirror


The FBI Created a Fake FedEx Website To Unmask a Cybercriminal (9to5mac.com)

In an attempt to catch two cybercriminals, the FBI set up a fake FedEx website and created rigged Word documents, "both of which were designed to reveal the IP address of the fraudsters," reports Motherboard. From the report: The first case centers around Gorbel, a cranes and ergonomic lifting manufacturing company headquartered in Fishers, New York, according to court records. Here, the cybercriminals used a long, potentially confusing and official-looking email address to pose as the company's CEO Brian Reh, and emailed the accounts team asking for payment for a new vendor. The fraudsters provided a W9 form of a particular company, and the finance department mailed a check for over $82,000. Gorbel noticed the fraudulent transaction, and brought in the FBI in July. Shortly after, Gorbel received other emails pretending to be Reh, asking for another transfer. This time, the finance department and FBI were ready. The FBI created a fake FedEx website and sent that to the target, in the hope it would capture the hacker's IP address, according to court records. The FBI even concocted a fake "Access Denied, This website does not allow proxy connections" page in order to entice the cybercriminal to connect from an identifiable address.

That FedEx unmasking attempt was not successful, it seems -- the cybercriminal checked the link from six different IP addresses, some including proxies -- and the FBI moved on to use a network investigative technique, or NIT, instead. NIT is an umbrella term the FBI uses for a variety of hacking approaches. The FBI attempted to locate the cybercriminals with a Word document containing an image that would connect to the FBI server and reveal the target's IP address, according to court records. The image was a screenshot of a FedEx tracking portal for a sent payment, the court records add.
Motherboard also details the second case, which occurred in August 2017, where a business in the Western District of New York received an email claiming to be from Invermar, a Chilean seafood vendor and one of the company's suppliers, according to court records: This email, posing as a known employee of Invermar, asked the victim to send funds to a new bank account. Whereas the legitimate Invermar domain ends with a .cl suffix, the hackers used one ending in .us. The business the hackers targeted apparently didn't notice the different suffix, and over the course of September and October wire-transferred around $1.2 million to the cybercriminals, with the victim eventually able to recover $300,000 (the court documents don't specify how exactly, although a chargeback seems likely). To determine where this criminal was located, the FBI also decided to deploy a NIT.

"The FBI will provide an email attachment to the victim which will be used to pose as a form to be filled out by the TARGET USER for future payment from the VICTIM," one court record reads. The NIT required the target to exit "protected mode," a setting in Microsoft Word that stops documents from connecting to the internet. The warrant application says the government does not believe it needs a warrant to send a target an embedded image, but out of an abundance of caution, added to the fact that the target will need to deliberately exit protected mode, the FBI applied for one anyway. Both NITs were designed to only obtain a target's IP address and User Agent String, according to the warrant applications. A User Agent String can reveal what operating system a target is using. Although signed by two different FBI Special Agents, both of the NIT warrant applications come out of the Cyber Squad, Buffalo Division, in Rochester, New York.
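The beaconing trick described above relies on a Word document whose image relationship points outside the file, so that rendering it makes a network request. The following Python, added here and not part of the Motherboard report or the court records, shows the defender's side: a check that lists every relationship in a .docx package that resolves to an external target. The sample document and the hostname `tracker.example` are constructed for this illustration.

```python
import io
import re
import zipfile

# Relationship files inside an OOXML package; image links live here.
RELS_PATH = "word/_rels/document.xml.rels"

def build_sample_docx(image_target: str, external: bool) -> bytes:
    """Build a constructed, minimal .docx-like ZIP containing only the
    parts this check needs: one image relationship, internal or external."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"'
        f' Target="{image_target}"{mode}/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(RELS_PATH, rels)
    return buf.getvalue()

REL_RE = re.compile(r"<Relationship\b[^>]*>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def external_targets(docx_bytes: bytes) -> list:
    """Return [(relationship_kind, target)] for every relationship in any
    .rels part that leaves the package: TargetMode="External" or an
    http(s) URL. An 'image' entry here means rendering the document
    would contact that host, which is exactly what Protected View blocks."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            xml = z.read(name).decode("utf-8", "replace")
            for rel in REL_RE.findall(xml):
                attrs = dict(ATTR_RE.findall(rel))
                target = attrs.get("Target", "")
                if attrs.get("TargetMode") == "External" or re.match(r"(?i)https?://", target):
                    kind = attrs.get("Type", "").rsplit("/", 1)[-1]
                    found.append((kind, target))
    return found

if __name__ == "__main__":
    print(external_targets(build_sample_docx("http://tracker.example/fedex.png", True)))
```

A mail gateway or triage script can run the same check on real attachments; an empty list means every image is packaged inside the file.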

11 of 82 comments

  1. So the FBI can only catch idiots with poor OPSEC? by Anonymous Coward · · Score: 2, Insightful

    And the only way they can identify someone is to try to trick them into identifying themselves?

    As much as I think the FBI is of questionable competence, I can't help but feel that there are other options to unmask someone committing crimes like these, and that this disclosure of techniques is designed to create a false sense of security. They want you to underestimate them, so that one of the techniques that they don't publicly blab about gets you.

  2. They only have to screw up once by raymorris · · Score: 4, Informative

    The thing about opsec is you only have to screw up once. They tried getting the bad guy to connect without using a proxy, using the error message. The bad guy maintained opsec and didn't fall for it. So then they tried the next thing. If the bad guy didn't fall for that, the FBI would go to the next approach.

    1. Re:They only have to screw up once by AHuxley · · Score: 3, Interesting

      Re "next approach". They keep the powerful tools off the net as much as possible.
      Can't have consumer AV discovering and reporting back on gov pushed software in the wild.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:They only have to screw up once by Lonewolf666 · · Score: 2

      Arguably the bad guy continuing at all after the fake proxy request was bad OPSEC by itself. Detecting a trap should tell you that there is probably some police agency out to catch you.

      --
      C - the footgun of programming languages
  3. Re: So the FBI can only catch idiots with poor OPS by Anonymous Coward · · Score: 2

    I haven't seen a nic with an unchangeable MAC since the 90s.

  4. Re: So the FBI can only catch idiots with poor OPS by Anonymous Coward · · Score: 2, Informative

    They did. Checks were going to some woman in Kentucky who would take them to a bank the criminal had accounts with and wired the money to Australia. The stupid woman didn't know his real name and believed the guy was in the military stationed in Afghanistan.

  5. Re:This website does not allow proxy connections? by AlanObject · · Score: 3, Insightful

    That is some weak sauce right there, FBI.

    What seems weak to me are the procedures used in the accounting departments of the companies that get scammed. These tricks being used should not work in the first place. Seriously, is nobody paying attention?

  6. Re:This website does not allow proxy connections? by Gravis+Zero · · Score: 3, Interesting

    That is some weak sauce right there, FBI.

    It's not stupid if it works. Social engineering is simply hacking a human instead of hacking a computer program.

    --
    Anons need not reply. Questions end with a question mark.
  7. Re: So the FBI can only catch idiots with poor OPS by javaman235 · · Score: 3, Interesting

    We all do, which begs the question, if this worked, why is it being posted here? Why do we need operational details on a sting against financial scammers?

    --
    -The art of programming is the pursuit of absolute simplicity.
  8. Re:This website does not allow proxy connections? by Solandri · · Score: 2

    What seems weak to me are the procedures used in the accounting departments of the companies that get scammed. These tricks being used should not work in the first place. Seriously, is nobody paying attention?

    You seem to think these social engineering attempts are once in a blue moon things. When I was doing the accounting at a business, I got several of these every week. Some of them even came via snail mail (made up to look like a recurring monthly bill). Even if you're careful enough to catch 99.9% of these, once every few years one of them manages to get through. Hopefully it's just a $100 subscription scam, not a multi-million dollar scam like in TFA.

    For example, a friend got hit by ransomware on her work machine. She's not stupid, and she's very security conscientious (the moment she realized what was happening she knew she had to prevent other machines from being infected, so she immediately yanked her ethernet cable out of the wall - pulled the wires right out of the plug). How she got tricked was she gets monthly reports in Excel format emailed to her from each of the salesmen. That month, Frank's report happened to be late, so she sent him a reminder earlier in the day to send it. Just by pure chance, the ransomware sent her an email, with Frank as the spoofed sender, titled "Here's the monthly report you requested" and an attached Excel file. So of course she opened the attachment.

    Another example. I bought something on eBay, and got the standard emails from eBay saying I'd won the bid on such and such item. About 30 minutes later I got an email saying there was a problem with my eBay order, and to please login for details and to resolve it. I clicked on the link, logged in, then realized what I'd just done. I immediately logged out, got on another computer, logged into my eBay account, and changed the password. Then I went back to that email, and sure enough although the email looked like a genuine notice from eBay, the included link went to some sort of phishing site made to look like eBay.

    These phishing and social engineering attempts are not that sophisticated. They're just spammed to millions of people. Because if you send it to that many people, 99.9999% of them will immediately see that it's fake and wonder how anyone could be stupid enough to fall for it. But just by chance alone, it's going to look exactly like an email one of those persons is expecting, and they're going to click it thinking it's legit.

  9. Great! by nnull · · Score: 4, Interesting

    I admire the FBI's attempt to try to catch these guys, as I've been hit by these fraudsters trying to pose as me or my accountants, emailing customers with invoices that look as legitimate as mine and my people's internally. But the FBI's technique was rather weak and exposes a huge weakness in a lot of corporate environments. A lot of these places have no way to check the legitimacy and will pay right away. This is a bigger problem than people realize.