Margaret,
Can we set up a payment to a new vendor today? Thanks, Brian
Margaret Belt, the member of Gorbel’s finance team who had received the email, replied saying that she could assist but needed more information. The fake CEO responded:
Margaret,
See attached W9 and invoice for vendor details, Please have check made out to HOLDINGS for $82,570.00 and have it sent by overnight mail. Payment is for professional service, Charge this to Admin Dept and email me with tracking# once check is mailed out.
Thanks, Brian
Believing nothing was amiss, a cashier’s check was duly issued and cashed out.
The following month the company’s CFO identified that a fraudulent transaction had taken place and informed the FBI, who examined the email correspondence.
Just days later, Margaret Belt received another email posing as the company CEO, this time asking for US $138,580 to be paid to a new vendor.
By now, of course, Margaret knew that she was dealing with a scammer – and kept the fraudster waiting for days claiming that the printer used to produce the checks was broken, and that a new part had been ordered.
The fraudster was understandably feeling frustrated:
Margaret,
Do you have an update regarding payment? I believe the printer should be fixed by now. Please advise.
Brian.
The truth was, of course, that the printer wasn’t broken. But behind the scenes the FBI had bought the domain name www.fedextrackingportal.com, and created a website designed to capture visiting computers’ IP addresses, and other basic information about the browser being used to access it.
Margaret duly responded to the fake CEO, saying that the payment had been made and providing what appeared to be a FedEx tracking link.
Sneakily, the fake FedEx website built by the FBI displayed a message designed to discourage any visitor from covering their tracks:
“Access Denied, This website does not allow proxy connections”
What was clever about that is that it didn’t need to actually detect the usage of a VPN or proxy, it just needed to make whoever was visiting that they really should disable any such cloaking if they wanted to visit the webpage.
The fake FedEx tracking link created by the FBI was visited by six unique IP addresses within a 24 hour period, resolving to multiple countries and domestic areas and ISPs, with one resolving to a known VPN service.
The FBI’s conclusion was that sadly the fraudster had not been duped into revealing their computer’s true IP address and that they were only likely to open links and emails after accessing a proxy or VPN service.
The FBI was going to need a different technique to catch their fraudster.
The answer was to create a Word document containing a embedded image hosted on a server under the FBI’s control. Anyone trying to view the image in the Word document would be revealing their originating IP address and browser user string to the server’s logs as the document ‘phoned home.’
The technique would only work if the target turned off “protected mode”, a Microsoft Word setting that prevents documents from accessing the internet – and even then they would still need to have disabled any VPN they might be using to mask themselves online.
Unfortunately we don’t know if this attempt to identify the fraudster worked, but what is clear is that law enforcement are prepared to use techniques normally adopted by scammers to identify online criminals.
What also isn’t clear is quite what the FedEx feels about its brand being used to create yet more fake websites.
Brands that often find themselves at the centre of phishing scams often try to keep a close eye on fraudulent domains that pop up using variations of their name, in the hope of shutting them down before they do too much damage.
I wonder how complicated things might get when it’s the FBI rather than the fraudsters making the fake FedEx website.
______________________________