ALLURE SECURITY BLOG

How the FBI Used A “Booby-Trapped” Document to Foil an Attacker

A recent story in Vice’s Motherboard section detailed how a cybercriminal, who had been using fake documents to swindle a company out of large sums of money, was pursued by the FBI. The cybercriminal had posed as the company’s CEO via email, sending a convincing request to the corporate accounts team asking for payment for a new vendor. According to Vice, “the fraudsters provided a W9 form of a particular company, and the finance department mailed a check for over $82,000.”

The FBI used some deception technology of its own to investigate the swindler. The law enforcement agency, understanding that they were dealing with a hacker who was well-versed in spoofing and other trickery, first “created a fake FedEx website and sent that to the target, in the hope it would capture the hacker’s IP address, according to court records. The FBI even concocted a fake ‘Access Denied, This website does not allow proxy connections’ page in order to entice the cybercriminal to connect from an identifiable address.”

When the phony FedEx site did not fool the attacker, the FBI then sent a “booby-trapped” document containing an image that would force the suspect to connect to an FBI server, thus identifying the target’s IP address. The image was a screenshot of a FedEx tracking portal that resembled a receipt for sent payment.

This FBI case is reminiscent of a similar scenario in which the CISO of a large telecom company called in the Allure Security incident response and forensics team to help foil a ransomware attack and identify the criminal behind it. But it also highlights a growing problem: the use of CEO spoofing as a new form of social engineering to engage in corporate theft. Cybercriminals are not only getting more daring and confident, but their attack methods are becoming more sophisticated. The response from the security community--whether from the public or private sector--must meet that level of sophistication if defenders stand any chance of stopping data and financial loss.

As the FBI case shows, documents containing tracking technology were more effective than the attempt at phishing the attacker. The documents were highly convincing, raised no suspicions with the adversary, and were more successful at locating the IP address. Businesses now have the opportunity to adopt the same approach to data loss detection and response as government agencies.

Posted by Salvatore Stolfo on Dec 20, 2018 10:43:43 AM
Salvatore Stolfo

Salvatore Stolfo

Salvatore Stolfo is a tenured Columbia University professor, teaching computer science since 1979. He is the co-founder and CTO of Allure Security. Dr. Stolfo has been granted over 47 patents and has published over 230 papers and books in the areas of parallel computing, AI knowledge-based systems, data mining, computer security and intrusion detection systems. His research has been supported by numerous government agencies, including DARPA, NSF, ONR, NSA, CIA, IARPA, AFOSR, ARO, NIST, and DHS.

Topics: document tracking, track documents, decoy documents, deception, detection and response, deception security

Related posts