FBI impersonated newspaper to finger school bomb threat suspect

'Traded on our reputation and put it at peril', complains Seattle Times

A US newspaper has reacted angrily after it emerged that the FBI impersonated its website in order to locate a target using snoopware.

The Feds set up a fake Seattle Times news story on a counterfeit website in order to entice a bomb-threat suspect to disclose his location back in 2007. Links to the doctored story were sent to the MySpace account of a suspect in a series of bomb threats against local schools.

As soon as the suspect clicked on the link, hidden FBI software logged his IP address, allowing the FBI to track down and arrest a juvenile suspect.

The deception was publicised in a series of tweets by Christopher Soghoian, principal technologist for the American Civil Liberties Union. Soghoian told the Seattle Times that "significant collateral damage to the public trust" resulted from law enforcement co-opting or impersonating media for its ends.

Some in the security community have compared the exercise to DEA officers on a stakeout wearing UPS uniforms or even pen testers setting up a fake website as part of a penetration test exercise. In both these examples the organisation being impersonated has given consent, which is definitely not what occurred in this case.

The attack involved spear phishing targeted at and advertised towards a single suspect. Nothing was done to affect the legitimate Seattle Times website. Nonetheless the paper's bosses are spitting feathers.

"We are outraged that the FBI, with the apparent assistance of the US Attorney’s Office, misappropriated the name of The Seattle Times to secretly install spyware on the computer of a crime suspect," said Seattle Times editor Kathy Best.

"Our reputation and our ability to do our job as a government watchdog are based on trust. Nothing is more fundamental to that trust than our independence — from law enforcement, from government, from corporations and from all other special interests," Best continued. "The FBI’s actions, taken without our knowledge, traded on our reputation and put it at peril."

Frank Montoya Jr, FBI special agent in charge in Seattle, defended tactics used in the investigation which eventually led to the conviction of a 15-year-old student.

"Every effort we made in this investigation had the goal of preventing a tragic event like what happened at Marysville and Seattle Pacific University," Montoya said. "We identified a specific subject of an investigation and used a technique that we deemed would be effective in preventing a possible act of violence in a school setting."

"Use of that type of technique happens in very rare circumstances and only when there is sufficient reason to believe it could be successful in resolving a threat," he added.

The Feds used a law enforcement spyware tool, dubbed Computer and Internet Protocol Address Verifier (CIPAV), in two cases: first, the Timberline High School bomb threats, which involved impersonating the Seattle Times, and second, an extortion attempt against a cruise line in Florida, according to a series of documents obtained by the Electronic Frontier Foundation (PDF).

CIPAV was deployed in the Timberline High School bomb threats case after a search warrant was obtained to target a suspect, who became a target in the investigation after a public tip-off. The warrant omitted to mention that "communication" with the subject would be made through means of a fake news story ostensibly published by The Seattle Times.

This sort of tactic is far from limited to the US. For example, a phishing email that delivered Russian gov malware impersonated a Reason journalist, one of the tactics of the so-called APT28 hacking crew exposed by FireEye on Tuesday. ®
