For years, phishing scammers have been setting up fake tech support hotlines, websites to plant malicious malware on unsuspecting machines. And, apparently, even the FBI has been getting in on the fun. Because, back in 2007, the FBI created a fake Seattle Times web page, all to catch a high school bomb threat suspect.
The phony article was revealed yesterday by American Civil Liberties Union principal technologist, Christopher Soghoian, on Twitter.
That the FBI impersonated a newspaper’s website to deliver malware to a target is outrageous. Over the top crazy.
— Christopher Soghoian (@csoghoian) October 27, 2014
The counterfeit story, which was about the bomb threat itself in hopes of piquing the teens’ curiosity, even came with a phony Associated Press byline and was written “in the style of The Seattle Times“. This included additional information about subscribing and advertising.
What’s more, what with this being 2007 and all, the link was sent directly to the juvenile suspect’s MySpace account. Once the teen clicked the link, the FBI-brand malware would be planted on his computer, allowing the Agency to ultimately nab the purported perpetrator. Which it did, ultimately identifying and arresting the suspect on June 14.
Unsurprisingly, The Seattle Times is less than pleased with the revelation.
“We are outraged that the FBI, with the apparent assistance of the U.S. Attorney’s Office, misappropriated the name of The Seattle Times to secretly install spyware on the computer of a crime suspect,” said Seattle Times Editor Kathy Best.
“Not only does that cross a line, it erases it,” she said.
“Our reputation and our ability to do our job as a government watchdog are based on trust. Nothing is more fundamental to that trust than our independence — from law enforcement, from government, from corporations and from all other special interests,” Best said. “The FBI’s actions, taken without our knowledge, traded on our reputation and put it at peril.”
The FBI impersonating the press is just as irresponsible as the CIA running fake immunization programs. Completely unacceptable.
— Christopher Soghoian (@csoghoian) October 27, 2014
The Associated Press also had some harsh words for the FBI’s underhanded tactics, telling The Seattle Times:
“We are extremely concerned and find it unacceptable that the FBI misappropriated the name of The Associated Press and published a false story attributed to AP,” Paul Colford, director of AP media relations. “This ploy violated AP’s name and undermined AP’s credibility.”
Of course, the FBI is claiming that it only deploys techniques like this in the rarest of circumstances and “only when there is sufficient reason to believe it could be successful in resolving a threat.” Still, it’s certainly disheartening to see the FBI employing the exact same tactics — and levels of transparency — used to plant malicious and threatening malware, something many of us have likely experience firsthand.
The EFF posted 172 pages it acquired via FOIA detailing the FBI’s use of its phishing tool, which you can read in their entirety below. [The Seattle Times, EFF]