FBI spyware used to nab hackers, extortionists

Documents obtained in a Freedom of Information Act request by CNET News show the FBI has used a secret form of spyware to get the goods on suspects.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
3 min read

The FBI has used a secret form of spyware in a series of investigations designed to nab extortionists, database-deleting hackers, child molesters, and hitmen, according to documents obtained by CNET News.

One suspect used Microsoft's Hotmail to send bomb and anthrax threats to an undercover government investigator; another demanded a payment of $10,000 a month to stop cutting cables; a third was an alleged European hitman who was soliciting for business from a Hushmail.com account.

CNET News obtained the documents -- totaling hundreds of pages, although nearly all of them were heavily redacted -- this week through a Freedom of Information Act request to the FBI.

The FBI spyware, called CIPAV, came to light in July 2007 through court documents that showed how the bureau used it to nab a teenager who was e-mailing bomb threats to a high school near Olympia, Wash. (CIPAV stands for Computer and Internet Protocol Address Verifier.)

A June 2007 memo says that the FBI's Deployment Operations Personnel were instructed to "deploy a CIPAV to geophysically locate the subject issuing bomb threats to the Timberline High School, Lacy, Washington. The CIPAV will be deployed via a Uniform Resource Locator (URL) address posted to the subject's private chat room on MySpace.com."

An affidavit written by FBI Special Agent Norman Sanders at the time said that CIPAV is able to send "network-level messages" containing the target computer's IP address, Ethernet MAC address, environment variables, the last-visited Web site, and other registry-type information including the name of the registered owner of the computer and the operating system's serial number.

The FOIA documents indicate that the FBI turns to CIPAV when a suspect is communicating with police or a crime victim through e-mail and is using an anonymizing service to conceal his computer's Internet protocol address. If an anonymizing service had not been used, then a subpoena to the e-mail provider would normally be sufficient.

CIPAV lets the FBI trick a suspect's computer into identifying itself to police, much as an exploding dye packet might identify a bank robber.

One document from March 2007 indicates that the FBI originally used a simple technique known as a "Web bug." Written by the Justice Department's Computer Crime and Intellectual Property Section, it says "some investigators have begun to use an investigative technique referred to as an 'Internet Protocol Address Verifier' (IPAV), a/k/a a 'Web bug.'"

Then the bureau appears to have shifted to actual software, once known as Magic Lantern (possibly a Trojan Horse) and then CIPAV.

One example of CIPAV's use came in a March 2006 request to the FBI's Cryptologic and Electronic Analysis Unit. It said a victim's Hotmail account is controlled by a suspect who "is extorting the victim because the account had personal info in it. Subject wants victim to set up an e-gold.com account and transfer $10,000 there and then email the userid/pwd to the subject."

Another was an August 2005 request saying a hacker deleted a company's database and "is extorting the victim company for payment to restore it."

If CIPAV could be detected before being installed by antivirus software, a criminal suspect may be able to avoid having his Internet address divulged to the police. A 2007 CNET News survey of the major antispyware vendors found that that not one company acknowledged cooperating unofficially with government agencies.