Future Tense

The FBI Used Malware and a Fake Seattle Times Article Page to Track a Bomb Threat Suspect


There’s nothing wrong with inventive law enforcement techniques, but it seems like online investigation tactics have gotten a little out of hand. Earlier this month a court filing showed that the Drug Enforcement Administration had created a fake Facebook profile for one of its suspects as a way to catfish others. Facebook was not happy with that. But it seems government abuse of social networks dates all the way back to the sparkly customizable wallpapers of yore: The Electronic Frontier Foundation has published FBI documents that show the bureau once tracked the source of bomb threats on MySpace using a phony—and malware-laced—Seattle Times article page.

In 2007 an anonymous MySpace page started spewing bomb threats at Timberline High School in Washington state. To figure out who was behind them, the FBI apparently created a fake Associated Press article in the style of a Seattle Times piece and messaged the link to the anonymous MySpace account. When the owner of the account clicked the link, the page delivered malware that could trace the computer’s identifying information, such as its IP and MAC addresses (impersonating a trusted site this way is called a spoofing attack).

This news isn’t completely, well, new. In 2007 Wired reported on the special FBI malware used in this attack, Computer and Internet Protocol Address Verifier (CIPAV). The Electronic Frontier Foundation first obtained documents about the incident in 2011 through a Freedom of Information Act request. But the full scope of the situation wasn’t clear until Christopher Soghoian, the principal technologist for the American Civil Liberties Union, began tweeting about it Monday.

Paul Colford, the director of AP media relations, told the Seattle Times, which reported on the story this week, “We are extremely concerned and find it unacceptable that the FBI misappropriated the name of The Associated Press and published a false story attributed to AP. … This ploy violated AP’s name and undermined AP’s credibility.”

And Seattle Times editor Kathy Best said, “We are outraged that the FBI, with the apparent assistance of the U.S. Attorney’s Office, misappropriated the name of The Seattle Times to secretly install spyware on the computer of a crime suspect. … Not only does that cross a line, it erases it.”

Biometric authentication is one way that technology companies could make it harder for law enforcement agencies to impersonate people online, but it won’t stop sneaky malware attacks. Soghoian tweeted, “I give it two weeks, tops, before a Member of Congress writes a letter to the FBI demanding answers re: the Seattle Times impersonation.”