FBI used spyware to capture hackers, hitmen

The FBI has used a secret form of spyware in a series of investigations designed to apprehend extortionists, database-deleting hackers, child molesters and hitmen, according to documents obtained by ZDNet UK's sister site, CNET News.com.

One suspect used Microsoft's Hotmail to send bomb and anthrax threats to an undercover government investigator; another demanded a payment of $10,000 (£6,800) a month to stop cutting cables; a third was an alleged European hitman who was soliciting for business from a Hushmail.com account.

CNET News.com obtained the documents — totalling hundreds of pages, although nearly all of them were heavily redacted — this week through a Freedom of Information Act (FOIA) request to the FBI.

The FBI spyware, called Cipav (Computer and Internet Protocol Address Verifier), came to light in July 2007 through court documents that showed how the bureau used it in the case of a teenager who was emailing bomb threats to a high school near Olympia, Washington.

A June 2007 memo says the FBI's Deployment Operations Personnel were instructed to "deploy a Cipav to geophysically locate the subject issuing bomb threats to the Timberline High School, Lacy, Washington. The Cipav will be deployed via a Uniform Resource Locator (URL) address posted to the subject's private chatroom on MySpace.com".

An affidavit written by FBI special agent Norman Sanders at the time said Cipav is able to send "network-level messages" containing the target computer's IP address, Ethernet MAC address, environment variables, the last-visited website, and other registry information including the name of the registered owner of the computer and the operating system's serial number.

The FOIA documents indicate that the FBI turns to Cipav when a suspect is communicating with police or a crime victim through email and is using an anonymising service to conceal his computer's internet protocol address. If an anonymising service had not been used, then a subpoena to the email provider would normally be sufficient.

Cipav lets the FBI trick a suspect's computer into identifying itself to police, much as an exploding dye packet might identify a bank robber.

One document from March 2007 indicates that the FBI originally used a simple technique known as a 'web bug' to track suspect computers. Written by the Justice Department's Computer Crime and Intellectual Property Section, the document says "some investigators have begun to use an investigative technique referred to as an 'Internet Protocol Address Verifier' (IPAV), aka a 'web bug'".

Then the bureau appears to have shifted to actual software, once known as Magic Lantern (possibly a Trojan Horse) and then to Cipav.

One example of Cipav's use came in a March 2006 request to the FBI's Cryptologic and Electronic Analysis Unit. It said a victim's Hotmail account is controlled by a suspect who "is extorting the victim because the account had personal info in it. Subject wants victim to set up an e-gold.com account and transfer $10,000 there and then email the userid/pwd to the subject".

Another was an August 2005 request saying a hacker deleted a company's database and "is extorting the victim company for payment to restore it".

If Cipav could be detected before being installed by antivirus software, a criminal suspect may be able to avoid having his internet address divulged to the police. A 2007 CNET News.com survey of the major antispyware vendors found that that not one company acknowledged co-operating unofficially with government agencies.