Wednesday, 7 January 2004
FBI uses web bug to track extortionist?
Abandoning the incentives not to report cybercrime (see my last blog entry), Best Buy called in the FBI when it received emails threatening to expose security weaknesses in its e-commerce site unless the retail giant forked over $2.5 million. The Bureau worked with Best Buy to snare Thomas E. Ray III, of Mississippi, the would-be scammer. The most interesting feature of this case is in the tools used by the FBI to catch the alleged blackmailer. The Bureau responded to Ray's messages with its own emails laced with something that allowed it to trace the IP address from which he read them.
Unfortunately, the early press reports are unclear as to exactly what that something was. The St. Paul Pioneer Press reports that the investigation "was aided by a computer-tracing technique." The FBI got "permission from the courts to use a specialized e-mail device — called the Internet Protocol Address Verifier — to track down the author." I have no idea what an "Internet Protocol Address Verifier" is, but it sounds an awful lot like a web bug.
Web bugs are tiny pictures embedded in email messages using HTML. When an HTML-enabled mail client opens the message, it renders the HTML — including any image tags. The sender can embed an image tag that will query his own web server for an image file, then examine his server logs to determine from what IP address the query came. For example, I could send an email with HTML tags pointing to images stored on www.danfingerman.com, then record the IP addresses of all requests for that image. After I collect the IP addresses and dates & times the image was accessed, I could take a page from RIAA's playbook and find a way to intimidate ISPs into telling me which individuals were using each IP address at the relevant date and time. Then I would know who read my email, the exact date and time, and I could get more information with some extra effort — like the reader's home address and phone number or the geographic location where he read the message.
Web bugs earned the name "bug" after spammers started using them to verify email addresses. Recording calls to an image stored in a static location on a web server is not very helpful when you send email to millions of addresses and have no good way to link each IP address & time/date combination to a particular email address. (Believe it or not, the DMCA does have limits.) Spammers began to design web server software with dynamic links to a single image measuring 1x1 pixel. The images are tiny so that most people will not notice them (how often do you really view the source code of your email?) and so that they load quickly — before most people could hit the delete key. The relevant HTML tag written into each individual email would include a directory path that included the address to which that message was sent. Then the web server's log would record the image request with the email address (as a simple text string) as part of the directory path to the image. This made it obvious which email addresses the queries were coming from. "Verified" email addresses are like gold for spammers, and they would use this information to charge higher prices for their services — because they could now guarantee that a higher percentage of their emails were being delivered to addresses where an actual person would see them.
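The two tell-tale features described above, a 1x1 remote image and a per-recipient address baked into the image path, are easy to spot from the receiving side. The following is an added example (not the author's code) of a small scanner that flags such images in an HTML message body; the message and the hostnames in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

# Constructed sample message: the first image is a 1x1 pixel whose path carries
# the recipient's address (URL-encoded), the pattern spammers used to "verify"
# addresses; the second is an ordinary banner; the third is an inline attachment.
SAMPLE_HTML = """<html><body><p>Great deals this week!</p>
<img src="http://tracker.example.test/pixel/alice%40example.test/img.gif" width="1" height="1">
<img src="http://shop.example.test/banner.png" width="468" height="60">
<img src="cid:logo@local">
</body></html>"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def find_web_bugs(html, recipient):
    """Return remote images that look like tracking pixels, with the reasons."""
    parser = ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        src = img.get("src") or ""
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # inline (cid:) and relative images cannot phone home
        reasons = []
        if img.get("width") == "1" and img.get("height") == "1":
            reasons.append("1x1 pixel")
        # Decode %40 etc. so an encoded address in the path is still matched.
        if recipient.lower() in unquote(src).lower():
            reasons.append("recipient address in URL")
        if reasons:
            findings.append({"host": url.hostname, "src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_web_bugs(SAMPLE_HTML, "alice@example.test"):
        print(hit["host"], ", ".join(hit["reasons"]))
```

A mail client that refuses to fetch remote images until the user asks for them defeats both signals at once, since no request ever reaches the sender's server log.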
The Pioneer Press article makes the FBI's Internet Protocol Address Verifier sound a bit like a web bug, but it is ambiguous. For example, it calls the verifier "a specialized e-mail device." Furthermore, the St. Paul Star Tribune had this to say ("Feds thwart extortion plot against Best Buy"):
The federal search warrant was obtained the morning of Oct. 24 and allowed the FBI, with Best Buy's cooperation, to use an Internet device known as an Internet Protocol Address Verifier. It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address. The response allowed investigators to identify Ray as the sender of the e-mail threats, according to the government.
Did you see that? The Star Tribune called the verifier "a program." A web bug could never be confused with a "program." The source of my confusion should now be obvious.
If anyone knows what the heck an Internet Protocol Address Verifier really is, please let me know.