Seven years ago, the FBI used a kind of spyware known as a CIPAV to track down and arrest a 15-year-old hacker who was sending bomb threats to a high school near Olympia. Old news for privacy watchdogs. But today, ACLU analyst Christopher Soghoian trawled through an arcane set of the bureau's records and came across something startling: in order to get the suspect's computer infected with the spyware, the documents suggest the FBI sent a message to him that masqueraded as an e-mail from The Seattle Times.
"Here is the email link in the style of the Seattle Times," wrote one FBI agent, whose name is redacted. "Below is the news article we would like to send containing the CIPAV," wrote another. The e-mail includes a message, headline, link, and subscription information all purporting to represent an Associated Press article carried online by The Seattle Times. According to WIRED editor Kevin Poulsen, the message acted as a phishing attack and was sent to the young man's MySpace account, "luring him to read an article about himself at a custom url."
The HTML behind the link would presumably redirect the viewer to an FBI server, which would infect the computer with the spyware. CIPAV stands for Computer & Internet Protocol Address Verifier, and according to Ars Technica it allows the government to track the computer's "IP address, MAC address, list of running programs, operating system, Internet browser used, language used, the registered computer name, the currently logged-in username, and more."
"I remember reading about it at the time and wondering, 'How do they get people to click on their stupid links?'" says Soghoian, the ACLU's Principal Technologist.
The suspect, identified only as Josh in court records because he was a juvenile, was arrested following the apparently successful use of the CIPAV. But, Soghoian says, "The ends don't justify the means. I'm not saying that the FBI shouldn't be investigating people who threaten to bomb schools. But impersonating the media is a really dangerous line to cross."