In an investigation into an Irondequoit, New York cop accused of stalking and harassing an ex-girlfriend, the FBI used techniques it often sees deployed by the cybercriminals it investigates. It sent emails to the suspect containing Microsoft Word and Excel documents that, once clicked, would help agents unmask the identity of the officer, William Rosica.
A warrant detailing the hacking methods – known amongst law enforcement as Network Investigative Techniques – provided rare insight into the FBI’s digital techniques. While previous reporting of Rosica’s case has focused on the disturbing nature of the alleged crimes of the now-former policeman, it ignored the technical and ethical questions around such methods. In this case, though, security experts and privacy activists agree: the use of targeted phishing with the right warrants showed law enforcement could hack responsibly.
The FBI sent the phishing emails after agents learned of allegations that Rosica had used multiple email accounts and phone numbers to harass an unnamed former partner. Amongst the stronger allegations were that he attempted to hack into her medical records held by the University of Rochester’s MyChart, as well as her personal and work emails. His communications became increasingly aggressive, according to prosecutors, who claimed Rosica sent the ex-girlfriend messages about how to commit suicide.
Throughout, the ex-cop used the Tor network to mask his original IP address, whilst setting up a range of email addresses to further hide his identity, the government alleged. And he used the Text’em service, which allows users to send free texts without needing a phone number, prosecutors said.
With all the attempts at dissimulation, the government opted for tools in its digital arsenal to find out who was behind the emails. On January 31st, the FBI was granted a warrant to send phishing emails to email addresses hosted by hotdak.net, Yandex and mail2actor.com.
In one email, a Microsoft Word document would include an embedded image. When opened the document would ask the target to exit “protected view,” and once done the image would be retrieved from an FBI server. The IP address of the target PC or phone would then be sent back to the feds.
In another phish, the FBI included a link hidden inside an email purporting to be a professional profile webpage of the sender. If the link was clicked from a computer using an IP address not associated with Rosica’s home internet, the page would return an error, noting that it could not be accessed via the Tor network. The feds believed that Rosica would visit the page via Tor and when he couldn’t, he’d use a non-private connection, according to the warrant.
Finally, the FBI was also permitted to use a Microsoft Excel document that, when opened, required the user to agree to enable editing and content. That would run little programs known as macros, which are typically embedded in Microsoft Office files, allowing users to script a file to perform business-specific actions. In this case, the macros would then send identifying information back to the FBI.
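For readers who triage suspicious attachments, the two document behaviours described above (an image fetched from a remote server, and macros inside an Excel file) both leave visible traces in the file's zip structure. The following is an added example, not code from the warrant or the FBI: it assumes the remote image is wired in as an external relationship, and `scan_ooxml`, `build_package` and the host `tracker.example` are hypothetical names used with constructed sample files.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPES = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def scan_ooxml(data: bytes) -> dict:
    """List network-fetched relationships and VBA macro parts in an OOXML file."""
    found = {"external": [], "macros": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if name.lower().endswith("vbaproject.bin"):
                found["macros"].append(name)   # compiled VBA project part
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                continue                        # malformed part: nothing to list
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                # Hyperlinks load only when clicked; images, templates and
                # OLE links are requested when the document is rendered.
                if rel.get("TargetMode") == "External" and kind != "hyperlink":
                    found["external"].append((name, kind, rel.get("Target")))
    return found


def build_package(parts: dict) -> bytes:
    """Build a constructed OOXML-style zip from {part name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed samples: tracker.example is a placeholder host.
SAMPLE_DOCX = build_package({"word/_rels/document.xml.rels": (
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId1" Type="{REL_TYPES}/image" '
    'Target="http://tracker.example/p.png" TargetMode="External"/>'
    f'<Relationship Id="rId2" Type="{REL_TYPES}/styles" Target="styles.xml"/>'
    '</Relationships>')})
SAMPLE_XLSM = build_package({"xl/vbaProject.bin": b"\x00",
                             "xl/workbook.xml": "<workbook/>"})

if __name__ == "__main__":
    for label, blob in (("docx", SAMPLE_DOCX), ("xlsm", SAMPLE_XLSM)):
        print(label, scan_ooxml(blob))
```

A hit in either list does not prove tracking, since linked images and macros have ordinary uses, but it tells the recipient what will happen if they leave protected view or enable content.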
On February 2nd, the FBI deployed the Microsoft Word hack via the email of the victim’s operations manager, who’d already received contact from one of the suspect addresses. Copying in the other two email accounts, the message included a cease and desist order inside the Word document that would reveal the target’s real IP address. According to the warrant, it worked: the IP matched that obtained from a subpoena to Time Warner Cable for Rosica’s information, which was the same as that grabbed by the FBI pen register trap and trace monitoring of the suspect’s home internet use. (Investigators also acquired search warrants to obtain data from Google for one of Rosica’s suspected email accounts and have received information from Text’em.)
Two weeks later, on February 16th, FBI agents sent out separate emails containing the Excel file and the link to the professional profile. The latter was successful, according to the government: first, the link was accessed from a known node in the Tor network, but 30 seconds later it was visited by an address associated with Rosica’s home internet.
No zero-days required
Rather than require any expensive digital weapons – most notably zero-day exploits, where unpatched software vulnerabilities are abused to install malware on a target system – the FBI used straightforward social engineering, noted Matthew Tait, a former GCHQ security specialist and now senior fellow at the Robert Strauss Center for International Security and Law at the University of Texas at Austin.
“Of course, had all of these techniques failed, it’s possible that the FBI would have moved on to attempting to hack the target’s computer via zero-days,” Tait said. “But it doesn’t look like they did so in this case, most likely because these simpler social engineering techniques were successful and they didn’t need to use more advanced techniques to catch him.”
In previous cases, the FBI has deployed NITs to grab the identifying information of suspected child pornography users. In one of the more controversial cases, the feds took control of a Tor-based child pornography website, Playpen, serving up an exploit to each visitor to retrieve their IP address.
Privacy activists raised concerns about the widespread application of such aggressive tactics with just one warrant, but the targeted phishing techniques used in the Rosica investigation appeared acceptable.
“Government intrusions do raise some 4th amendment legal search concerns. For something like this, we’d want them to have a warrant,” said Cooper Quintin, security researcher and programmer at the Electronic Frontier Foundation.
“This shows a way that police can obtain digital information without using zero-days. It further highlights there’s not much of a reason for governments to hoard computer exploits… Even dead simple social engineering works.”
Rosica was arrested in March. Last week, his lawyers asked that the detention order be revoked and that he be released pending a trial. His legal representation declined to comment for this article, as did the Department of Justice.