4 min read

FBI infected 15-year-old bomb threat twit with malware, by impersonating newspaper


October 29, 2014

Promo Protect all your devices, without slowing them down.
Free 30-day trial
FBI infected 15-year-old bomb threat twit with malware, by impersonating newspaper

The Seattle Times is furious, after discovering that the FBI stole its identity.



Documents obtained by the Electronic Freedom Foundation (EFF) show that, while attempting to identify who had made a series of high school bomb threats, the FBI created a fake Seattle Times webpage containing a bogus Associated Press news story, with the intention of infecting a suspect’s computer with malware.

What was previously known was that in late May 2007, a series of bomb threats began to arrive at Timberline High School in Washington state. Some of the messages, which appeared to be from a Myspace user called “Timberlinebombinfo”, taunted the authorities that they were “too stupid to trace the email.”

Now that the school is scared from yesturdays fake bomb threat it’s now time to get serious. One in a gym locker, the girls. It’s in a locker hidden under a pile of clothes. The other four I will only say the general location. One in the Language Hall, One in the math hall, One underneath a portable taped with strong ducktape. This bomb will go off if any vibrations are felt. And the last one, Is in a locker. It is enclosed in a soundproof package, and litteraly undetectable. I have used a variety of chemicals to make the bombs. They are all different kinds.

They will all go off at i0:15AM. Through remote detonation. Good Luck. And if that fails, a failsafe of 5 mmutes later.

Oh and for the police officers and technology idiots at the district office trying to track this email and yesturdays “email’s location. I can give you a hint. The email was sent over a newly made gmail account, from overseas in a foreign country. The gmail account was created there, and this email and yesturdays was sent from there. So good luck talking with Italy about getting the identify of the person who owns the 100Mbit dedicated server

An attempt to identify Timberlinebombinfo’s true identity was attempted by the authorities, who subpoenaed MySpace and webmail services, but the person making the threats had sufficiently covered their tracks by apparently using Italian computers to send the messages.

That’s when the FBI came up with an idea. They would infect the suspect’s PC with some spyware called CIPAV (Computer & Internet Protocol Address Verifier) that could report back to them information about the computer (IP address, MAC address, a list of running programs, currently logged-in username and more) that could help identify who was responsible.

The FBI’s attempt to infect the suspect’s computer was successful, and as a consequence a 15-year old student called Josh was arrested.

Now, what hasn’t been commonly known until this week is just *how* the FBI managed to infect Josh’s computer.

Christopher Soghoian, the American Civil Liberties Union’s principal technologist, revealed on Twitter that the FBI sent the malware, via a link in an email deliberately disguised to appear as though it were from the Seattle Times.



This, of course, is precisely the same method that has been used time and time again by cybercriminals over the years – posing as breaking news stories likely to interest recipients, but in reality using social engineering to trick users into clicking on a link to a malware poisoned webpage.

But just because it’s a trick that malicious hackers have proven works time and time again, does that make it right for law enforcement authorities to use it too?

Was it really necessary for the FBI to use the name of a genuine media organisation, without its permission, rather than invent a media outlet for their purposes which wouldn’t bring a real legitimate firm into potential disrepute?

The Seattle Times was less than impressed to find, belatedly, that the FBI had exploited its name in this way:

“We are outraged that the FBI, with the apparent assistance of the U.S. Attorney`s Office, misappropriated the name of The Seattle Times to secretly install spyware on the computer of a crime suspect,” said Seattle Times Editor Kathy Best.

“Not only does that cross a line, it erases it,” she said.

“Our reputation and our ability to do our job as a government watchdog are based on trust. Nothing is more fundamental to that trust than our independence ” from law enforcement, from government, from corporations and from all other special interests,” Best said. “The FBI`s actions, taken without our knowledge, traded on our reputation and put it at peril.”

Paul Colford, a spokesperson for the Associated Press, was similarly aggrieved by the FBI’s actions:

“We are extremely concerned and find it unacceptable that the FBI misappropriated the name of The Associated Press and published a false story attributed to AP. This ploy violated AP`s name and undermined AP`s credibility.”

However, in the opinion of Frank Montoya Jr, who heads up the FBI in Seattle, the public interest was served by the agency’s actions:

“Every effort we made in this investigation had the goal of preventing a tragic event like what happened at Marysville and Seattle Pacific University. We identified a specific subject of an investigation and used a technique that we deemed would be effective in preventing a possible act of violence in a school setting. Use of that type of technique happens in very rare circumstances and only when there is sufficient reason to believe it could be successful in resolving a threat. We were fortunate that information provided by the public gave us the opportunity to step in to a potentially dangerous situation before it was too late.”

What do you think? Was the FBI right to do what it did? Are the news agencies wrong to complain that their name was used in this way? Or are the authorities overstepping the mark in the belief that the end justifies the means? Have your say by leaving a comment below.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like