FBI hunts terror suspect through malware, Yahoo, Google

The FBI has been using malware as a means to hunt down certain suspects, as exemplified in the case of a man who has been making bomb threats since June 2012, reports the Washington Post. Some of the malware was a surveillance program planted onto the suspect's computer when he signed into his Yahoo account, but the malware didn't work. The suspect, Mohammed Arian Far — "Mo" for short — has not yet been apprehended, though the FBI continues its high-tech search for Mo and others.

Before the Yahoo operation, the FBI was able to obtain some initial information about Mo by petitioning Google directly to cough up some data. Agents found the Google account name he had been using to call the agency with bomb threats via Google Voice. But Mo had been using a virtual proxy to mask his IP address, and therefore his physical location (suspected to be Iran, based on photographs Mo had sent) could not be confirmed.

When Mo switched to a Yahoo account, the FBI obtained formal permission from a federal judge to run a malware attack on Mo's computer. The program would download the moment he signed in to his Yahoo account. It would attack a variety of software on the machine for the purpose of eventually ascertaining Mo's exact location. But one instance of the target software had recently undergone an update, so the FBI had to recalibrate the malware and rig his Yahoo account again. Even after that, the software didn't function properly. Add to this a misspelling of his Yahoo address, and that particular portion of the FBI's high-tech sting operation amounted to a mostly fruitless endeavor.

On the bright side for the FBI, Mo's computer did ping an FBI computer, placing him somewhere in Tehran as of last December (a year ago). But that's not accurate enough location data to obtain a positive ID. The hunt continues.

The FBI will not divulge detailed information about how it carried out the Yahoo-based sting on Mo, but it is somewhat reminiscent of the quantum inserts routinely performed by the NSA and GCHQ. In some instances, the two agencies served up false copies of LinkedIn to target individuals and companies in order to install malware which could then be used for spying on data. Quantum inserts are made possible by establishing data intercepts at key points along the global Internet backbone and harnessing the unparalleled processing power of the NSA to beat the genuine website to the punch when serving up the faked web page.

The Post article also highlighted the occasional use of remote webcam operation, which the FBI has been doing for years. With a judge's permission and in extreme cases, the FBI can activate a webcam without the power indicator light turning on. This tactic was not used in pursuit of Mo, but it is used for other serious cases.

SOURCE: Washington Post