Notably, only one other domain has previously resolved to the same IP address as the fake FedEx page: a domain that alludes to a law firm. The site only existed for a short time, is offline at the time of writing, and seems to have a very small digital footprint. It appears this law firm domain may also be connected to the FBI.

Caption: A section of one of the warrant applications describing the fake FedEx website. Image: Motherboard.

That FedEx unmasking attempt was not successful, it seems—the cybercriminal checked the link from six different IP addresses, some of them proxies—and the FBI moved on to use a network investigative technique, or NIT, instead. NIT is an umbrella term the FBI uses for a variety of hacking approaches. Previous cases have used a Tor Browser exploit to break into a target’s computer and force it to connect to an FBI server, revealing the target’s real IP address. Other NITs have been somewhat less technically sophisticated, and have included booby-trapped video or Word files that, once opened, also ‘phone home’ to the FBI.

This new NIT falls into that latter category. The FBI attempted to locate the cybercriminals with a Word document containing an image that would connect to the FBI server and reveal the target’s IP address, according to court records. The image was a screenshot of a FedEx tracking portal for a sent payment, the court records add.

In the second case found by Motherboard, in August 2017, a business in the Western District of New York received an email claiming to be from Invermar, a Chilean seafood vendor and one of the company’s suppliers, according to court records. This email, posing as a known employee of Invermar, asked the victim to send funds to a new bank account. Whereas the legitimate Invermar domain ends with a .cl suffix, the hackers used one ending in .us. The business the hackers targeted apparently didn’t notice the different suffix, and over the course of September and October wire-transferred around $1.2 million to the cybercriminals, with the victim eventually able to recover $300,000 (the court documents don’t specify how exactly, although a chargeback seems likely).
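The Invermar case turns on a sender domain that matches a known supplier in every label except the suffix. That is a mechanical thing to check before any payment-instruction change is acted on. The code below is an added example, not something from the article or from either company involved; the supplier allowlist and the e-mail addresses are constructed. It extracts the sender's domain, reports an exact match against the allowlist, flags a "suffix mismatch" when the registrable label is identical but the top-level domain differs (the .cl versus .us pattern), and flags a broader "lookalike" when the label is merely close. It assumes the last label is the public suffix, which is wrong for multi-label suffixes such as .co.uk; a production check would use a public-suffix list.

```python
import difflib

# Constructed allowlist of suppliers the finance team is allowed to pay.
KNOWN_SUPPLIER_DOMAINS = ("invermar.cl", "example-logistics.com")


def sender_domain(address):
    """Domain part of a From header such as 'Name <user@host>' or 'user@host'."""
    return address.rsplit("@", 1)[-1].strip().rstrip(">").strip().lower()


def split_domain(domain):
    """(registrable label, suffix). Assumes a single-label public suffix,
    which is enough for .cl/.us but not for .co.uk-style suffixes."""
    labels = domain.strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def check_sender(address, known=KNOWN_SUPPLIER_DOMAINS, similarity=0.85):
    """Classify a sender address relative to the supplier allowlist.

    verdicts: 'known'           exact allowlisted domain
              'suffix-mismatch' same registrable label, different suffix
              'lookalike'       registrable label is close to a known one
              'unknown'         no resemblance to any allowlisted domain
    """
    domain = sender_domain(address)
    if domain in known:
        return {"domain": domain, "verdict": "known", "matches": domain}

    label, suffix = split_domain(domain)
    for candidate in known:
        klabel, ksuffix = split_domain(candidate)
        if label == klabel and suffix != ksuffix:
            return {"domain": domain, "verdict": "suffix-mismatch", "matches": candidate}
        ratio = difflib.SequenceMatcher(None, label, klabel).ratio()
        if ratio >= similarity:
            return {"domain": domain, "verdict": "lookalike", "matches": candidate}
    return {"domain": domain, "verdict": "unknown", "matches": None}


def requires_out_of_band_verification(address):
    """Policy hook: any bank-detail change from a non-allowlisted sender that
    resembles a supplier must be confirmed by phone on a number already on file."""
    return check_sender(address)["verdict"] in ("suffix-mismatch", "lookalike")


if __name__ == "__main__":
    for addr in ("Accounts <accounts@invermar.cl>",
                 "accounts@invermar.us",
                 "accounts@invermer.cl",
                 "newsletter@unrelated.org"):
        print(addr, "->", check_sender(addr))
```

The suffix-mismatch branch is the one that would have caught the .us domain in this case; the similarity branch catches the next most common variation, a single changed or added character in the supplier's name. Either verdict should route the request to a verification step that does not rely on contact details taken from the suspicious e-mail itself.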