
What Are the Connected Assets of Confirmed Fake FBI Domains?

Two months ago, the Federal Bureau of Investigation (FBI) alerted the public to a list of domains that could easily be mistaken for part of its network. The list of artifacts contained a total of 92 domain names, 78 of which led to potentially malicious websites, while the remaining 14 had yet to be activated or were no longer active as of 23 November 2020.

How Does the Ruse Work?

It is common for threat actors to spoof the domains of legitimate and well-respected organizations to gain the public’s trust in phishing emails and scams. Typical end goals include disseminating false information; gathering valid usernames, passwords, and email addresses; collecting personally identifiable information (PII); and spreading malware, leading to further compromises and potential financial losses.

Threat actors often mimic the domains of institutions like the FBI by slightly altering the characteristics of the legitimate names. Spoofed domain names may contain misspellings or use alternative top-level domains (TLDs), such as .com instead of .gov.
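To make these spoofing patterns concrete, here is an added example (not code from the original post): a small Python checker that refangs a defanged name and flags the traits described above, namely an fbi-bearing label under a non-.gov TLD, extra text glued onto the brand, a punycode (xn--) TLD, or a digit-for-letter substitution. The legitimate zone set, the brand token and the substitution map are assumptions made for the example.

```python
# Added example: heuristic lookalike check for FBI-themed domains (not the post's own code).
# Assumptions: the only legitimate zone is fbi.gov, the brand token is "fbi",
# and SUBSTITUTIONS covers the common digit-for-letter swaps.
LEGIT_ZONES = {"fbi.gov"}
BRAND = "fbi"
SUBSTITUTIONS = str.maketrans({"1": "i", "0": "o", "3": "e", "5": "s"})


def refang(domain: str) -> str:
    """Turn a defanged name such as 'fbi[.]camera' back into 'fbi.camera'."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")


def normalize_label(label: str) -> str:
    """Undo digit/letter substitutions so 'fb1' compares equal to 'fbi'."""
    return label.translate(SUBSTITUTIONS)


def classify(domain: str) -> dict:
    """Return a verdict ('legitimate', 'suspicious', 'unrelated') plus the reasons."""
    d = refang(domain)
    if d in LEGIT_ZONES or any(d.endswith("." + z) for z in LEGIT_ZONES):
        return {"domain": d, "verdict": "legitimate", "reasons": []}

    labels = d.split(".")
    tld, body = labels[-1], labels[:-1]
    # Labels (other than the TLD) that carry the brand token after undoing substitutions.
    hits = [lbl for lbl in body if BRAND in normalize_label(lbl)]
    if not hits:
        return {"domain": d, "verdict": "unrelated", "reasons": []}

    reasons = []
    if tld.startswith("xn--"):
        reasons.append("punycode (IDN) top-level domain")
    elif tld != "gov":
        reasons.append(f"brand under non-.gov TLD .{tld}")
    for lbl in hits:
        if normalize_label(lbl) != BRAND:
            reasons.append(f"brand embedded in label '{lbl}'")
        elif lbl != BRAND:
            reasons.append(f"digit/letter substitution in label '{lbl}'")
    return {"domain": d, "verdict": "suspicious", "reasons": reasons}


if __name__ == "__main__":
    for name in ("fbi.gov", "fbi[.]camera", "agenciafbi[.]ga", "fb1.gov", "fbi[.]xn--mgbayh7gpa"):
        print(classify(name))
```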

Who Is at Risk?

U.S. citizens could unknowingly access the websites the spoofed domains point to while seeking information about the FBI and its ongoing activities. Worse, threat actors could use email accounts that appear to belong to the institution to convince people to download malware, putting their systems and data at risk.

Given the potential dangers, the FBI urges citizens to carefully evaluate the domains they access and scrutinize the messages they receive to make sure these are really part of the FBI network. Best practices include:

  • Verifying how web addresses, website names and content, and email addresses are spelled
  • Ensuring operating systems (OSs) and applications are always patched
  • Updating anti-malware and antivirus software regularly
  • Performing regular network scans
  • Disabling macros on documents downloaded from unfamiliar sources
  • Refraining from opening emails or downloading attachments from unknown senders
  • Never providing personal information via email
  • Using strong two-factor authentication, if possible
  • Enabling domain whitelisting apart from blacklisting
  • Ridding systems of unnecessary applications
  • Verifying that every website one visits has a Secure Sockets Layer (SSL) certificate

What Domains Should the American Public Be Wary Of?

The complete list of harmful and suspicious domain names identified by the FBI can be seen in Table 1 below.

Table 1: Confirmed Fake FBI Domains

Domain malware checks via VirusTotal revealed that 66 of these 92 domain names (72%) were dubbed “malicious.”

Connected Domains and IP Addresses to Steer Clear Of

Apart from the published artifacts, it is also possible to identify multiple connected domains and IP addresses as enumerated in Table 2, 17 of which also proved malicious. Some of the additional 5,140 domains may be malicious or at least suspicious.

Table 2: Malicious Connected IP Addresses and Domains According to VirusTotal as of 2 January 2021
Malicious FBI-Identified Domain | Connected IP Address (DNS Lookup API) | Number of Connected Domains (Reverse IP/DNS API)
--- | --- | ---
cyber-crime-fbi[.]org | 192[.]64[.]119[.]70 | 40
fbi[.]camera | 34[.]102[.]136[.]180 | 300+
fbi[.]ca | 199[.]59[.]242[.]153 | 300+
fbi[.]studio | 34[.]102[.]136[.]180 | 300+
fbi-unit[.]net | 208[.]91[.]197[.]91 | 300+
fbi9[.]me | 217[.]70[.]184[.]38 | 300+
fbi-c[.]com[.]co | 34[.]102[.]136[.]180 | 300+
fbimaryland[.]org | 217[.]70[.]184[.]38 | 300+
fbimaxwell[.]com | 91[.]195[.]240[.]94 | 300+
fbimostwanted[.]info | 34[.]102[.]136[.]180 | 300+
fbi-news[.]com | 198[.]54[.]117[.]197 | 300+
fbi-ny[.]com | 208[.]91[.]197[.]91 | 300+
fbiorganisation[.]online | 34[.]102[.]136[.]180 | 300+
fbireport[.]us | 23[.]94[.]191[.]90 | 300+
legalienfbi[.]com | 34[.]102[.]136[.]180 | 300+
x-alienfbi[.]com | 34[.]102[.]136[.]180 | 300+
fbi-c-d[.]com[.]co | 34[.]102[.]136[.]180 | 300+
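The IP pivot behind Table 2, written out as an added example rather than the post's own tooling: group the confirmed fake domains by the address they resolve to, then triage the reverse-IP neighbours. Because a shared address on commodity hosting is weak evidence by itself, the ranking also asks whether a neighbour carries the brand token and how many confirmed seeds sit on that IP. The seed addresses are taken from Table 2; the reverse-IP neighbours (the *-example.* names) and the thresholds are constructed for the example.

```python
from collections import defaultdict

# Added example, not the post's tooling. Seed IPs come from Table 2 of the post;
# the reverse-IP neighbours (*-example.* names) are constructed for illustration.
SEED_A_RECORDS = {
    "fbi.camera": "34.102.136.180",
    "fbi.studio": "34.102.136.180",
    "legalienfbi.com": "34.102.136.180",
    "fbi-ny.com": "208.91.197.91",
    "fbi-unit.net": "208.91.197.91",
    "cyber-crime-fbi.org": "192.64.119.70",
}
REVERSE_IP = {
    "34.102.136.180": ["fbi-c.com.co", "bakery-example.net", "x-alienfbi.com", "parked-example.org"],
    "208.91.197.91": ["fbi-official.com", "florist-example.com"],
    "192.64.119.70": ["fbikids.com", "hosting-example.com"],
}


def pivot_by_ip(seeds: dict) -> dict:
    """Group confirmed-bad domains by the IP they resolve to (the Table 2 view)."""
    by_ip = defaultdict(set)
    for domain, ip in seeds.items():
        by_ip[ip].add(domain)
    return dict(by_ip)


def carries_brand(domain: str, brand: str = "fbi") -> bool:
    """True if any label other than the TLD contains the brand token."""
    return any(brand in lbl for lbl in domain.lower().split(".")[:-1])


def triage(seeds: dict, reverse: dict, brand: str = "fbi", min_seeds: int = 2) -> dict:
    """Rank co-hosted neighbours: 'high' needs a brand-bearing name AND several seeds on the IP."""
    by_ip = pivot_by_ip(seeds)
    ranked = {}
    for ip, neighbours in reverse.items():
        seeds_here = len(by_ip.get(ip, ()))
        for domain in neighbours:
            if domain in seeds:  # already on the published list, nothing new to add
                continue
            brand_hit = carries_brand(domain, brand)
            if brand_hit and seeds_here >= min_seeds:
                priority = "high"
            elif brand_hit or seeds_here >= min_seeds:
                priority = "medium"
            else:
                priority = "low"
            ranked[domain] = {"ip": ip, "seeds_on_ip": seeds_here, "brand": brand_hit, "priority": priority}
    return ranked
```

Running `triage(SEED_A_RECORDS, REVERSE_IP)` puts the brand-bearing neighbours on the heavily shared 34.102.136.180 at the top, while an unrelated name on an IP hosting a single seed ranks low.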

Public IoC releases are indeed helpful to IT security teams whose main goal is to keep their organizations’ infrastructure and confidential data protected at all costs. At times, however, they are not complete. As the short study featured in this post shows, users who want top-notch security may need to do extra research to include all possible threat vectors in their blacklists, including the use of Domain, IP, and other threat intelligence tools.

By Jonathan Zhang, Founder and CEO of WhoisXMLAPI & ThreatIntelligencePlatform.com


Comments

Derek  –  Feb 13, 2021 10:43 PM

In addition to mentioned potential usage, there is one definite additional usage. In fact this is how we found this post.

419 Fraud: Where victims refuse to pay “fees”, the fake FBI will contact the victim. This does not have to be a US victim either, the reach is global. The victim is now threatened with arrest for money laundering, not paying taxes or whatever grabs the imagination of the scammer.

Another small issue not considered: The domain does not have to have a website to be abused, only a working email. In fact the latter is more common and any authority can be spoofed this way.

This form of domain abuse has been around since at least the early 2000s, yet many people still don’t get this part. Instead, the standard traditional old-school ITSec thought processes apply and the threat assessment fails. That is why BEC has grown so successfully. A lot of 419 is convincing eye candy, with domains being cheap commodity items to be abused.

On the counter non-delivery scam side that Interpol recently alerted about in a Purple Notice, we equally see parties like the DEA and FDA spoofed to blackmail victims. In fact both have an alert out on this.
https://www.deadiversion.usdoj.gov/pubs/pressreleases/extortion_scam.htm
https://www.fda.gov/news-events/press-announcements/fda-warns-imposters-sending-consumers-fake-warning-letters

I thought it important to clarify this. Thanks.

Jonathan Zhang  –  Feb 15, 2021 8:41 PM

Derek, very nice addition here. 419 fraud (which I believe has also been coined the Nigerian scam) is definitely a problem. By the way, is there a way we can connect to continue this chat? You can find me on LinkedIn at https://www.linkedin.com/in/jonathanmzhang/ or email me at [email protected].
