|
Two months ago, the Federal Bureau of Investigation (FBI) alerted the public to a list of domains that could easily be mistaken to be part of its network. The list of artifacts contained a total of 92 domain names, 78 of which led to potentially malicious websites, while the remaining 14 have yet to be activated or are no longer active as of 23 November 2020.
It is common for threat actors to spoof the domains of legitimate and well-respected organizations to gain the public’s trust in phishing emails and scams. Typical end goals include disseminating false information; gathering valid usernames, passwords, and email addresses; collecting personally identifiable information (PII); and spreading malware, leading to further compromises and potential financial losses.
Threat actors often mimic the domains of institutions like the FBI by slightly changing their legitimate counterparts’ characteristics. Spoofed domain names may contain misspellings or use alternative top-level domain (TLDs), such as a .com instead of .gov.
U.S. citizens could unknowingly access the websites the spoofed domains point to while seeking information related to the FBI and its ongoing activities. Worse, threat actors could use email accounts seemingly belonging to the institution to convince people into downloading a piece of malware, putting their systems and data at risk.
Given the potential dangers, the FBI urges citizens to carefully evaluate the domains they access and scrutinize the messages they receive to make sure these are really part of the FBI network. Best practices include:
The complete list of harmful and suspicious domain names identified by the FBI can be seen in Table 1 below.
agenciafbi[.]ga | fbiigovv[.]com | infofbi-unit[.]com |
authefbi[.]ga | fbi-intel[.]com | johnsonfbi[.]com |
cyber-crime-fbi[.]org | fbikids[.]com | legalienfbi[.]com |
fbi[.]camera | fbimaryland[.]org | plapper-fbi[.]com |
fbi[.]cash | fbimaxwell[.]com | powerfulfbi[.]ninja |
fbi[.]ca | fbimostwanted[.]info | us-fbigov[.]com |
fbi[.]health | fbi-news[.]com | virtualfbi[.]com |
fbi[.]studio | fbinews[.]ga | xalienfbi[.]com |
fbi[.]systems | fbinews[.]online | x-alienfbi[.]com |
fbi[.]xn—mgbayh7gpa | fbinigeria[.]org | fbi-fraud[.]com |
fbi0[.]com | fbi-ny[.]com | fbidefense[.]com |
fbibau[.]us | fbioffice[.]ml | fbienglish[.]com |
fbi2[.]com | fbi-official[.]com | fbifrauddepartment[.]org |
fbi-unit[.]net | fbiofficial[.]online | fbifraud[.]primebnkonline[.]com |
fbi3262[.]live | fbione[.]com | fbiglobalgp[.]com |
fbi7[.]cn | fbiopenthedoor[.]icu | fbigov[.]art |
fbi9[.]com | fbiorganisation[.]online | fbi-gov[.]network |
fbi9[.]me | fbiorganization[.]club | fbigrantinvestigation[.]com |
fbiagent[.]online | fbipedophilerings[.]com | fbiinspectionunit[.]com |
fbi-augustyn[.]pl | fbiphoto[.]com | fbi-police[.]com |
fbiaustralia[.]com | fbireserveco[.]biz | fbi-c-d[.]com[.]co |
fbibau[.]de | fbireport[.]us | fbicyberdivision[.]com |
fbi-bau[.]de | fbiusagov[.]online | hdqkfbi[.]cn |
fbi-biz[.]com | fbiurl[.]com | ic-fbi[.]org |
fbiboston[.]xn—mgbayh7gpa | fbiusagov[.]com | fbiwarning[.]club |
fbi-c[.]com[.]co | fbiusgov[.]com | fbi-cd[.]com[.]co |
fbihelp[.]org | fbi-belote[.]com | fbilibrary[.]ml |
fbigiftshop[.]shop | fbispassport[.]gq | fbi-pay[.]com |
fbiboston[.]com[.]jo | fbi99[.]cn | fbi2000[.]com |
fbiusa[.]net | fbi[.]com[.]jo | fbipublicidad[.]com |
fbi-usa[.]us | fbi058[.]com |
Domain malware checks via VirusTotal revealed that 66 of these 92 domain names (72%) were dubbed “malicious.”
Apart from the published artifacts, it is also possible to identify multiple connected domains and IP addresses as enumerated in Table 2, 17 of which also proved malicious. Some of the additional 5,140 domains may be malicious or at least suspicious.
Malicious FBI-Identified Domain | Connected IP Addresses(DNS Lookup API) | Number of Connected Domains(Reverse IP/DNS API) |
---|---|---|
cyber-crime-fbi[.]org | 192[.]64[.]119[.]70 | 40 |
fbi[.]camera | 34[.]102[.]136[.]180 | 300+ |
fbi[.]ca | 199[.]59[.]242[.]153 | 300+ |
fbi[.]studio | 34[.]102[.]136[.]180 | 300+ |
fbi-unit[.]net | 208[.]91[.]197[.]91 | 300+ |
fbi9[.]me | 217[.]70[.]184[.]38 | 300+ |
fbi-c[.]com[.]co | 34[.]102[.]136[.]180 | 300+ |
fbimaryland[.]org | 217[.]70[.]184[.]38 | 300+ |
fbimaxwell[.]com | 91[.]195[.]240[.]94 | 300+ |
fbimostwanted[.]info | 34[.]102[.]136[.]180 | 300+ |
fbi-news[.]com | 198[.]54[.]117[.]197 | 300+ |
fbi-ny[.]com | 208[.]91[.]197[.]91 | 300+ |
fbiorganisation[.]online | 34.102.136.180 | 300+ |
fbireport[.]us | 23.94.191.90 | 300+ |
legalienfbi[.]com | 34.102.136.180 | 300+ |
x-alienfbi[.]com | 34.102.136.180 | 300+ |
fbi-c-d[.]com[.]co | 34.102.136.180 | 300+ |
Public IoC releases are indeed helpful to IT security teams whose main goal is to keep their organizations’ infrastructure and confidential data protected at all costs. At times, however, they are not complete. As the short study featured in this post shows, users who want top-notch security may need to do extra research to include all possible threat vectors in their blacklists, including the use of Domain, IP, and other threat intelligence tools.
Sponsored byDNIB.com
Sponsored byIPv4.Global
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byRadix
Sponsored byCSC
Sponsored byVerisign
In addition to mentioned potential usage, there is one definite additional usage. In fact this is how we found this post.
419 Fraud: Where victims refuse to pay “fees”, the fake FBI will contact the victim. This does not have to be a US victim either, the reach is global. The victim is now threatened with arrest for money laundering, not paying taxes or whatever grabs the imagination of the scammer.
Another small issue not considered: The domain does not have to have a website to be abused, only a working email. In fact the latter is more common and any authority can be spoofed this way.
This form of domain abuse has been around since at least the early 2000’s, yet many people still don’t get this part. Instead the standard traditional old-school ITSec thought processes applies and the threat assessment fails. They is why BEC has grown so successfully. A lot of 419 is convincing eye candy with domains being cheap commodity items to be abused.
On the counter non-delivery scam side that Interpol recently alerted about in a Purple Notice, we equally see parties like the DEA and FDA spoofed to blackmail victims. In fact both have an alert out on this.
https://www.deadiversion.usdoj.gov/pubs/pressreleases/extortion_scam.htm
https://www.fda.gov/news-events/press-announcements/fda-warns-imposters-sending-consumers-fake-warning-letters
I thought it important to clarify this. Thanks.
Derek, very nice addition here. 419 fraud (which I believe has also been coined the Nigerian scam) is definitely a problem. By the way, is there a way we can connect to continue this chat? You can find me on LinkedIn at https://www.linkedin.com/in/jonathanmzhang/ or email me at [email protected].