Two months ago, the Federal Bureau of Investigation (FBI) alerted the public to a list of domains that could easily be mistaken to be part of its network. The list of artifacts contained a total of 92 domain names, 78 of which led to potentially malicious websites, while the remaining 14 have yet to be activated or are no longer active as of 23 November 2020.

How Does the Ruse Work?

It is common for threat actors to spoof the domains of legitimate and well-respected organizations to gain the public's trust in phishing emails and scams. Typical end goals include disseminating false information; gathering valid usernames, passwords, and email addresses; collecting personally identifiable information (PII); and spreading malware, leading to further compromises and potential financial losses.

Threat actors often mimic the domains of institutions like the FBI by slightly changing their legitimate counterparts' characteristics. Spoofed domain names may contain misspellings or use alternative top-level domain (TLDs), such as a .com instead of .gov.

Who Is at Risk?

U.S. citizens could unknowingly access the websites the spoofed domains point to while seeking information related to the FBI and its ongoing activities. Worse, threat actors could use email accounts seemingly belonging to the institution to convince people into downloading a piece of malware, putting their systems and data at risk.

Given the potential dangers, the FBI urges citizens to carefully evaluate the domains they access and scrutinize the messages they receive to make sure these are really part of the FBI network. Best practices include:

• Verifying how web addresses, website names and content, and email addresses are spelled
• Ensuring operating systems (OSs) and applications are always patched
• Updating anti-malware and antivirus software regularly
• Performing regular network scans
• Disabling macros on documents downloaded from unfamiliar sources
• Refraining from opening emails or downloading attachments from unknown senders
• Never providing personal information via email
• Using strong two-factor authentication, if possible
• Enabling domain whitelisting apart from blacklisting
• Ridding systems of unnecessary applications
• Verifying that every website one visits has a Secure Sockets Layer (SSL) certificate

What Domains Should the American Public Be Wary Of?

The complete list of harmful and suspicious domain names identified by the FBI can be seen in Table 1 below.

Domain malware checks via VirusTotal revealed that 66 of these 92 domain names (72%) were dubbed "malicious."

Connected Domains and IP Addresses to Steer Clear Of

Apart from the published artifacts, it is also possible to identify multiple connected domains and IP addresses as enumerated in Table 2, 17 of which also proved malicious. Some of the additional 5,140 domains may be malicious or at least suspicious.

Public IoC releases are indeed helpful to IT security teams whose main goal is to keep their organizations' infrastructure and confidential data protected at all costs. At times, however, they are not complete. As the short study featured in this post shows, users who want top-notch security may need to do extra research to include all possible threat vectors in their blacklists, including the use of Domain, IP, and other threat intelligence tools.