Home / Blogs

What Are the Connected Assets of Confirmed Fake FBI Domains?

Two months ago, the Federal Bureau of Investigation (FBI) alerted the public to a list of domains that could easily be mistaken to be part of its network. The list of artifacts contained a total of 92 domain names, 78 of which led to potentially malicious websites, while the remaining 14 have yet to be activated or are no longer active as of 23 November 2020.

How Does the Ruse Work?

It is common for threat actors to spoof the domains of legitimate and well-respected organizations to gain the public's trust in phishing emails and scams. Typical end goals include disseminating false information; gathering valid usernames, passwords, and email addresses; collecting personally identifiable information (PII); and spreading malware, leading to further compromises and potential financial losses.

Threat actors often mimic the domains of institutions like the FBI by slightly changing their legitimate counterparts' characteristics. Spoofed domain names may contain misspellings or use alternative top-level domain (TLDs), such as a .com instead of .gov.

Who Is at Risk?

U.S. citizens could unknowingly access the websites the spoofed domains point to while seeking information related to the FBI and its ongoing activities. Worse, threat actors could use email accounts seemingly belonging to the institution to convince people into downloading a piece of malware, putting their systems and data at risk.

Given the potential dangers, the FBI urges citizens to carefully evaluate the domains they access and scrutinize the messages they receive to make sure these are really part of the FBI network. Best practices include:

  • Verifying how web addresses, website names and content, and email addresses are spelled
  • Ensuring operating systems (OSs) and applications are always patched
  • Updating anti-malware and antivirus software regularly
  • Performing regular network scans
  • Disabling macros on documents downloaded from unfamiliar sources
  • Refraining from opening emails or downloading attachments from unknown senders
  • Never providing personal information via email
  • Using strong two-factor authentication, if possible
  • Enabling domain whitelisting apart from blacklisting
  • Ridding systems of unnecessary applications
  • Verifying that every website one visits has a Secure Sockets Layer (SSL) certificate

What Domains Should the American Public Be Wary Of?

The complete list of harmful and suspicious domain names identified by the FBI can be seen in Table 1 below.

Table 1: Confirmed Fake FBI Domains
agenciafbi[.]gafbiigovv[.]cominfofbi-unit[.]com
authefbi[.]gafbi-intel[.]comjohnsonfbi[.]com
cyber-crime-fbi[.]orgfbikids[.]comlegalienfbi[.]com
fbi[.]camerafbimaryland[.]orgplapper-fbi[.]com
fbi[.]cashfbimaxwell[.]compowerfulfbi[.]ninja
fbi[.]cafbimostwanted[.]infous-fbigov[.]com
fbi[.]healthfbi-news[.]comvirtualfbi[.]com
fbi[.]studiofbinews[.]gaxalienfbi[.]com
fbi[.]systemsfbinews[.]onlinex-alienfbi[.]com
fbi[.]xn--mgbayh7gpafbinigeria[.]orgfbi-fraud[.]com
fbi0[.]comfbi-ny[.]comfbidefense[.]com
fbibau[.]usfbioffice[.]mlfbienglish[.]com
fbi2[.]comfbi-official[.]comfbifrauddepartment[.]org
fbi-unit[.]netfbiofficial[.]onlinefbifraud[.]primebnkonline[.]com
fbi3262[.]livefbione[.]comfbiglobalgp[.]com
fbi7[.]cnfbiopenthedoor[.]icufbigov[.]art
fbi9[.]comfbiorganisation[.]onlinefbi-gov[.]network
fbi9[.]mefbiorganization[.]clubfbigrantinvestigation[.]com
fbiagent[.]onlinefbipedophilerings[.]comfbiinspectionunit[.]com
fbi-augustyn[.]plfbiphoto[.]comfbi-police[.]com
fbiaustralia[.]comfbireserveco[.]bizfbi-c-d[.]com[.]co
fbibau[.]defbireport[.]usfbicyberdivision[.]com
fbi-bau[.]defbiusagov[.]onlinehdqkfbi[.]cn
fbi-biz[.]comfbiurl[.]comic-fbi[.]org
fbiboston[.]xn--mgbayh7gpafbiusagov[.]comfbiwarning[.]club
fbi-c[.]com[.]cofbiusgov[.]comfbi-cd[.]com[.]co
fbihelp[.]orgfbi-belote[.]comfbilibrary[.]ml
fbigiftshop[.]shopfbispassport[.]gqfbi-pay[.]com
fbiboston[.]com[.]jofbi99[.]cnfbi2000[.]com
fbiusa[.]netfbi[.]com[.]jofbipublicidad[.]com
fbi-usa[.]usfbi058[.]com

Domain malware checks via VirusTotal revealed that 66 of these 92 domain names (72%) were dubbed "malicious."

Connected Domains and IP Addresses to Steer Clear Of

Apart from the published artifacts, it is also possible to identify multiple connected domains and IP addresses as enumerated in Table 2, 17 of which also proved malicious. Some of the additional 5,140 domains may be malicious or at least suspicious.

Table 2: Malicious Connected IP Addresses and Domains According to VirusTotal as of 2 January 2021
Malicious FBI-Identified DomainConnected IP Addresses(DNS Lookup API)Number of Connected Domains(Reverse IP/DNS API)
cyber-crime-fbi[.]org192[.]64[.]119[.]7040
fbi[.]camera34[.]102[.]136[.]180300+
fbi[.]ca199[.]59[.]242[.]153300+
fbi[.]studio34[.]102[.]136[.]180300+
fbi-unit[.]net208[.]91[.]197[.]91300+
fbi9[.]me217[.]70[.]184[.]38300+
fbi-c[.]com[.]co34[.]102[.]136[.]180300+
fbimaryland[.]org217[.]70[.]184[.]38300+
fbimaxwell[.]com91[.]195[.]240[.]94300+
fbimostwanted[.]info34[.]102[.]136[.]180300+
fbi-news[.]com198[.]54[.]117[.]197300+
fbi-ny[.]com208[.]91[.]197[.]91300+
fbiorganisation[.]online34.102.136.180300+
fbireport[.]us23.94.191.90300+
legalienfbi[.]com34.102.136.180300+
x-alienfbi[.]com34.102.136.180300+
fbi-c-d[.]com[.]co34.102.136.180300+


Public IoC releases are indeed helpful to IT security teams whose main goal is to keep their organizations' infrastructure and confidential data protected at all costs. At times, however, they are not complete. As the short study featured in this post shows, users who want top-notch security may need to do extra research to include all possible threat vectors in their blacklists, including the use of Domain, IP, and other threat intelligence tools.

By Jonathan Zhang, Founder and CEO of WhoisXMLAPI & ThreatIntelligencePlatform.com

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

In addition to mentioned potential usage, there By Derek  –  Feb 13, 2021 2:43 pm PST

In addition to mentioned potential usage, there is one definite additional usage. In fact this is how we found this post.

419 Fraud: Where victims refuse to pay "fees", the fake FBI will contact the victim. This does not have to be a US victim either, the reach is global. The victim is now threatened with arrest for money laundering, not paying taxes or whatever grabs the imagination of the scammer.

Another small issue not considered: The domain does not have to have a website to be abused, only a working email. In fact the latter is more common and any authority can be spoofed this way.

This form of domain abuse has been around since at least the early 2000's, yet many people still don't get this part. Instead the standard traditional old-school ITSec thought processes applies and the threat assessment fails. They is why BEC has grown so successfully. A lot of 419 is convincing eye candy with domains being cheap commodity items to be abused.

On the counter non-delivery scam side that Interpol recently alerted about in a Purple Notice, we equally see parties like the DEA and FDA spoofed to blackmail victims. In fact both have an alert out on this.
https://www.deadiversion.usdoj.gov/pubs/pressreleases/extortion_scam.htm
https://www.fda.gov/news-events/press-announcements/fda-warns-imposters-sending-consumers-fake-warning-letters

I thought it important to clarify this. Thanks.

Derek, very nice addition here. 419 fraud By Jonathan Zhang  –  Feb 15, 2021 12:41 pm PST

Derek, very nice addition here. 419 fraud (which I believe has also been coined the Nigerian scam) is definitely a problem. By the way, is there a way we can connect to continue this chat? You can find me on LinkedIn at https://www.linkedin.com/in/jonathanmzhang/ or email me at [email protected]

Add Your Comments

 To post your comments, please login or create an account.

Related

Topics

Cybercrime

Sponsored byThreat Intelligence Platform

DNS Security

Sponsored byAfilias

Whois

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byAfilias

Brand Protection

Sponsored byAppdetex

IP Addressing

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign