What Are the Connected Assets of Confirmed Fake FBI Domains?

Read the original article: What Are the Connected Assets of Confirmed Fake FBI Domains?

Two months ago, the Federal Bureau of Investigation (FBI) alerted the public to a list of domains that could easily be mistaken to be part of its network. The list of artifacts contained a total of 92 domain names, 78 of which led to potentially malicious websites, while the remaining 14 have yet to be activated or are no longer active as of 23 November 2020.

How Does the Ruse Work?

It is common for threat actors to spoof the domains of legitimate and well-respected organizations to gain the public’s trust in phishing emails and scams. Typical end goals include disseminating false information; gathering valid usernames, passwords, and email addresses; collecting personally identifiable information (PII); and spreading malware, leading to further compromises and potential financial losses.

Threat actors often mimic the domains of institutions like the FBI by slightly changing their legitimate counterparts’ characteristics. Spoofed domain names may contain misspellings or use alternative top-level domain (TLDs), such as a .com instead of .gov.

Who Is at Risk?

U.S. citizens could unknowingly access the websites the spoofed domains point to while seeking information related to the FBI and its ongoing activities. Worse, threat actors could use email accounts seemingly belonging to the institution to convince people into downloading a piece of malware, putting their systems and data at risk.

Given the potential dangers, the FBI urges citizens to carefully evaluate the domains they access and scrutinize the messages they receive to make sure these are really part of the FBI network. Best practices include:

Verifying how web addresses, website names and content, and email addresses are spelled
Ensuring operating systems (OSs) and applications are always patched
Updating anti-malware and antivirus software regularly
Performing regular network scans
Disabling macros on documents downloaded from unfamiliar sources
Refraining from opening emails or downloading attachments from unknown senders
Never providing personal information via email
Using strong two-factor authentication, if possible
Enabling domain whitelisting apart from blacklisting
Ridding systems of unnecessary applications
Verifying that every website one visits has a Secure Sockets Layer (SSL) certificate

What Domains Should the American Public Be Wary Of?

The complete list of harmful and suspicious domain names identified by the FBI can be seen in Table 1 below.

Table 1: Confirmed Fake FBI Domains
agenciafbi[.]ga	fbiigovv[.]com	infofbi-unit[.]com
authefbi[.]ga	fbi-intel[.]com	johnsonfbi[.]com
cyber-crime-fbi[.]org	fbikids[.]com	legalienfbi[.]com
fbi[.]camera	fbimaryland[.]org	plapper-fbi[.]com
fbi[.]cash	fbimaxwell[.]com	powerfulfbi[.]ninja
fbi[.]ca	fbimostwanted[.]info	us-fbigov[.]com
fbi[.]health	fbi-news[.]com	virtualfbi[.]com
fbi[.]studio	fbinews[.]ga	xalienfbi[.]com
fbi[.]systems	fbinews[.]online	x-alienfbi[.]com
fbi[.]xn--mgbayh7gpa	fbinigeria[.]org	fbi-fraud[.]com
fbi0[.]com	fbi-ny[.]com	fbidefense[.]com
fbibau[.]us	fbioffice[.]ml	fbienglish[.]com
fbi2[.]com	fbi-official[.]com	fbifrauddepartment[.]org
fbi-unit[.]net	fbiofficial[.]online	fbifraud[.]primebnkonline[.]com
fbi3262[.]live	fbione[.]com	fbiglobalgp[.]com
fbi7[.]cn	fbiopenthedoor[.]icu	fbigov[.]art
fbi9[.]com	fbiorganisation[.]online	fbi-gov[.]network
fbi9[.]me	fbiorganization[.]club	fbigrantinvestigation[.]com
fbiagent[.]online	fbipedophilerings[.]com	fbiinspectionunit[.]com
fbi-augustyn[.]pl	fbiphoto[.]com	fbi-police[.]com
fbiaustralia[.]com	fbireserveco[.]biz	fbi-c-d[.]com[.]co
fbibau[.]de	fbireport[.]us	fbicyberdivision[.]com
fbi-bau[.]de	fbiusagov[.]online	hdqkfbi[.]cn
fbi-biz[.]com	fbiurl[.]com	ic-fbi[.]org
fbiboston[.]xn--mgbayh7gpa	fbiusagov[.]com	fbiwarning[.]club
fbi-c[.]com[.]co	fbiusgov[.]com	fbi-cd[.]com[.]co
fbihelp[.]org	fbi-belote[.]com	fbilibrary[.]ml
fbigiftshop[.]shop	fbispassport[.]gq	fbi-pay[.]com
fbiboston[.]com[.]jo	fbi99[.]cn	fbi2000[.]com
fbiusa[.]net	fbi[.]com[.]jo	fbipublicidad[.]com
fbi-usa[.]us	fbi058[.]com

Domain malware checks via VirusTotal revealed that 66 of these 92 domain names (72%) were dubbed “malicious.”

Connected Domains and IP Addresses to Steer Clear Of

Apart from the published artifacts, it is also possible to identify multiple connected domains and IP addresses as enumerated in Table 2, 17 of which also proved malicious. Some of the additional 5,140 domains may be malicious or at least suspicious.

Table 2: Malicious Connected IP Addresses and Domains According to VirusTotal as of 2 January 2021
Malicious FBI-Identified Domain	Connected IP Addresses(DNS Lookup API)	Number of Connected Domains(Reverse IP/DNS API)
cyber-crime-fbi[.]org	192[.]64[.]119[.]70	40
fbi[.]camera	34[.]102[.]136[.]180	300+
fbi[.]ca	199[.]59[.]242[.]153	300+
fbi[.]studio	34[.]102[.]136[.]180	300+
fbi-unit[.]net	208[.]91[.]197[.]91	300+
fbi9[.]me	217[.]70[.]184[.]38	300+
fbi-c[.]com[.]co	34[.]102[.]136[.]180	300+
fbimaryland[.]org	217[.]70[.]184[.]38	300+
fbimaxwell[.]com	91[.]195[.]240[.]94	300+
fbimostwanted[.]info	34[.]102[.]136[.]180	300+
fbi-news[.]com	198[.]54[.]117[.]197	300+
fbi-ny[.]com	208[.]91[.]197[.]91	300+
fbiorganisation[.]online	34.102.136.180	300+
fbireport[.]us	23.94.191.90	300+
legalienfbi[.]com	34.102.136.180	300+
x-alienfbi[.]com	34.102.136.180	300+
fbi-c-d[.]com[.]co	34.102.136.180	300+

Public IoC releases are indeed helpful to IT security teams whose main goal is to keep their organizations’ infrastructure and confidential data protected at all costs. At times, however, they are not complete. As the short study featured in this post shows, users who want top-notch security may need to do extra research to include all possible threat vectors in their blacklists, including the use of Domain, IP, and other threat intelligence tools.

Written by Jonathan Zhang, Founder and CEO of WhoisXMLAPI & ThreatIntelligencePlatform.com

Become a supporter of IT Security News and help us remove the ads.