A recent FBI announcement warned that threat actors are creating domains that spoof the law enforcement agency’s official websites.

Inside the FBI Announcement

On Nov. 23, 2020, the FBI warned that malicious actors were using domain spoofing to look like its real websites. The FBI announcement listed 99 websites that threat actors had set up. Each was meant to look like its main official website, www.fbi[dot]gov.

Some of those spoofed domains simply used different top level domains than the bureau’s official website. These included fbi[dot]camera, fbi[dot]cash, fbi[dot]health, fbi[dot]studio and fbi[dot]systems. One domain, fbi[dot]ca, used the country code top-level domain for Canada.

Meanwhile, other domains were a bit more lengthy. These included fbiorganisation[dot]online, fbigrantinvestigation[dot]com and fbifraud[dot]primebnkonline[dot]com.

At the time of the FBI announcement, the agency had found 14 of the 99 spoofed domains were unable to resolve. A few of those domains got creative with country code top-level domains. These included fbilibrary[dot]ml (using the country code for Mali) and fbi99[dot]cn (the code for the People’s Republic of China).

The url fbiboston[dot]com[dot]jo is one of the stranger ones. This curious example uses the city of Boston and the country of Jordan in the same domain.

As the FBI announcement said, the danger here is that people could visit one of the fakes when looking for official sites.

There’s also the potential that threat actors could use seemingly official email accounts to trick readers. This is a common tactic for leading people into visiting malicious websites or downloading malware.

Other Targets of Domain Spoofing

Back in early November, malicious actors impersonated the IRS. They leveraged that disguise along with the spoofed domain [email protected][dot]gov to trick people into handing over their payment information.

Less than a month later, a spear-phishing campaign targeted mostly users who worked in the financial services, health care, insurance, manufacturing, utilities and telecom industries. Like the one in the FBI announcement, that campaign made the attack emails look as though they had come from the real domain [email protected][dot]com. Clicking on an embedded link led to a fake Microsoft login page designed to steal Office 365 credentials.

It was around that same time that government-authorized nonprofit investment security firm FINRA published a regulatory notice warning users to be on the lookout for an attack campaign. The operation used fraudulent emails that included the domain @invest-finra[dot]org.

How to Not Fall for a Spoofed Domain

Employers can help their users to not fall for a spoofed domain such as the ones in the FBI announcement by investing in ongoing security awareness training for their entire workforce. First, they should conduct phishing tests that use spoofed domains in order to check employees’ behavior. By raising awareness around tricks like the ones in this FBI announcement, employers can emphasize the importance of checking email links and attachments sent by strangers.

In addition, make sure you’re prepared to respond to a successful phishing scam such as the one in the FBI announcement. Employers should consider putting together an incident response plan and building an incident response team. Going forward, test both the plan and team on a regular basis.

More from News

Costa Rica State of Emergency Declared After Ransomware Attacks

In late April, after weeks of major ransomware attacks, Costa Rica declared a state of emergency. Newly-elected President Rodrigo Chaves took this measure, usually reserved to deal with natural disasters, to free up the government to react more decisively to the incident. The Russian-based Conti gang has claimed they launched the attack. Meanwhile, the U.S. Department of State offered a $10 million reward for information that leads to finding anyone holding a key leadership role in the Conti gang. The…

Ransomware-as-a-Service Transforms Gangs Into Businesses

Malware-as-a-Service is getting easier and easier to access, according to a recent threat report. Self-named the ‘Eternity Project’, this cyber threat group offers services from a Tor website and on their Telegram channel. They sell a wide variety of malware in an organized fashion, including stealer, clipper, worm, miner, ransomware and distributed-denial-of-service bot services. This alarms many security professionals. With Eternity, even inexperienced cyber criminals can target victims with a customized threat offering. Eternity sells malware for $90 to $490.…

UK Health System Email Accounts Hijacked to Steal Microsoft Logins

Last summer, I noticed password reset notices in my email account that I didn’t send. I quickly realized that I was the victim of an account takeover. This happens when someone illegally gains access to your account, typically through compromised credentials. I changed my email password right away and learned that my passwords to other accounts had already been changed. To make cleanup even more fun, I found out that the attackers had created new accounts using my credentials. Account…

LemonDuck Cryptojacking Botnet Targets API Security Gap

A recent report reveals the well-known crypto mining botnet LemonDuck can target Docker to secretly mine cryptocurrency on the Linux platform. LemonDuck targets Microsoft Exchange servers to mine crypto, escalate privileges and move sideways in compromised networks. It takes advantage of Docker, a mainstream platform used for building, running and managing containerized workloads. Since Docker runs container workloads in the cloud, a misconfigured cloud instance can expose a Docker API to the internet. Attackers can then exploit this API to…