These Days Some Of The Bad Guys Are Even Spoofing FBI-Related Domain Names...

"You don't tug on Superman's cape
You don't spit into the wind
You don't pull the mask off that old Lone Ranger
And you don't mess around with Jim…"

"You Don't Mess Around With Jim"– Jim Croce

I. Introduction

Farsight has previously discussed the problem of spoofed domains in its blogs, see for example:

Unfortunately, spoofed domains remain an everyday occurrence, an ugly reality for

  • Banks
  • Payment card companies, or
  • Brand owners targeted by "knock off" merchandise-sellers.

Yet brands are not the only victims of this type of attack. Federal law enforcement agencies have also been targets. For some people, this is difficult to understand because:

  • Most Americans want to help the good guys win.
  • Most of us have been trained since birth to comply with police officers, particularly Federal agents. If a Federal agent makes a demand, most people will instinctively comply.
  • Many Americans believe the FBI only investigates the most serious of crimes, which further adds to the perceived gravity of an investigation allegedly involving an FBI agent.
  • And so on.

The result is that the spectre of interacting with "the FBI" is potent – when the Federal Bureau of Investigation (or someone claiming to be the FBI) speaks, most of us will listen and then obey. That's exactly the response bad guys want. And that may be one reason why the bad guys have begun to spoof FBI-related domain names.

For example, yesterday the FBI released Public Service Announcement I-112320-PSA, "Spoofed FBI Internet Domains Pose Cyber and Disinformation Risks."

That report lists over 90 domains attempting to spoof the FBI, and notes "This list is not comprehensive but demonstrates the range of spoofed domains that exist."

There are indeed many other likely-spoofed FBI domains, as we'll show later in this blog article.

Targeting the nation's premier law enforcement agency seems like a pretty bold and foolhardy choice to us. It likely reflects an unwarranted sense of invulnerability on the bad guys' part: "I can spoof whomever I want, and no one, not even the FBI, can stop me." Maybe, but we doubt that's true. As the Jim Croce song goes, "You don't mess around with Jim," to which I'd add "And you really don't want to mess around with the FBI."

So why this article? Well, we have several motivations:

  • We want to echo the FBI's warning – spoofed domains ARE an ongoing problem on the Internet, and every end-user needs to be very careful to avoid mistakenly trusting easily-misread (or intentionally misleading) domains.
  • We want to show you how to get a list of domains that contain "FBI", as seen by Farsight's new DNSDB Flexible Search service.
  • We want to explain why the FBI can't simply block or seize all domains that contain the string "FBI".

II. How Can This Even Have Become A Problem?

Let's begin by explaining why sites such as the FBI run into problems with spoofed domains. The reasons are numerous, including:

  • Domains are cheap and easy to register, and can be used as soon as the domain is registered, no waiting period required. On the other hand, even when pushing really hard, it can take defenders hours or even days to get an evil new domain taken down.
  • Whois privacy and proxy services, as well as wholesale (and over-applied!) GDPR redactions reduce the usability of Whois, and complicate attribution and accountability when domain name abuse occurs.
  • Email clients and web browsers often try to "help" make the Internet "more friendly" by concealing actual network email addresses and website URLs, showing just "formatted email names" or "formatted web site names." When this happens, if you see something that sounds or feels wrong to you, you may need to inspect the raw source code for a message or web page to see what's REALLY going on.
  • Everyone's just so dang busy!
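The third point above is worth making concrete. Below is an added Python example (not code from the original article) that does what "inspect the raw source" means in practice: it compares a From header's display name with the address actually behind it, and a link's visible text with the href it really points at. The header and HTML fragment are constructed for the example; fbi.gov is assumed (TRUSTED_DOMAIN) to be the only domain the agency would mail or link from, and the spoof domain is an invented placeholder.

```python
"""Look past what a mail client or browser renders: compare a From header's
display name with its real address, and a link's visible text with its href.

Added example, not from the original article. The header and HTML fragment are
CONSTRUCTED; fbi.gov is assumed to be the only domain the agency would mail or
link from (TRUSTED_DOMAIN), and the spoof domain is an invented placeholder.
"""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "fbi.gov"   # assumption for the example
AGENCY_HINT = "fbi"          # display names / link text that claim the agency

# Constructed samples.
SPOOFED_FROM = '"FBI Cyber Division" <cyber-division@fbi-gov-warning.example>'
GENUINE_FROM = '"FBI Tips" <tips@fbi.gov>'
SAMPLE_HTML = """
<p><a href="https://fbi-gov-warning.example/case/4412">https://www.fbi.gov/case/4412</a></p>
<p><a href="https://www.fbi.gov/contact-us">www.fbi.gov</a></p>
<p><a href="https://fbi-gov-warning.example/case/4412">Review your case</a></p>
"""

# A hostname-looking token in visible link text (no IDN handling; example only).
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


def is_under(host, domain):
    """True when host is domain or a subdomain of it (fbi.gov.evil.example is not)."""
    return host == domain or host.endswith("." + domain)


def check_from_header(raw_from):
    """Flag a From header whose display name claims the agency while the
    actual address is outside TRUSTED_DOMAIN."""
    display, addr = parseaddr(raw_from)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claims_agency = AGENCY_HINT in display.lower()
    return {"display": display, "address": addr,
            "suspicious": claims_agency and not is_under(domain, TRUSTED_DOMAIN)}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in a fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Per link: 'mismatch' when the text shows one hostname but the href goes
    to another; 'off_domain' when the href host is outside TRUSTED_DOMAIN."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        m = HOST_IN_TEXT.search(text.lower())
        shown = m.group(1) if m else ""
        findings.append({"text": text, "href": href, "shown_host": shown, "href_host": host,
                         "mismatch": bool(shown) and shown != host,
                         "off_domain": not is_under(host, TRUSTED_DOMAIN)})
    return findings


if __name__ == "__main__":
    for raw in (SPOOFED_FROM, GENUINE_FROM):
        print(check_from_header(raw))
    for finding in check_links(SAMPLE_HTML):
        print(finding)
```

The two signals are deliberately separate: the first link lies about where it goes (text says www.fbi.gov, href does not), while the third link says nothing false but still leaves the trusted domain, which only the off_domain check catches.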

III. Quantitatively, Just How Bad Is The "FBI" Domain Spoofing Problem?

The FBI PSA mentioned 92 domains in their alert, but Farsight DNSDB customers who use Farsight's new Flexible Search can get a more comprehensive view of the domains that may be spoofing "FBI".

Let me show you using dnsdbflex, Farsight's new command-line Flexible Search client.

To keep this manageable and relatively current, we'll limit our search to just domains seen during the last 90 days. Our initial run will return up to a million results. Because a single fully qualified domain name (FQDN) can come back once per record type, we actually ended up with OVER a million lines in that first tranche:

$ dnsdbflex --regex fbi -A90d -l0 -j > fbi-domains.txt
$ wc -l fbi-domains.txt
1039751 fbi-domains.txt

Because there appear to be potentially more than a million results, we'll ask for a second followup tranche of results, offset by a million results from our initial results:

$ dnsdbflex --regex fbi -A90d -l0 -j -O 1000000 >> fbi-domains.txt
$ wc -l fbi-domains.txt
1312221 fbi-domains.txt

We'll then extract just the RRnames from each record, and check to see how many unique ones we've found:

$ jq -r '.rrname' < fbi-domains.txt | sort -u > fbi-domains-2.txt
$ wc -l fbi-domains-2.txt
1237271 fbi-domains-2.txt

So now we see that there are nearly 1.24 million unique names that include "FBI" somewhere in the FQDN. Are these domain names ALL malicious, or at least suspicious?

First of all, remember that Farsight DOESN'T call good or bad. YOU need to decide if a given domain is suspicious or bad.

Secondly, many domains may only "coincidentally" have "FBI" as part of the FQDN – the shorter the string you're matching, the greater the probability that you'll see essentially-irrelevant random matches.

As a first pass, let's trim the hostname part of the names we've discovered (the 2nd-level-dom script we're using to trim the names is available in Appendix I):

$ 2nd-level-dom < fbi-domains-2.txt | sort -u > fbi-domains-3.txt
$ wc -l fbi-domains-3.txt
57752 fbi-domains-3.txt

So from the above, we can see that after removing the hostname part, we have nearly 58,000 unique domains. However, some of those domains may no longer mention "FBI" at all, if "FBI" appeared only in the hostname part. Let's check how many still "qualify" for further scrutiny:

$ grep fbi fbi-domains-3.txt > fbi-domains-4.txt
$ wc -l fbi-domains-4.txt
32621 fbi-domains-4.txt

Once we've dropped the hostname part, "only" 32,621 of the effective 2nd-level domains have the string "FBI".
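The same four-step pipeline, re-created offline as an added Python example (not Farsight's tooling), so the way the counts shrink at each stage can be checked without DNSDB access. The only assumption made about dnsdbflex output is the one the jq filter above already relies on: one JSON object per line with rrname and rrtype keys, rrnames absolute with a trailing dot. The records and the miniature public-suffix table are constructed for the example; the real 2nd-level-dom script in Appendix I loads the full Public Suffix List.

```python
"""Offline stand-in for the dnsdbflex | jq | sort -u | 2nd-level-dom | grep pipeline.

Added example, not Farsight code. Records below are CONSTRUCTED; they are not
DNSDB data. Assumed input format: one JSON object per line with "rrname" and
"rrtype" keys, rrnames fully qualified with a trailing dot.
"""
import json

# Miniature stand-in for the Public Suffix List (the real script loads the full
# public_suffix_list.dat). github.io is included to show why a naive
# "last two labels" rule is not the same thing as the registrable domain.
PUBLIC_SUFFIXES = ["co.uk", "github.io", "com", "net", "org", "gov",
                   "tk", "casa", "uk", "io"]

# Constructed sample records: the same name can come back once per rrtype.
SAMPLE_RECORDS = [
    {"rrname": "www.fbi.gov.", "rrtype": "A"},
    {"rrname": "www.fbi.gov.", "rrtype": "AAAA"},              # same rrname, second rrtype
    {"rrname": "fbi.gov.", "rrtype": "NS"},
    {"rrname": "fbi.example-login.co.uk.", "rrtype": "A"},     # "fbi" only in the hostname label
    {"rrname": "typesofbikes.com.", "rrtype": "A"},            # coincidental substring
    {"rrname": "mail.fbi-cyberdivision.tk.", "rrtype": "A"},
    {"rrname": "fbi-cyberdivision.tk.", "rrtype": "MX"},
    {"rrname": "085a5028fbiw2m.ui.nabu.casa.", "rrtype": "A"},  # random label containing "fbi"
    {"rrname": "interpol-fbi.github.io.", "rrtype": "CNAME"},  # github.io is itself a public suffix
    {"rrname": "FBI-Official-Warning.net.", "rrtype": "A"},    # mixed case
]
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS) + "\n"


def registrable_domain(fqdn, suffixes=PUBLIC_SUFFIXES):
    """Public suffix plus one label (what 2nd-level-dom prints), or None when
    no suffix in the table matches or the name is itself just a suffix."""
    labels = fqdn.lower().rstrip(".").split(".")
    # Longest suffix first, so co.uk beats uk and github.io beats io.
    for suffix in sorted(suffixes, key=lambda s: s.count("."), reverse=True):
        slabels = suffix.split(".")
        if len(labels) > len(slabels) and labels[-len(slabels):] == slabels:
            return ".".join(labels[-len(slabels) - 1:])
    return None


def run_pipeline(jsonl_text, needle="fbi"):
    """Mirror the shell steps above and return the intermediate counts."""
    records = [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]
    rrnames = {r["rrname"] for r in records}                       # jq -r '.rrname' | sort -u
    domains = {d for d in map(registrable_domain, rrnames) if d}   # 2nd-level-dom | sort -u
    matching = sorted(d for d in domains if needle in d)           # grep fbi
    return {"records": len(records), "rrnames": len(rrnames),
            "registrable": len(domains), "matching": matching}


if __name__ == "__main__":
    result = run_pipeline(SAMPLE_JSONL)
    for key in ("records", "rrnames", "registrable"):
        print(f"{key}: {result[key]}")
    print("still mention fbi:", *result["matching"], sep="\n  ")
```

Two things the toy data makes visible: the duplicate www.fbi.gov record is why raw line counts overstate the number of names, and interpol-fbi.github.io survives the reduction only because github.io is treated as a public suffix; a "keep the last two labels" shortcut would have collapsed it to github.io and lost the match.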

Many of those domains may NOT be intentionally spoofing the FBI. Sometimes the "FBI" string will just appear coincidentally in a name. For example:

typesofbikes[dot]com
veincenterofbirmingham[dot]com
wolfbitefiberworks[dot]com

Other domains may have what looks like random gibberish, part of which may randomly include the magic "FBI" string:

085a5028qzt2f4gitwqlg7nvxvfbiw2m.ui.nabu[dot]casa
mbhcgjmmmpucoobparparoidgrchfbih[dot]cf
env5bad4680f0ab2-jyjbfbi-5hjvrechjbdrc.us-3.magentosite[dot]cloud
8yzwepmenhfbijnds6[dot]cn

So how can we find the "real" domains of concern that may be targeting the FBI? We can try using Flexible Search's regular expression features. We'll look for domains from the last 90 days that match one of the following patterns:

a) Let's try looking for domain names that start with FBI followed by a literal dot:

$ dnsdbflex --regex '^fbi\.' -A90d -l0 -j > fbi-start.txt
$ jq -r '.rrname' < fbi-start.txt | sort -u > fbi-start-2.txt
$ wc -l fbi-start-2.txt 
18231 fbi-start-2.txt

Those names include things that aren't very interesting/aren't likely meant to be misleading such as:

fbi.agilixbuzz[dot]com
fbi.agmfp.eu[dot]org
fbi.ags3.didiyunapi[dot]com

Let's look at names that consist of just fbi followed by a dot followed by one more label (e.g., a TLD):

$ grep -v '\..*\..*\.' fbi-start-2.txt | sed 's/.$//' | sed 's/\./\[dot\]/' > fbi-start-3.txt
$ wc -l fbi-start-3.txt
211 fbi-start-3.txt

Those look like:

fbi[dot]academy
fbi[dot]actor
fbi[dot]ae
fbi[dot]africa
fbi[dot]ag
fbi[dot]agency
fbi[dot]ai
fbi[dot]airforce
fbi[dot]am
fbi[dot]archi
fbi[dot]asia
fbi[dot]associates
fbi[dot]at
fbi[dot]attorney
fbi[dot]bar
fbi[dot]be
fbi[dot]best
fbi[dot]bet
fbi[dot]bi
fbi[dot]bike
[etc]

If I were looking for intentional spoofing, I'd likely do a deep dive on all of the fbi. domains other than fbi.gov.

b) Domain names that include fbi followed by one of the other terms listed, excluding any names from the real fbi.gov domain:

$ dnsdbflex --regex 'fbi.*(agent|auth|bureau|crime|cyber|division|federal|fraud|gov|inspect|investigate|legal|official|police|unit|us|warning)' --exclude '\.fbi\.gov\.$' -A90d -l0 -j > fbi-at-beginning.txt
$ wc -l fbi-at-beginning.txt
73331 fbi-at-beginning.txt

Those 73.3K results will include both the name that was discovered AND the resource record type. Let's just keep unique RRnames:

$ jq -r '.rrname' < fbi-at-beginning.txt | sort -u > fbi-at-beginning-2.txt
$ wc -l fbi-at-beginning-2.txt 
70875 fbi-at-beginning-2.txt

That takes us down to nearly 71K unique domains. Many of these don't look like they're intentionally meant to be misleading, e.g.:

affbizmall.exclusifvoyages.fr.jiajiaoban[dot]com
akali-cfbilling.inspectieszw[dot]nl
assetsmsfbiz.users.citymaps[dot]com

We think you're now getting a sense of just WHY it can be so difficult to find potentially malicious "FBI" domain names – short patterns like "FBI" are prone to a LOT of overmatching.

IV. How About Searching For A Longer, More Specific Pattern, Such As federalbureauofinvestigation?

Let's try searching for something quite a bit more specific, such as federalbureauofinvestigation. It is unlikely that such a specific string would appear "accidentally":

$ dnsdbflex --regex 'federalbureauofinvestigation' -A90d -l0 -j > federal-bureau-of-investigation.txt
$ jq -r '.rrname' < federal-bureau-of-investigation.txt | sort -u > federal-bureau-of-investigation-2.txt
$ wc -l federal-bureau-of-investigation-2.txt
49 federal-bureau-of-investigation-2.txt

ALL of the following strike me as interesting domains that might merit further review:

admin.federalbureauofinvestigation[dot]org
americanfederalbureauofinvestigation[dot]com
autodiscover.umeshheendeniyavsfederalbureauofinvestigation[dot]org
cpanel.umeshheendeniyavsfederalbureauofinvestigation[dot]org
cpcalendars.umeshheendeniyavsfederalbureauofinvestigation[dot]org
cpcontacts.umeshheendeniyavsfederalbureauofinvestigation[dot]org
fbi-federalbureauofinvestigation[dot]com
federalbureauofinvestigation-govt.abuse-copyrightbangladesh[dot]com
federalbureauofinvestigation-govt[dot]com
federalbureauofinvestigation.5nx[dot]ru
federalbureauofinvestigation[dot]co.uk
federalbureauofinvestigation[dot]com
federalbureauofinvestigation[dot]info
federalbureauofinvestigation.listbb[dot]ru
federalbureauofinvestigation[dot]net
federalbureauofinvestigation[dot]nl
federalbureauofinvestigation[dot]org
federalbureauofinvestigation[dot]tk
federalbureauofinvestigationfbi[dot]com
federalbureauofinvestigations.duckdns[dot]org
federalbureauofinvestigations[dot]org
federalbureauofinvestigations[dot]us
federalbureauofinvestigationus[dot]tk
mail.umeshheendeniyavsfederalbureauofinvestigation[dot]org
mail.usafederalbureauofinvestigation[dot]com
post.federalbureauofinvestigation[dot]org
thefederalbureauofinvestigations.cbtechnicalacademy[dot]com
thefederalbureauofinvestigations.flipkeyprod[dot]net
thefederalbureauofinvestigations.manywho[dot]com
thefederalbureauofinvestigations.sf.gamedealing.com[dot]com
theusfederalbureauofinvestigations.campaignmonitor[dot]com
theusfederalbureauofinvestigations.canary1-sg3.omega.yahoo[dot]com
theusfederalbureauofinvestigations.everad[dot]com
theusfederalbureauofinvestigations.flipky[dot]com
theusfederalbureauofinvestigations.gamedealing.com[dot]com
theusfederalbureauofinvestigations.gap[dot]ae
theusfederalbureauofinvestigations.manywho[dot]com
umeshheendeniyavsfederalbureauofinvestigation[dot]org
usafederalbureauofinvestigation[dot]com
webdisk.umeshheendeniyavsfederalbureauofinvestigation[dot]org
webmail.federalbureauofinvestigation[dot]info
webmail.umeshheendeniyavsfederalbureauofinvestigation[dot]org
www.federalbureauofinvestigation-govt.abuse-copyrightbangladesh[dot]com
www.federalbureauofinvestigation[dot]com
www.federalbureauofinvestigation[dot]info
www.federalbureauofinvestigation[dot]org
www.federalbureauofinvestigationfbi[dot]com
www.umeshheendeniyavsfederalbureauofinvestigation[dot]org
www.usafederalbureauofinvestigation[dot]com
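The patterns from sections III and IV, applied locally as an added Python example (not Farsight code, and not a substitute for running them server-side with dnsdbflex, which is what avoids pulling a million names in the first place). Once a tranche has been downloaded, bucketing each name by which of the searches it would have matched, and ranking by how many, is a quick first triage. The sample names are constructed. One caveat on the page's own exclusion: '\.fbi\.gov\.$' drops hosts under fbi.gov but not the apex "fbi.gov." itself (which the keyword search also matches, via "gov"); the example anchors the exclusion on (^|\.) so both are treated as genuine.

```python
"""Triage FQDNs with the patterns used in sections III and IV.

Added example, not Farsight code. The names below are CONSTRUCTED. It applies
the same regular expressions the dnsdbflex searches above use, locally, so the
candidates can be bucketed and ranked once the data has been pulled.
"""
import re

# One (label, regex) pair per search above, applied in this order.
PATTERNS = [
    ("fbi-plus-one-label", re.compile(r"^fbi\.[^.]+\.$")),   # fbi[dot]<tld>
    ("starts-with-fbi",    re.compile(r"^fbi\.")),
    ("fbi-plus-keyword",   re.compile(
        r"fbi.*(agent|auth|bureau|crime|cyber|division|federal|fraud|gov|"
        r"inspect|investigate|legal|official|police|unit|us|warning)")),
    ("full-agency-name",   re.compile(r"federalbureauofinvestigations?")),
]

# The page's exclusion, '\.fbi\.gov\.$', drops hosts under fbi.gov but not the
# apex "fbi.gov." itself; anchoring on (^|\.) excludes both. The trailing-dot
# anchor is what keeps "mail.fbi.gov.example.net." from passing as genuine.
GENUINE = re.compile(r"(^|\.)fbi\.gov\.$")

SAMPLE_NAMES = [
    "fbi.gov.", "www.fbi.gov.",                         # genuine
    "fbi.academy.", "fbi.agilixbuzz.com.",               # start with fbi.
    "fbi-cyber-unit.tk.", "mail.fbi.gov.example.net.",   # fbi + keyword
    "fbi-federalbureauofinvestigation.com.",             # keyword + full name
    "usafederalbureauofinvestigation.com.",              # full name only
    "typesofbikes.com.", "affbizmall.example.com.",      # coincidental
]


def triage(fqdn):
    """Labels of every pattern the name matches; [] for genuine fbi.gov
    names and for names that match nothing."""
    name = fqdn.lower()
    if not name.endswith("."):
        name += "."   # DNSDB rrnames are absolute; normalise for the $ anchors
    if GENUINE.search(name):
        return []
    return [label for label, rx in PATTERNS if rx.search(name)]


def rank(fqdns):
    """Flagged names only, most matched patterns first, then alphabetical."""
    flagged = [(n, triage(n)) for n in fqdns]
    flagged = [(n, reasons) for n, reasons in flagged if reasons]
    return sorted(flagged, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for name, reasons in rank(SAMPLE_NAMES):
        print(f"{name:45} {', '.join(reasons)}")
```

Ranking by the number of patterns matched, rather than by any single hit, is deliberate: the two-letter "us" and three-letter "gov" alternatives are the main source of overmatching in the keyword search, so a name that trips only that pattern deserves less attention than one that also starts with "fbi." or spells out the agency's full name.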

V. This Is Not Just An "FBI Thing"

While this blog article was framed around the FBI, since they'd sent out an alert highlighting spoofing of their domains, the FBI is not the only law enforcement agency whose name gets used in third-party domains. Remember, we're NOT saying that any of the following domains ARE or ARE NOT "legitimate" (or ARE or ARE NOT a "problem"):

$ dnsdbflex --regex 'interpol' -A90d -l0 -j | jq -r '.rrname' | 2nd-level-dom | sort -u | grep 'interpol' > interpol-domains.txt

Selected domains from that search include:

canadapoliceinterpol[dot]com
crime-interpol[dot]com
cyber-interpol[dot]com
cyber-interpol[dot]tk
cyber-service-interpol[dot]com
cyber-service-interpol[dot]net
cybercrimeinterpol[dot]com
cyberinterpol[dot]com
cyberinterpol[dot]org
dutch-interpol[dot]com
fedinterpoldept[dot]net
globalinterpol[dot]com
iinterpol-int[dot]net
iinterpol[dot]cf
iinterpol[dot]com
iinterpol[dot]ga
iinterpol[dot]gq
iniinterpol[dot]fr
interpol-de[dot]org
interpol-europe[dot]com
interpol-fbi[dot]online
interpol-france[dot]com
interpol-france[dot]fr
interpol-gov[dot]cn
interpol-gov[dot]com
interpol-govgh[dot]in
interpol-hamburg[dot]com
interpol-ihnovation-centre.github[dot]io
interpol-iinnovation-centre.github[dot]io
interpol-ijnnovation-centre.github[dot]io
interpol-ijnovation-centre.github[dot]io
interpol-iknnovation-centre.github[dot]io
interpol-imnnovation-centre.github[dot]io
interpol-imnovation-centre.github[dot]io
interpol-inbnovation-centre.github[dot]io
interpol-inbovation-centre.github[dot]io
interpol-inhnovation-centre.github[dot]io
interpol-inhovation-centre.github[dot]io
interpol-injnovation-centre.github[dot]io
interpol-injovation-centre.github[dot]io
interpol-inmnovation-centre.github[dot]io
interpol-inmovation-centre.github[dot]io
interpol-inn0ovation-centre.github[dot]io
interpol-inn0vation-centre.github[dot]io
interpol-inn9ovation-centre.github[dot]io
interpol-inn9vation-centre.github[dot]io
interpol-innavation-centre.github[dot]io
interpol-innbovation-centre.github[dot]io
interpol-innhovation-centre.github[dot]io
interpol-inniovation-centre.github[dot]io
interpol-innivation-centre.github[dot]io
interpol-innjovation-centre.github[dot]io
interpol-innkovation-centre.github[dot]io
interpol-innkvation-centre.github[dot]io
interpol-innlovation-centre.github[dot]io
interpol-int[dot]cf
interpol-int[dot]com
interpol-int[dot]ga
interpol-int[dot]tk
interpol-intl[dot]org
interpol-london[dot]info
interpol-lyon[dot]fr
interpol-nigeria[dot]com
interpol-police[dot]tk
interpol-se[dot]com
interpol-sg[dot]com
interpol-sk[dot]ru
interpol-spain[dot]site
interpol[dot]af
interpol[dot]ag
interpol[dot]am
interpol[dot]asia
interpol[dot]at
interpol[dot]be
interpol[dot]biz
interpol[dot]ca
interpol[dot]cc
interpol[dot]cd
interpol[dot]cf
[etc]

$ dnsdbflex --regex 'drugenforcementadministration' -A90d -l0 -j | jq -r '.rrname' | 2nd-level-dom | sort -u | grep drug
drugenforcementadministration[dot]com
drugenforcementadministration[dot]org
usdrugenforcementadministration[dot]com

$ dnsdbflex --regex 'oregonstatepolice' -A90d -l0 -j | jq -r '.rrname' | sort -u | grep '^oregonstatepolice'
oregonstatepolice[dot]com.
oregonstatepolice.onmicrosoft.com.lookup.dkimwl[dot]org.
oregonstatepolice.sharepoint[dot]com.
oregonstatepolicedept.005.github[dot]com.
oregonstatepolicedept.1688[dot]com.
oregonstatepolicedept.24sessions[dot]com.
oregonstatepolicedept.88661[dot]online.
oregonstatepolicedept.8x8[dot]vc.
oregonstatepolicedept._domainkey.challonge[dot]com.
oregonstatepolicedept.acronis[dot]pl.
oregonstatepolicedept.adimg.github[dot]com.
oregonstatepolicedept.airblade.com[dot]tr.
oregonstatepolicedept.airblade[dot]lu.
[etc]

$ dnsdbflex --regex 'losangelessheriff' -A90d -l0 -j | jq -r '.rrname' | 2nd-level-dom | sort -u | grep 'losangelessheriff'
losangelessheriff[dot]com
losangelessheriffcustody[dot]com
losangelessheriffdepartment[dot]tk
losangelessheriffdept[dot]xn--node
losangelessheriffsdepartment[dot]com
losangelessheriffsdepartment[dot]net
losangelessheriffsmuseum[dot]com
losangelessheriffsupply[dot]com

VI. Conclusion

We hope you've now developed a bit of a sense for how law enforcement agencies are sometimes targeted for online spoofing. When you know that this sort of activity is taking place, we hope you will be careful not to take what you see in an email message or on a web site at "face value."

Legitimate law enforcement officers should always be able to have their status verified by contacting the officer's agency at a number you've gotten from the phone book or via directory assistance. And if something feels wrong to you, consult an attorney for advice.

Appendix I. 2nd-level-dom

#!/usr/bin/perl
# Reduce each FQDN read from stdin to its registrable ("effective 2nd-level")
# domain using the Public Suffix List, e.g. mail.example.co.uk -> example.co.uk
use strict;
use warnings;
use IO::Socket::SSL::PublicSuffix;

# Local copy of https://publicsuffix.org/list/public_suffix_list.dat
my $pslfile = '/usr/local/share/public_suffix_list.dat';
my $ps = IO::Socket::SSL::PublicSuffix->from_file($pslfile);

while (my $line = <>) {
    chomp($line);
    $line =~ s/\.$//;          # DNSDB rrnames carry a trailing dot
    next if $line eq '';
    # public_suffix($host, 1) returns the public suffix plus one more label,
    # i.e. the registrable domain; names that are only a suffix yield nothing
    my $root_domain = $ps->public_suffix($line, 1);
    next unless defined $root_domain and length $root_domain;
    printf("%s\n", $root_domain);
}

Joe St Sauver is a Distinguished Scientist and Director of Research with Farsight Security, Inc.
