The agency states that “unattributed cyber actors” are registering domains designed to spoof legitimate websites pertaining to the FBI, “indicating the potential for future operational activity.” In addition to spoofed domains, state-sponsored actors and cybercriminals are leveraging spoofed email accounts to trick unsuspecting victims into revealing sensitive, personal information.
To ensure the success of their attempts, the threat actors create domains that feature slightly modified characteristics of legitimate domains. These spoofed domains may contain the alternate spelling of a word in their name or use an alternative top-level domain. Due to these subtle alterations, unsuspecting victims may be tricked into visiting the spoofed domains when looking for information on the FBI’s mission and services, or news coverage. Furthermore, spoofed email accounts may be used to entice individuals into opening malicious files or clicking on links.
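The alterations described above (an alternate spelling of a word, a swapped top-level domain, or the legitimate name embedded in a longer name) can be screened for mechanically. The following is an added example, not code from the FBI or the original article: a small Python checker that compares observed domain names against a legitimate domain and reports why each one looks suspicious. The observed list is constructed for illustration, the legitimate domain fbi.gov is used only as the comparison target, and the top-level-domain split assumes a single-label suffix rather than consulting a public suffix list.

```python
import unicodedata

# Constructed sample for this example: the domain being impersonated and a
# list of observed names to screen. None of these are real findings.
LEGITIMATE = "fbi.gov"
OBSERVED = [
    "fbi.gov",          # the genuine domain
    "www.fbi.gov",      # subdomain of the genuine domain
    "fbi.com",          # same name, swapped top-level domain
    "fbl.gov",          # one-character substitution (l for i)
    "f6i.gov",          # digit standing in for a letter
    "fbî.gov",          # accented homoglyph
    "fbi-gov.com",      # legitimate name embedded in a longer name
    "fbi.gov.example",  # legitimate name used as a subdomain elsewhere
    "example.org",      # unrelated domain
]

# Digits commonly substituted for visually similar letters.
DIGIT_LOOKALIKES = {"0": "o", "1": "l", "3": "e", "4": "a",
                    "5": "s", "6": "b", "7": "t", "8": "b", "9": "g"}


def split_domain(name):
    """Return (subdomain labels, registrable label, tld).

    Assumption of this example: the last label is the whole public suffix.
    """
    labels = name.lower().strip(".").split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    return labels[:-2], labels[-2], labels[-1]


def normalize_label(label):
    """Strip accents and undo digit-for-letter swaps so lookalikes collapse
    onto the plain spelling they imitate."""
    decomposed = unicodedata.normalize("NFKD", label)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    for digit, letter in DIGIT_LOOKALIKES.items():
        plain = plain.replace(digit, letter)
    return plain.replace("vv", "w")


def levenshtein(a, b):
    """Classic edit distance; one edit covers a typo-style misspelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(candidate, legitimate=LEGITIMATE):
    """Return the list of reasons a candidate resembles the legitimate domain.

    An empty list means either the genuine domain (or its subdomain) or an
    unrelated name.
    """
    subs, label, tld = split_domain(candidate)
    _, legit_label, legit_tld = split_domain(legitimate)
    if label == legit_label and tld == legit_tld:
        return []
    reasons = []
    norm, legit_norm = normalize_label(label), normalize_label(legit_label)
    if norm == legit_norm:
        if label != legit_label:
            reasons.append("homoglyph")
        if tld != legit_tld:
            reasons.append("tld-swap")
    elif levenshtein(norm, legit_norm) == 1:
        reasons.append("one-edit")
    # The legitimate name buried inside a longer name or a subdomain.
    host_without_tld = ".".join(subs + [label])
    variants = {legitimate, legitimate.replace(".", "-"), legitimate.replace(".", "")}
    if any(v in host_without_tld for v in variants):
        reasons.append("embedded")
    return reasons


def screen_domains(observed, legitimate=LEGITIMATE):
    """Map each flagged domain to its reasons; genuine and unrelated names are omitted."""
    return {name: lookalike_reasons(name, legitimate)
            for name in observed if lookalike_reasons(name, legitimate)}


if __name__ == "__main__":
    for name, why in screen_domains(OBSERVED).items():
        print(f"{name:20s} {', '.join(why)}")
```

The output of `screen_domains` is a candidate list for review, not proof of abuse: a swapped top-level domain may belong to an unrelated legitimate owner, so each flagged name still needs a registration and content check before it is blocked or reported.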
What to do?
Always check the spelling of websites and email addresses, keep operating systems and applications updated, and use anti-malware software that is kept up to date.
Never enable macros on documents received via email unless absolutely necessary, and only after the file has been scanned with an anti-virus application; refrain from opening emails or attachments from unknown individuals.
Never provide personal information over email, enforce strong two-factor authentication wherever possible, and employ domain whitelisting to allow traffic only to websites considered safe.
Disable or remove software that is no longer used or needed, and verify that visited websites have an SSL certificate (although threat actors are also known to use encryption to make their websites appear legitimate).
What can you do when this happens to you?
If you think your network security has been breached, shut the network down and identify any malware, viruses, or data exfiltration. Mitigate the breach and notify affected users and organizations. Reinstate the network using a known clean backup.