These Days Some Of The Bad Guys Are Even Spoofing FBI-Related Domain Names...
“You don’t tug on Superman’s cape
You don’t spit into the wind
You don’t pull the mask off that old Lone Ranger
And you don’t mess around with Jim…”
“You Don’t Mess Around With Jim”— Jim Croce
I. Introduction
Farsight has previously discussed the problem of spoofed domains in its blogs, see for example:
Unfortunately, spoofed domains remain an everyday occurrence, an ugly reality for
- Banks
- Payment card companies, or
- Brand owners targeted by “knock off” merchandise-sellers.
Yet brands are not the only victims of this type of attack. Federal law enforcement agencies have also been targets. Why would anyone spoof the FBI? Consider:
- Most Americans want to help the good guys win.
- Most of us have been trained since birth to comply with police officers, particularly Federal agents. If a Federal agent makes a demand, most people will instinctively comply.
- Many Americans believe the FBI only investigates the most serious of crimes, which further adds to the perceived gravity of an investigation allegedly involving an FBI agent.
- And so on.
The result is that the spectre of interacting with “the FBI” is potent — when the Federal Bureau of Investigation (or someone claiming to be the FBI) speaks, most of us will listen and then obey. That’s exactly the response bad guys want, and it may be one reason why the bad guys have begun to spoof FBI-related domain names.
For example, yesterday the FBI released Public Service Announcement I-112320-PSA, “Spoofed FBI Internet Domains Pose Cyber and Disinformation Risks.”
That report lists over 90 domains attempting to spoof the FBI, and notes “This list is not comprehensive but demonstrates the range of spoofed domains that exist.”
There are indeed many other likely-spoofed FBI domains, as we’ll show later in this blog article.
Targeting the nation’s premier law enforcement agency seems like a pretty bold and foolhardy choice to us. It likely reflects an unwarranted sense of invulnerability on the bad guys’ part: “I can spoof whomever I want, and no one, not even the FBI, can stop me.” Maybe, but we doubt that’s true. As the Jim Croce song goes, “You don’t mess around with Jim,” to which I’d add “And you really don’t want to mess around with the FBI.”
So why this article? Well, we have several motivations:
- We want to echo the FBI’s warning — spoofed domains ARE an ongoing problem on the Internet, and every end-user needs to be very careful to avoid mistakenly trusting easily-misread (or intentionally misleading) domains.
- We want to show you how to get a list of domains that contain “FBI”, as seen by Farsight’s new DNSDB Flexible Search service.
- We want to explain why the FBI can’t simply block or seize all domains that contain the string “FBI”.
II. How Can This Even Have Become A Problem?
Let’s begin by explaining why organizations such as the FBI run into problems with spoofed domains. The reasons are numerous, including:
- Domains are cheap and easy to register, and can be used as soon as the domain is registered, no waiting period required. On the other hand, even when pushing really hard, it can take defenders hours or even days to get an evil new domain taken down.
- Whois privacy and proxy services, as well as wholesale (and over-applied!) GDPR redactions reduce the usability of Whois, and complicate attribution and accountability when domain name abuse occurs.
- Email clients and web browsers often try to “help” make the Internet “more friendly” by concealing actual network email addresses and website URLs, showing just “formatted email names” or “formatted web site names.” When this happens, if you see something that sounds or feels wrong to you, you may need to inspect the raw source code for a message or web page to see what’s REALLY going on.
- Everyone’s just so dang busy!
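The third point above is easy to check mechanically once you have the raw source of a message. The following Python is an added example written for this article, not code from Farsight, from the FBI PSA, or from any mail client: it parses a constructed message whose display names and visible link text say “FBI” while the actual addresses and link target point elsewhere, and reports each mismatch. The sample message, every domain in it, the trusted-domain set (just fbi.gov) and the brand words are assumptions made for illustration.

```python
"""Added example: compare what a mail client displays with what the raw
message actually contains. Not code from the original post; the sample
message, its domains and the trusted-domain set are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this check: the only domain that may legitimately present
# itself as the FBI. A real deployment would carry a vetted list.
TRUSTED_DOMAINS = {"fbi.gov"}
BRAND_WORDS = ("fbi", "federal bureau")

# Constructed sample message (all addresses and hosts are made up). The
# display names and the visible link text say "FBI"; the addr-specs and the
# href do not.
SAMPLE_MESSAGE = """\
From: "FBI Cyber Division" <notices@fbi-cyber-unit.example>
Reply-To: "FBI Cyber Division" <case-desk@mail-relay.example>
To: recipient@example.org
Subject: Case reference required
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Review your case at
<a href="https://fbi.example/login">https://www.fbi.gov/case</a></p>
</body></html>
"""

# Visible link text that looks like a URL or a bare hostname
HOST_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def header_mismatches(raw):
    """Return (header, display_name, address) for From/Reply-To/Sender headers
    whose display name claims the brand but whose address is not under a
    trusted domain. The display name is exactly what a "friendly" client shows."""
    msg = message_from_string(raw)
    findings = []
    for hdr in ("From", "Reply-To", "Sender"):
        value = msg.get(hdr)
        if not value:
            continue
        name, addr = parseaddr(value)
        domain = addr.rpartition("@")[2]
        if any(w in name.lower() for w in BRAND_WORDS) and not is_trusted(domain):
            findings.append((hdr, name, addr))
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def link_mismatches(raw):
    """Return (href, visible_text) for links whose visible text names a host
    other than the one the href actually points to."""
    msg = message_from_string(raw)
    body = msg.get_payload()          # the sample is single-part text/html
    collector = _LinkCollector()
    collector.feed(body)
    findings = []
    for href, text in collector.links:
        shown = HOST_LIKE.match(text.strip())
        if not shown:
            continue                  # "click here" style text: nothing to compare
        shown_host = shown.group(1).lower()
        real_host = (urlparse(href).hostname or "").lower()
        if real_host and shown_host != real_host:
            findings.append((href, text.strip()))
    return findings


if __name__ == "__main__":
    for finding in header_mismatches(SAMPLE_MESSAGE) + link_mismatches(SAMPLE_MESSAGE):
        print("MISMATCH", finding)
```

Run against the constructed message, both From and Reply-To are flagged (the display name says “FBI Cyber Division”, the mailbox is not under fbi.gov) and the single link is flagged because its visible text names www.fbi.gov while the href goes to another host. The same two checks, applied to the raw source, are what a user has to do by eye when the client hides the addr-spec and the href.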
III. Quantitatively, Just How Bad Is The “FBI” Domain Spoofing Problem?
The FBI’s PSA lists 92 domains, but Farsight DNSDB customers who use Farsight’s new Flexible Search can get a more comprehensive view of the domains that may be spoofing “FBI”.
Let me show you using dnsdbflex, Farsight’s new command-line Flexible Search client.
To keep this manageable and relatively current, we’ll limit our search to just names seen during the last 90 days (-A90d). Our initial run (-l0) will return up to a million unique fully qualified domain names (FQDNs). Because a single FQDN can be reported with more than one record type, and each (name, record type) pair is its own output line, we actually ended up with OVER a million lines returned:
$ dnsdbflex --regex fbi -A90d -l0 -j > fbi-domains.txt
$ wc -l fbi-domains.txt
1039751 fbi-domains.txt
Because there appear to be more than a million results, we’ll ask for a second tranche, offset by a million (-O 1000000) from the first run, and append it to the same file:
$ dnsdbflex --regex fbi -A90d -l0 -j -O 1000000 >> fbi-domains.txt
$ wc -l fbi-domains.txt
1312221 fbi-domains.txt
We’ll then extract just the RRnames from each record, and check to see how many unique ones we’ve found:
$ jq -r '.rrname' < fbi-domains.txt | sort -u > fbi-domains-2.txt
$ wc -l fbi-domains-2.txt
1237271 fbi-domains-2.txt
So we see that there are nearly 1.24 million unique FQDNs that include “fbi” somewhere in the name. Are these names ALL malicious, or at least suspicious?
First of all, remember that Farsight DOESN’T label domains as good or bad. YOU need to decide whether a given domain is suspicious or malicious.
Secondly, many domains may only “coincidentally” have “FBI” as part of the FQDN — the shorter the string you’re matching, the greater the probability that you’ll see essentially-irrelevant random matches.
As a first pass, let’s trim the hostname part of the names we’ve discovered, reducing each FQDN to its effective second-level (registrable) domain. The 2nd-level-dom script we’re using to do that is available in Appendix I:
$ 2nd-level-dom < fbi-domains-2.txt | sort -u > fbi-domains-3.txt
$ wc -l fbi-domains-3.txt
57752 fbi-domains-3.txt
So from the above, we can see that after removing the hostname part we have nearly 58,000 unique domains. Some of those domains may no longer mention “fbi” at all, however, if the string occurred only in the hostname part. Let’s check how many still “qualify” for further scrutiny:
$ grep fbi fbi-domains-3.txt > fbi-domains-4.txt
$ wc -l fbi-domains-4.txt
32621 fbi-domains-4.txt
Once we’ve dropped the hostname part, “only” 32,621 of the effective 2nd-level domains have the string “FBI”.
Many of those domains may NOT be intentionally spoofing the FBI. Sometimes the “FBI” string will just appear coincidentally in a name. For example:
typesofbikes[dot]com
veincenterofbirmingham[dot]com
wolfbitefiberworks[dot]com
Other domains may have what looks like random gibberish, part of which may randomly include the magic “FBI” string:
085a5028qzt2f4gitwqlg7nvxvfbiw2m.ui.nabu[dot]casa
mbhcgjmmmpucoobparparoidgrchfbih[dot]cf
env5bad4680f0ab2-jyjbfbi-5hjvrechjbdrc.us-3.magentosite[dot]cloud
8yzwepmenhfbijnds6[dot]cn
So how can we find the “real” domains of concern that may be targeting the FBI? We can try using Flexible Search’s regular expression features. We’ll look for domains from the last 90 days that match one of the following patterns:
a) Let’s try looking for domain names that start with FBI followed by a literal dot:
$ dnsdbflex --regex '^fbi\.' -A90d -l0 -j > fbi-start.txt
$ jq -r '.rrname' < fbi-start.txt | sort -u > fbi-start-2.txt
$ wc -l fbi-start-2.txt
18231 fbi-start-2.txt
Those names include things that aren’t very interesting/aren’t likely meant to be misleading such as:
fbi.agilixbuzz[dot]com
fbi.agmfp.eu[dot]org
fbi.ags3.didiyunapi[dot]com
Let’s look at names that consist of just fbi followed by a dot followed by one more label (e.g., a TLD):
$ grep -v '\..*\..*\.' fbi-start-2.txt | sed 's/.$//' | sed 's/\./\[dot\]/' > fbi-start-3.txt
$ wc -l fbi-start-3.txt
211 fbi-start-3.txt
Those look like:
fbi[dot]academy
fbi[dot]actor
fbi[dot]ae
fbi[dot]africa
fbi[dot]ag
fbi[dot]agency
fbi[dot]ai
fbi[dot]airforce
fbi[dot]am
fbi[dot]archi
fbi[dot]asia
fbi[dot]associates
fbi[dot]at
fbi[dot]attorney
fbi[dot]bar
fbi[dot]be
fbi[dot]best
fbi[dot]bet
fbi[dot]bi
fbi[dot]bike
[etc]
If I were looking for intentional spoofing, I’d likely do a deep dive on all of the fbi. domains other than fbi.gov.
b) Domain names that include fbi followed, somewhere later in the name, by one of the terms listed below, excluding any names under the real fbi.gov domain:
$ dnsdbflex --regex 'fbi.*(agent|auth|bureau|crime|cyber|division|federal|fraud|gov|inspect|investigate|legal|official|police|unit|us|warning)' --exclude '\.fbi\.gov\.$' -A90d -l0 -j > fbi-at-beginning.txt
$ wc -l fbi-at-beginning.txt
73331 fbi-at-beginning.txt
Those 73.3K lines include one line per (name, resource record type) pair, so a name can appear more than once. Let’s keep just the unique RRnames:
$ jq -r '.rrname' < fbi-at-beginning.txt | sort -u > fbi-at-beginning-2.txt
$ wc -l fbi-at-beginning-2.txt
70875 fbi-at-beginning-2.txt
That takes us down to nearly 71K unique domains. Many of these don’t look like they’re intentionally meant to be misleading, e.g.:
affbizmall.exclusifvoyages.fr.jiajiaoban[dot]com
akali-cfbilling.inspectieszw[dot]nl
assetsmsfbiz.users.citymaps[dot]com
We think you’re now getting a sense of just WHY it can be so difficult to find potentially malicious “FBI” domain names — short patterns like “FBI” are prone to a LOT of overmatching.
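The winnowing done above in Section III (jq to pull out RRnames, sort -u, the 2nd-level-dom reduction, grep for the string) and the two pattern filters in III(a) and III(b), together with the long-string search of Section IV below, are one pipeline that can be reproduced offline. The following Python is an added example written for this article, not code from the original post or from Farsight’s tooling: it runs those stages over a constructed sample of dnsdbflex-style JSON lines (one object per line with an rrname key, as the jq commands above assume; the rrtype values are an assumption) and returns every stage’s result. Apart from fbi.gov itself, every name in the sample is made up under .example, and the tiny suffix table stands in for the real public_suffix_list.dat that the Appendix I script uses.

```python
"""Added example: the Section III post-processing (jq | sort -u, 2nd-level-dom,
grep fbi) and the Section III(a)/(b) and IV pattern filters, reimplemented in
Python over a constructed sample of dnsdbflex-style JSON lines. Not code from
the original post or from Farsight's tools."""
import json
import re

# Constructed sample in the shape the post consumes with `jq -r '.rrname'`:
# one JSON object per line, rrname with a trailing dot. It stands in for the
# union of the post's `--regex fbi` and `--regex federalbureauofinvestigation`
# runs. Apart from fbi.gov itself, every name (and every rrtype) is made up.
SAMPLE_DNSDBFLEX_OUTPUT = """\
{"rrname":"fbi.gov.","rrtype":"A"}
{"rrname":"fbi.gov.","rrtype":"AAAA"}
{"rrname":"www.fbi.gov.","rrtype":"CNAME"}
{"rrname":"typesofbikes.example.","rrtype":"A"}
{"rrname":"hobbyofbikes-rus.example.","rrtype":"A"}
{"rrname":"8yzwepmenhfbijnds6.example.","rrtype":"A"}
{"rrname":"fbi.cloud-host.example.","rrtype":"A"}
{"rrname":"fbi.example.","rrtype":"NS"}
{"rrname":"fbi-cyber-unit.example.","rrtype":"MX"}
{"rrname":"mail.fbi-cyber-unit.example.","rrtype":"A"}
{"rrname":"fbi-warning.github.io.","rrtype":"A"}
{"rrname":"fbi.gov.login.example.","rrtype":"A"}
{"rrname":"federalbureauofinvestigation.co.uk.","rrtype":"A"}
"""

# Stand-in for public_suffix_list.dat, holding just the suffixes the sample
# needs. The real list (used by the Appendix I script) also has wildcard and
# exception rules, which this toy lookup ignores.
MINI_PUBLIC_SUFFIXES = {"example", "gov", "io", "github.io", "uk", "co.uk"}

# The term list from Section III(b) of the post
KEYWORDS = ("agent|auth|bureau|crime|cyber|division|federal|fraud|gov|inspect|"
            "investigate|legal|official|police|unit|us|warning")
FBI_THEN_KEYWORD = re.compile(r"fbi.*(?:" + KEYWORDS + r")")
# The post excludes '\.fbi\.gov\.$'; the optional leading anchor here also
# drops the bare apex "fbi.gov.". Note that "fbi.gov.login.example." is NOT
# excluded by either form: the real domain has to be at the END of the name.
REAL_FBI = re.compile(r"(?:^|\.)fbi\.gov\.$")
LONG_STRING = "federalbureauofinvestigation"   # Section IV


def unique_rrnames(jsonl):
    """Equivalent of `jq -r '.rrname' | sort -u` over dnsdbflex -j output."""
    names = {json.loads(line)["rrname"] for line in jsonl.splitlines() if line.strip()}
    return sorted(names)


def registrable_domain(name, suffixes=MINI_PUBLIC_SUFFIXES):
    """The 2nd-level-dom reduction: public suffix plus one more label.
    Longest matching suffix wins; an unknown TLD falls back to the last two labels."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def winnow(jsonl):
    """Apply the post's sequence of cuts and return every stage's result."""
    fqdns = unique_rrnames(jsonl)
    domains = sorted({registrable_domain(n) for n in fqdns})
    # `grep fbi`: names whose "fbi" lived only in the hostname part drop out here
    domains_with_fbi = [d for d in domains if "fbi" in d]
    # III(a): "fbi." followed by exactly one more label; the real fbi.gov is
    # among them and has to be set aside by hand, as the post notes
    fbi_dot_tld = [n for n in fqdns if re.fullmatch(r"fbi\.[^.]+\.", n)]
    # III(b): "fbi" then a law-enforcement term, names under the real fbi.gov excluded.
    # Short terms such as "us" still overmatch: see hobbyofbikes-rus in the sample.
    keyword_hits = [n for n in fqdns if FBI_THEN_KEYWORD.search(n) and not REAL_FBI.search(n)]
    # IV: a long, specific string is far less prone to accidental matches
    long_string_hits = [n for n in fqdns if LONG_STRING in n]
    return {
        "fqdns": fqdns,
        "domains": domains,
        "domains_with_fbi": domains_with_fbi,
        "fbi_dot_tld": fbi_dot_tld,
        "keyword_hits": keyword_hits,
        "long_string_hits": long_string_hits,
    }


if __name__ == "__main__":
    for stage, names in winnow(SAMPLE_DNSDBFLEX_OUTPUT).items():
        print(f"{stage}: {len(names)}")
        for n in names:
            print("   ", n)
```

On the sample, 13 lines collapse to 12 unique FQDNs and 10 registrable domains; fbi.cloud-host.example drops out of the grep stage because its “fbi” was only a hostname label; the fbi. filter returns fbi.example. alongside the real fbi.gov.; the keyword filter keeps fbi.gov.login.example. (the exclusion only protects names that END in fbi.gov) and also keeps hobbyofbikes-rus.example., a coincidental “fbi” followed by a coincidental “us”, which is exactly the overmatching the text describes; and the long string matches only the one name built from it.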
IV. How About Searching For Longer, More Specific Patterns, Such As federalbureauofinvestigation?
Let’s try searching for something quite a bit more specific, such as federalbureauofinvestigation. It is unlikely that such a specific string would appear “accidentally:”
$ dnsdbflex --regex 'federalbureauofinvestigation' -A90d -l0 -j > federal-bureau-of-investigation.txt
$ jq -r '.rrname' < federal-bureau-of-investigation.txt | sort -u > federal-bureau-of-investigation-2.txt
$ wc -l federal-bureau-of-investigation-2.txt
49 federal-bureau-of-investigation-2.txt
I find ALL of the following to be interesting domains that might merit further review:
admin.federalbureauofinvestigation[dot]org
americanfederalbureauofinvestigation[dot]com
autodiscover.umeshheendeniyavsfederalbureauofinvestigation[dot]org
cpanel.umeshheendeniyavsfederalbureauofinvestigation[dot]org
cpcalendars.umeshheendeniyavsfederalbureauofinvestigation[dot]org
cpcontacts.umeshheendeniyavsfederalbureauofinvestigation[dot]org
fbi-federalbureauofinvestigation[dot]com
federalbureauofinvestigation-govt.abuse-copyrightbangladesh[dot]com
federalbureauofinvestigation-govt[dot]com
federalbureauofinvestigation.5nx[dot]ru
federalbureauofinvestigation[dot]co.uk
federalbureauofinvestigation[dot]com
federalbureauofinvestigation[dot]info
federalbureauofinvestigation.listbb[dot]ru
federalbureauofinvestigation[dot]net
federalbureauofinvestigation[dot]nl
federalbureauofinvestigation[dot]org
federalbureauofinvestigation[dot]tk
federalbureauofinvestigationfbi[dot]com
federalbureauofinvestigations.duckdns[dot]org
federalbureauofinvestigations[dot]org
federalbureauofinvestigations[dot]us
federalbureauofinvestigationus[dot]tk
mail.umeshheendeniyavsfederalbureauofinvestigation[dot]org
mail.usafederalbureauofinvestigation[dot]com
post.federalbureauofinvestigation[dot]org
thefederalbureauofinvestigations.cbtechnicalacademy[dot]com
thefederalbureauofinvestigations.flipkeyprod[dot]net
thefederalbureauofinvestigations.manywho[dot]com
thefederalbureauofinvestigations.sf.gamedealing.com[dot]com
theusfederalbureauofinvestigations.campaignmonitor[dot]com
theusfederalbureauofinvestigations.canary1-sg3.omega.yahoo[dot]com
theusfederalbureauofinvestigations.everad[dot]com
theusfederalbureauofinvestigations.flipky[dot]com
theusfederalbureauofinvestigations.gamedealing.com[dot]com
theusfederalbureauofinvestigations.gap[dot]ae
theusfederalbureauofinvestigations.manywho[dot]com
umeshheendeniyavsfederalbureauofinvestigation[dot]org
usafederalbureauofinvestigation[dot]com
webdisk.umeshheendeniyavsfederalbureauofinvestigation[dot]org
webmail.federalbureauofinvestigation[dot]info
webmail.umeshheendeniyavsfederalbureauofinvestigation[dot]org
www.federalbureauofinvestigation-govt.abuse-copyrightbangladesh[dot]com
www.federalbureauofinvestigation[dot]com
www.federalbureauofinvestigation[dot]info
www.federalbureauofinvestigation[dot]org
www.federalbureauofinvestigationfbi[dot]com
www.umeshheendeniyavsfederalbureauofinvestigation[dot]org
www.usafederalbureauofinvestigation[dot]com
V. This Is Not Just An “FBI Thing”
While this blog article was framed around the FBI, since they’d sent out an alert highlighting spoofing of their domains, they’re not the only law enforcement agency whose name gets used in third-party domains. Remember, we’re NOT saying that any of the following domains ARE or ARE NOT “legitimate” (or ARE or ARE NOT a “problem”):
$ dnsdbflex --regex 'interpol' -A90d -l0 -j | jq -r '.rrname' | 2nd-level-dom | sort -u | grep 'interpol' > interpol-domains.txt
Selected domains from that search include:
canadapoliceinterpol[dot]com
crime-interpol[dot]com
cyber-interpol[dot]com
cyber-interpol[dot]tk
cyber-service-interpol[dot]com
cyber-service-interpol[dot]net
cybercrimeinterpol[dot]com
cyberinterpol[dot]com
cyberinterpol[dot]org
dutch-interpol[dot]com
fedinterpoldept[dot]net
globalinterpol[dot]com
iinterpol-int[dot]net
iinterpol[dot]cf
iinterpol[dot]com
iinterpol[dot]ga
iinterpol[dot]gq
iniinterpol[dot]fr
interpol-de[dot]org
interpol-europe[dot]com
interpol-fbi[dot]online
interpol-france[dot]com
interpol-france[dot]fr
interpol-gov[dot]cn
interpol-gov[dot]com
interpol-govgh[dot]in
interpol-hamburg[dot]com
interpol-ihnovation-centre.github[dot]io
interpol-iinnovation-centre.github[dot]io
interpol-ijnnovation-centre.github[dot]io
interpol-ijnovation-centre.github[dot]io
interpol-iknnovation-centre.github[dot]io
interpol-imnnovation-centre.github[dot]io
interpol-imnovation-centre.github[dot]io
interpol-inbnovation-centre.github[dot]io
interpol-inbovation-centre.github[dot]io
interpol-inhnovation-centre.github[dot]io
interpol-inhovation-centre.github[dot]io
interpol-injnovation-centre.github[dot]io
interpol-injovation-centre.github[dot]io
interpol-inmnovation-centre.github[dot]io
interpol-inmovation-centre.github[dot]io
interpol-inn0ovation-centre.github[dot]io
interpol-inn0vation-centre.github[dot]io
interpol-inn9ovation-centre.github[dot]io
interpol-inn9vation-centre.github[dot]io
interpol-innavation-centre.github[dot]io
interpol-innbovation-centre.github[dot]io
interpol-innhovation-centre.github[dot]io
interpol-inniovation-centre.github[dot]io
interpol-innivation-centre.github[dot]io
interpol-innjovation-centre.github[dot]io
interpol-innkovation-centre.github[dot]io
interpol-innkvation-centre.github[dot]io
interpol-innlovation-centre.github[dot]io
interpol-int[dot]cf
interpol-int[dot]com
interpol-int[dot]ga
interpol-int[dot]tk
interpol-intl[dot]org
interpol-london[dot]info
interpol-lyon[dot]fr
interpol-nigeria[dot]com
interpol-police[dot]tk
interpol-se[dot]com
interpol-sg[dot]com
interpol-sk[dot]ru
interpol-spain[dot]site
interpol[dot]af
interpol[dot]ag
interpol[dot]am
interpol[dot]asia
interpol[dot]at
interpol[dot]be
interpol[dot]biz
interpol[dot]ca
interpol[dot]cc
interpol[dot]cd
interpol[dot]cf
[etc]
$ dnsdbflex --regex 'drugenforcementadministration' -A90d -l0 -j | jq -r '.rrname' | 2nd-level-dom | sort -u | grep drug
drugenforcementadministration.com
drugenforcementadministration.org
usdrugenforcementadministration.com
$ dnsdbflex --regex 'oregonstatepolice' -A90d -l0 -j | jq -r '.rrname' | sort -u | grep '^oregonstatepolice'
oregonstatepolice[dot]com.
oregonstatepolice.onmicrosoft.com.lookup.dkimwl[dot]org.
oregonstatepolice.sharepoint[dot]com.
oregonstatepolicedept.005.github[dot]com.
oregonstatepolicedept.1688[dot]com.
oregonstatepolicedept.24sessions[dot]com.
oregonstatepolicedept.88661[dot]online.
oregonstatepolicedept.8x8[dot]vc.
oregonstatepolicedept._domainkey.challonge[dot]com.
oregonstatepolicedept.acronis[dot]pl.
oregonstatepolicedept.adimg.github[dot]com.
oregonstatepolicedept.airblade.com[dot]tr.
oregonstatepolicedept.airblade[dot]lu.
$ dnsdbflex --regex 'losangelessheriff' -A90d -l0 -j | jq -r '.rrname' | 2nd-level-dom | sort -u | grep 'losangelessheriff'
losangelessheriff.com
losangelessheriffcustody.com
losangelessheriffdepartment.tk
losangelessheriffdept.xn--node
losangelessheriffsdepartment.com
losangelessheriffsdepartment.net
losangelessheriffsmuseum.com
losangelessheriffsupply.com
VI. Conclusion
We hope you’ve now developed a bit of a sense for how law enforcement agencies are sometimes targeted for online spoofing. When you know that this sort of activity is taking place, we hope you will be careful not to take what you see in an email message or on a web site at “face value.”
Legitimate law enforcement officers should always be able to have their status verified by contacting the officer’s agency at a number you’ve gotten from the phone book or via directory assistance. And if something feels wrong to you, consult an attorney for advice.
Appendix I. 2nd-level-dom
#!/usr/bin/perl
# 2nd-level-dom: reduce each FQDN read from stdin to its effective
# second-level (registrable) domain, i.e. the public suffix plus one more
# label, using the Public Suffix List. dnsdbflex RRnames carry a trailing
# dot; the module copes with that, and the names it prints have none.
use strict;
use warnings;
use IO::Socket::SSL::PublicSuffix;

# Local copy of https://publicsuffix.org/list/public_suffix_list.dat
my $pslfile = '/usr/local/share/public_suffix_list.dat';
my $ps = IO::Socket::SSL::PublicSuffix->from_file($pslfile);

while (my $line = <>) {
    chomp($line);
    next if $line eq '';                       # skip blank lines
    # second argument 1 = return the public suffix plus one additional label
    my $root_domain = $ps->public_suffix($line, 1);
    printf("%s\n", $root_domain) if defined $root_domain;
}
Joe St Sauver is a Distinguished Scientist and Director of Research with Farsight Security, Inc.