The Fake Bureau of Investigation: How Cybercriminals Are Impersonating Government Pages

Bad actors are using AI, vibe coding tools, SEO poisoning, and malvertising to spin up near‑perfect clones of the FBI’s IC3 site and other spoofed pages, tricking users into submitting sensitive reports and PII. Security teams are urged to combine domain/link analysis, computer vision, phishing sandboxes, and advanced browser protections to detect and block these fast‑moving phishing sites. #IC3 #FBI

Keypoints

  • Attackers are rapidly creating fraudulent websites impersonating the FBI Internet Crime Complaint Center (IC3) to harvest PII and complaint data.
  • Researchers and vendors (BleepingComputer, Varonis) have identified dozens of fake IC3 domains such as icc3[.]live, practicinglawyer[.]net, and ic3a[.]com.
  • Fraudulent sites often closely replicate the real IC3 site’s layout and warnings, increasing the likelihood victims will trust and use them.
  • Threat actors leverage SEO poisoning and malvertising to place spoofed sites or sponsored links high in search results, exploiting users who click top results.
  • Many phishing pages are hosted on legitimate platforms (e.g., adobe[.]com, canva[.]com, dropbox[.]com), making legacy protections less effective.
  • Traditional defenses (URL filtering, secure web gateways, legacy malware tools, browser isolation) are struggling to keep pace with AI‑driven, rapidly generated web threats.
  • Recommended defenses include AI/ML-driven domain and link analysis, computer vision for visual similarity detection, phishing sandboxes to traverse obfuscation, and advanced browser extensions.

MITRE Techniques

  • [T1598] Phishing for Information – Attackers create deceptive websites mimicking IC3 and use SEO poisoning/malvertising to lure victims into handing over complaint data and PII: “…sponsored resource that appears to be safe…attackers use the FBI logo as the favicon”
  • [T1583.001] Acquire Infrastructure: Domains – Adversaries register look‑alike domains containing ‘FBI’, ‘IC3’, or ‘report’ to host fraudulent reporting forms: “…examples of websites staged as fake FBI reporting sites included ‘icc3[.]live’, ‘practicinglawyer[.]net’, and ‘ic3a[.]com’”
  • [T1036] Masquerading – Sites impersonate the legitimate IC3 site by replicating layout, logos, and warning notices to appear authentic: “…near‑exact replicas of IC3’s site, including warning notices about ‘Scammers are impersonating the IC3’”
  • [T1608.006] Stage Capabilities: SEO Poisoning, and [T1583.008] Acquire Infrastructure: Malvertising – SEO manipulation and purchased search ads surface malicious sponsored links at the top of search results: “SEO poisoning or SEO phishing…where attack groups use the same engines marketers leverage to purchase paid search ad space.”
  • [T1204.001] User Execution: Malicious Link – Relying on users to click search results or sponsored links and submit forms containing PII: “…users don’t often check for signs of impersonated sites…users likely have [clicked sponsored links]”
  • [T1583.006] Acquire Infrastructure: Web Services – Hosting malicious pages on trusted platforms so that reputation-based controls pass the traffic and the page inherits the host’s credibility: “hosted on legitimate infrastructure like adobe[.]com, canva[.]com, dropbox[.]com…”
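The look‑alike registrations called out under Acquire Infrastructure, and the “domain and link analysis” the summary recommends as a defense, come down to a few concrete checks on each candidate hostname: does it carry a brand token (ic3, fbi, report) outside the real ic3.gov, is its label a near miss of “ic3”, or is it a brand-themed page parked on one of the shared hosting platforms the page names. The script below is an added example, not code from Varonis or from the original post; it runs those checks over the defanged domains quoted on this page plus a constructed ic3.gov URL, a constructed example.org decoy, and a hypothetical adobe.com path (the path itself is invented for illustration). The two-label “registrable domain” helper is a deliberate simplification; production code should use the Public Suffix List.

```python
import re
from difflib import SequenceMatcher

LEGIT_DOMAIN = "ic3.gov"
BRAND_TOKENS = ("ic3", "fbi", "report")          # tokens the page says attackers embed in look-alikes
SHARED_HOSTS = ("adobe.com", "canva.com", "dropbox.com")  # platforms the page reports being abused
SIMILARITY_THRESHOLD = 0.75

# Constructed sample set: the defanged domains quoted on this page, the real site,
# a benign decoy, and a HYPOTHETICAL shared-hosting URL (the adobe.com path is invented).
SAMPLE = [
    "icc3[.]live",
    "practicinglawyer[.]net",
    "ic3a[.]com",
    "https://www.ic3.gov/Home/ComplaintChoice",
    "hxxps://new.express.adobe.com/webpage/ic3-report-form",
    "example[.]org",
]


def refang(s: str) -> str:
    """Undo common IoC defanging: '[.]' -> '.', 'hxxp' -> 'http'."""
    return re.sub(r"\[\.\]", ".", s).replace("hxxp", "http")


def host_of(s: str) -> str:
    """Lowercase hostname from a bare domain or a URL (scheme optional, port/path stripped)."""
    s = refang(s).strip().lower()
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/?#:]+)", s)
    return m.group(1) if m else s


def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for .com/.gov/.org; use the Public Suffix List in real code."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def label_similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 'icc3' vs 'ic3' and 'ic3a' vs 'ic3' both score about 0.86."""
    return SequenceMatcher(None, a, b).ratio()


def classify(candidate: str) -> dict:
    """Return a verdict ('legitimate', 'suspicious', 'benign') with the reasons that fired."""
    host = host_of(candidate)
    reg = registrable(host)
    label = reg.split(".")[0]
    legit_label = LEGIT_DOMAIN.split(".")[0]
    result = {"input": candidate, "host": host, "registrable": reg,
              "verdict": "benign", "reasons": []}

    if reg == LEGIT_DOMAIN:
        result["verdict"] = "legitimate"
        return result

    # Check 1: a brand token inside a registrable domain that is not ic3.gov.
    hits = [t for t in BRAND_TOKENS if t in reg]
    if hits:
        result["reasons"].append(f"brand token(s) {hits} in domain outside {LEGIT_DOMAIN}")

    # Check 2: the leftmost label is a near miss of 'ic3' (typosquat / added character).
    sim = label_similarity(label, legit_label)
    if label != legit_label and sim >= SIMILARITY_THRESHOLD:
        result["reasons"].append(f"label '{label}' is {sim:.2f} similar to '{legit_label}'")

    # Check 3: brand-themed path on a shared hosting platform (reputation of the host is no signal).
    if reg in SHARED_HOSTS:
        url = refang(candidate).lower()
        path = url.split(host, 1)[-1]
        if any(t in path for t in BRAND_TOKENS):
            result["reasons"].append(f"brand token in page path on shared host {reg}")

    if result["reasons"]:
        result["verdict"] = "suspicious"
    return result


def scan(items) -> list:
    """Classify every candidate and return the list of result dicts."""
    return [classify(c) for c in items]


if __name__ == "__main__":
    for r in scan(SAMPLE):
        print(f"{r['verdict']:<11} {r['input']}")
        for reason in r["reasons"]:
            print(f"            - {reason}")
```

Running it flags icc3[.]live on label similarity alone (it contains no literal “ic3” token), ic3a[.]com on both the token and the similarity check, and the hypothetical adobe.com page on its path, while www.ic3.gov is recognized as legitimate. practicinglawyer[.]net comes back benign: nothing in the name resembles the brand, which is exactly the gap the page’s recommendation of visual-similarity (computer vision) detection is meant to close, so name-based scoring should be one input to a verdict, not the verdict itself.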

Indicators of Compromise

  • [Domain] Fake IC3 domains named in the source as staged FBI reporting sites – icc3[.]live, practicinglawyer[.]net, ic3a[.]com
  • [Domain] Additional spoof domains and variations from the roughly 30 observed – ic3-gov[.]com, ic3gov[.]org, fbi-ic3[.]com, ic3helpdesk[.]com
  • [Hosting / Platform] Legitimate hosting platforms abused to serve phishing pages – adobe[.]com, canva[.]com, dropbox[.]com (the platform domain is not an indicator by itself; only the specific page URLs are)


Read more: https://www.varonis.com/blog/fbi-phishing-website