FBI warns InfraGard members of ‘malicious’ copycat website
The FBI has warned members of its InfraGard program that a website mimicking its genuine InfraGard.org property is requesting login credentials for the bureau’s information sharing platform.
“Please be aware www.InfraGard.com is not associated with the InfraGard Program. This site is maliciously collecting information that is entered. You are strongly advised not to visit this site or enter any personal/account information,” an alert sent Friday to InfraGard members reads.
Embedded tweet: “The FBI’s threat sharing website has been domain squatted” (image: pic.twitter.com/7bVSmPzNIW)
— Sean Cassidy (@sean_a_cassidy) March 25, 2017
When it was still up and running, the InfraGard.com website offered duplicate application forms in which new applicants could enter sensitive information, including Social Security numbers. If a user tried logging into the fake site, it redirected them to the real site’s error page.
InfraGard.com was most recently taken down on March 24.
Embedded tweet: “The fake site (left) looks pretty close to the real site (right). Easily will fool users.” (image: pic.twitter.com/7n6Vw7fqxt)
— Sean Cassidy (@sean_a_cassidy) March 25, 2017
“It does not look like the FBI owned the .com domain immediately previous to the malicious website going up,” said DefenseStorm co-founder Sean Cassidy, who confirmed to CyberScoop that he had received the emailed warning from InfraGard last week.
According to ICANN domain registry information, InfraGard.com was originally registered in 2002. The registration appears to have expired in 2013 and to have been reclaimed later that year.
FBI spokesperson Matthew Bertron told CyberScoop that the Bureau had no “additional information to provide at this time” regarding the incident besides confirming that a warning email was sent to members.
Questions regarding the suspicious, cloned website were sent to an email address that was originally used to register the InfraGard.com domain. An individual who identified as Bryan Nettles responded to CyberScoop’s inquiry.
Nettles said that an unnamed business partner had grabbed HTML code from InfraGard.org and applied it to their own similarly named web property to “attract some random links.”
“It’s just a clone of the .org [InfraGard] page, with all requests forwarding to the .org,” Nettles wrote in one email, “[It] never had any code of any kind to capture any requests.”
Nettles declined to provide contact information for the business partner. He described the associate as an “indian SEO guy” that “doesn’t speak great english.”
“I think my partner used a scraper tool to make a flat .html copy of the .org. [It] never had any code. None of us are coders so we wouldn’t know how,” Nettles wrote in one email.
“[InfraGard.com] had been de-indexed by Google and he just wanted a placeholder that might attract some random links,” Nettles said, “often times Google will bring the site back into their index and it will have some value. So, the indian (search engine optimization) guy I work with sometimes will copy the old existing site and let it sit. During the interim, some people might link to the de-indexed site and help it’s [sic] SEO value.”
An archived copy of the webpage shows that an older version of InfraGard.com hosted marketing material for diet plans and vitamins.
The .com property was taken down on Friday shortly after it exceeded its bandwidth quota, according to Nettles.
“I just assumed it was a DDoS attack or something cause a ton of traffic brought it down and went over bandwidth quota — mostly from one IP,” Nettles said, “when I noticed that, I decided to just delete that account entirely.”
Founded in 1996, InfraGard is a non-profit organization that serves as a platform for cyber threat intelligence sharing between the FBI, private companies, academics and other non-governmental organizations. Members can access and contribute information concerning cybersecurity, counterintelligence and counterterrorism threats. More than 50,000 individuals have access to the InfraGard platform.