The following bulletins were released in late May by the FBI to private industry partners and discuss attempts by malicious cyber actors to exploit government and private industry networks and employees, including their family members, using targeted campaigns involving false personas on various social media platforms. The bulletins were originally posted on the website of The Security Awareness Company.
| Document | Length | Date |
|---|---|---|
| FBI Cyber Division Private Industry Notification | 3 pages | May 29, 2014 |
| FBI Liaison Alert System #M-000031-PH | 3 pages | May 29, 2014 |
(U) Law enforcement has become aware that foreign cyber adversaries are utilizing popular social network sites to assess, target and successfully conduct computer network exploitation activities against:
- US federal, state and local government and private academic and industry networks
- Individual employees of US federal, state and local government and private academic and industries
- Family members and personal and/or professional associates of these employees and private citizens with high visibility

It is advised that industry use due diligence to inform and educate their associates on the vulnerabilities associated with the use of social networking sites.
(U) The FBI and NCIS believe a group of cyber actors have been using various social networking sites to conduct spear phishing activities since at least 2011. FBI and NCIS investigation to date has uncovered 56 unique Facebook personas, 16 domains, and a group of IP addresses associated with these actors. These personas typically would attempt to befriend specific types of individuals such as government, military, or cleared defense contractor personnel. After establishing an online friendship, the actor would send a malicious link (usually through one of the associated domains) to the victim, either through e-mail or in a chat on the social networking site, eventually compromising the target’s computer. While this FLASH specifically deals with Facebook personas, it is believed that many of these personas also maintain a presence on other social networking sites such as LinkedIn, Google +, and Twitter which are just as malicious. This group of cyber actors also has created and maintained multiple malicious Web sites, often spoofing a legitimate Web site and implanting malicious links into the actor’s version of the Web site.
(U) Based on investigative efforts, the FBI and NCIS believe the following names and Facebook User IDs (FBUID) are associated with fake personas and are involved in spear phishing activities on Facebook and additional social networking sites:
(U) The following IP addresses have also been identified as associated with these actors: