A vulnerable component in a content management system has enabled savvy cybercriminals behind a spam campaign to spoof .gov site URLs by abusing a short link designed to validate the authenticity of redirects to U.S. government websites.
The click rate of the campaign has been significant, redirecting more than 16,000 victims over a five-day period to a malicious website designed to look like a CNBC news article pushing several work-from-home scams. The phishers have abused several U.S. state government domains, including Vermont.gov, Iowa.gov, Indiana.gov and ca.gov. Guam.gov and Vermont.gov appear to have been abused the most so far this month, according to data collected by Dell SecureWorks.
Email spam has been the primary method for distributing the short links, wrote Jeff Jarmoc of Dell SecureWorks' Counter Threat Unit.
"While it seems the perpetrators are not targeting .gov sites specifically and are not using the government as a lure, the ability to generate short .gov links that lead users to malicious domains is concerning," Jarmoc wrote in an advisory about the phishing scam issued on Wednesday. "If combined with a government-focused message, such as the common tax season phishing emails, this spam could lure even savvy users."
Many of the links in the ongoing spam campaign abuse 1.usa.gov short URLs, according to Dell SecureWorks. The 1.usa.gov short URL service is run by the U.S. government, in partnership with bitly.com. It was designed to enable users to submit a long URL to bitly that resides on a .gov or .mil top-level domain. The goal of the service is to make it easier to verify the authenticity of a U.S. government site in a shortened URL.
"Despite the best intentions, 1.usa.gov short links seem to be ineffective at ensuring the ultimate destinations of the URLs are trustworthy government websites," Jarmoc wrote.
Dell traced the IP addresses of the malicious servers used in the attack to hosting services in Moscow and to InMotion Hosting Inc., based in Los Angeles.
Phishers exploit open redirect flaw
The cybercriminals hunt for servers running a vulnerable version of DotNetNuke's LinkClick.aspx, a component designed to let website developers configure a set of custom redirect rules.
"By exploiting an open-redirect vulnerability in this .aspx file, the attacker can direct traffic to a non-.gov site under his control, while exposing only a 1.usa.gov short link in the initial message," Jarmoc wrote.
An open-redirect vulnerability is a common coding error in Web applications that simplifies phishing attacks by bypassing protection mechanisms. Attackers can set up spoofed pages and more easily dupe people into giving up account credentials or infecting their systems with malware.
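The following is an added illustration, not DotNetNuke's code or anything from the advisory, of what separates an open redirect from a validated one: a redirect handler that trusts a `link` parameter as-is, beside one that resolves the target against the site's own origin and refuses anything that lands on another host. The site origin and the sample links are constructed for the example.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Constructed sample origin for the site hosting the redirect endpoint
# (stands in for a .gov site; not a real host from the article).
SITE_ORIGIN = "https://www.example-state.gov"


def vulnerable_redirect_target(link: str) -> str:
    """Open redirect: the caller-supplied parameter is used verbatim."""
    return link


def safe_redirect_target(link: str, site_origin: str = SITE_ORIGIN) -> Optional[str]:
    """Return an absolute same-site URL to redirect to, or None to refuse."""
    site = urlsplit(site_origin)
    try:
        # Relative paths resolve against our own origin; absolute URLs and
        # protocol-relative ones ("//host/path") keep the host they name.
        target = urlsplit(urljoin(site_origin, link))
    except ValueError:
        return None  # malformed input (e.g. bad IPv6 literal) is refused
    if target.scheme not in ("http", "https"):
        return None  # only web schemes may be redirect targets
    if target.username is not None or target.password is not None:
        return None  # "user@host" forms hide the real host; refuse them
    if target.netloc.lower() != site.netloc.lower():
        return None  # host (and port) must be exactly our own site
    return target.geturl()


if __name__ == "__main__":
    for link in ("/portals/0/report.pdf",
                 "https://www.example-state.gov/news",
                 "http://evil.example/cnbc-lookalike",
                 "//evil.example/x"):
        print(f"{link!r:45} vulnerable -> {vulnerable_redirect_target(link)}")
        print(f"{'':45} validated  -> {safe_redirect_target(link)}")
```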