Spam campaign abuses flaw tricking thousands with shortened .gov URLs

Robert Westervelt, News Director

A vulnerable component in a content management system has enabled savvy cybercriminals behind a spam campaign to spoof .gov site URLs by abusing a short link designed to validate the authenticity of redirects to U.S. government websites.

The click rate of the campaign has been significant, redirecting more than 16,000 victims over a five-day period to a malicious website designed to look like a CNBC news article pushing several work-from-home scams. The phishers have abused several U.S. state government domains, including Vermont.gov, Iowa.gov, Indiana.gov and ca.gov. Guam.gov and Vermont.gov appear to have been abused the most so far this month, according to data collected by Dell SecureWorks.

Email spam has been the primary method for distributing the short links, wrote Jeff Jarmoc of Dell SecureWorks' Counter Threat Unit.

"While it seems the perpetrators are not targeting .gov sites specifically and are not using the government as a lure, the ability to generate short .gov links that lead users to malicious domains is concerning," Jarmoc wrote in an advisory about the phishing scam issued on Wednesday. "If combined with a government-focused message, such as the common tax season phishing emails, this spam could lure even savvy users."

Many of the links in the ongoing spam campaign abuse 1.usa.gov short URLs, according to Dell SecureWorks. The 1.usa.gov short URL service is run by the U.S. government, in partnership with bitly.com. It was designed to enable users to submit a long URL to bitly that resides on a .gov or .mil top-level domain. The goal of the service is to make it easier to verify the authenticity of a U.S. government site in a shortened URL.  

"Despite the best intentions, 1.usa.gov short links seem to be ineffective at ensuring the ultimate destinations of the URLs are trustworthy government websites," Jarmoc wrote.

Dell traced the IP destination of the malicious servers used in the attack to hosting services in Moscow and InMotion Hosting Inc., based in Los Angeles.

Phishers exploit open redirect flaw

The cybercriminals hunt for servers running a vulnerable version of DotNetNuke's LinkClick.aspx, a component designed to give website developers the ability to configure a set of custom redirect rules.

"By exploiting an open-redirect vulnerability in this .aspx file, the attacker can direct traffic to a non-.gov site under his control, while exposing only a 1.usa.gov short link in the initial message," Jarmoc wrote.

An open-redirect vulnerability is a common coding error in Web applications that simplifies phishing attacks by bypassing protection mechanisms: the application forwards users to whatever destination a request parameter names, so a link that begins on a trusted domain can end on an attacker's. Attackers can set up spoofed pages and more easily dupe people into giving up account credentials or infecting their systems with malware.
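The defect described above, and the check that closes it, as an added illustration that is not DotNetNuke's code or part of the original article: the vulnerable pattern forwards to whatever the link parameter says, while the hardened version resolves the target against the site's own origin and refuses anything that does not land on an allowlisted host. The origin, allowed hosts and sample links below are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

# Constructed example values: the site's own origin and the hosts a
# redirect handler is permitted to send users to.
SITE_ORIGIN = "https://example-state.gov"
ALLOWED_HOSTS = {"example-state.gov", "www.example-state.gov"}


def vulnerable_redirect_target(link: str) -> str:
    """The open-redirect pattern: the request parameter is trusted as-is,
    so a URL that starts on the trusted domain ends wherever it says."""
    return link


def safe_redirect_target(link: str, fallback: str = "/") -> str:
    """Return an absolute URL on an allowed host, or `fallback` when the
    requested target cannot be verified as safe.

    Covers the usual bypasses of a naive "starts with /" check:
    protocol-relative '//host', backslash variants, userinfo '@' tricks,
    look-alike subdomains and non-http schemes.
    """
    # Browsers treat backslashes as slashes; urlsplit does not, so
    # normalise first or '\\evil.example' would parse as a relative path.
    candidate = link.replace("\\", "/").strip()
    # Resolving against the origin turns '//evil.example' into an
    # absolute https URL and leaves 'javascript:' as its own scheme,
    # so both are caught by the checks below instead of slipping
    # through as "relative" links.
    resolved = urljoin(SITE_ORIGIN + "/", candidate)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return fallback
    # hostname strips userinfo and port, so
    # 'https://example-state.gov@evil.example/' yields 'evil.example'.
    if parts.hostname not in ALLOWED_HOSTS:
        return fallback
    return resolved
```

Exact-host matching is deliberate: a suffix check such as `endswith(".gov")` would still accept `example-state.gov.evil.example`.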
