
Spam campaign abuses flaw tricking thousands with shortened .gov URLs

Spammers have spoofed shortened URLs designed to validate redirects to several states including California, Iowa, Indiana and Vermont.

A vulnerable component in a content management system has enabled savvy cybercriminals behind a spam campaign to spoof .gov site URLs by abusing a short link designed to validate the authenticity of redirects to U.S. government websites.


The click rate of the campaign has been significant, redirecting more than 16,000 victims over a five-day period to a malicious website designed to look like a CNBC news article pushing several work-from-home scams. The phishers have abused several U.S. state government domains, including,, and and appear to have been abused the most so far this month, according to data collected by Dell SecureWorks.

Email spam has been the primary method for distributing the short links, wrote Jeff Jarmoc of Dell SecureWorks' Counter Threat Unit.

"While it seems the perpetrators are not targeting .gov sites specifically and are not using the government as a lure, the ability to generate short .gov links that lead users to malicious domains is concerning," Jarmoc wrote in an advisory about the phishing scam issued on Wednesday. "If combined with a government-focused message, such as the common tax season phishing emails, this spam could lure even savvy users."

Many of the links in the ongoing spam campaign abuse short URLs, according to Dell SecureWorks. The short URL service is run by the U.S. government, in partnership with It was designed to enable users to submit a long URL to bitly that resides on a .gov or .mil top-level domain. The goal of the service is to make it easier to verify the authenticity of a U.S. government site in a shortened URL.  

"Despite the best intentions, short links seem to be ineffective at ensuring the ultimate destinations of the URLs are trustworthy government websites," Jarmoc wrote.

Dell traced the IP destination of the malicious servers used in the attack to hosting services in Moscow and InMotion Hosting Inc., based in Los Angeles.

Phishers exploit open redirect flaw

The cybercriminals hunt for servers with a vulnerable version of DotNetNuke's LinkClick.aspx, software designed to give website developers the ability to configure a set of custom redirect rules.

"By exploiting an open-redirect vulnerability in this .aspx file, the attacker can direct traffic to a site under his control, while exposing only a short link in the initial message," Jarmoc wrote.

An open-redirect vulnerability is a common coding error in Web applications that simplifies phishing attacks by bypassing protection mechanisms. Attackers can set up spoofed pages and more easily dupe people into giving up account credentials or infect their systems with malware.
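The gap described above is that a shortener checking only the first hop's top-level domain will vouch for a .gov URL whose query string hands the visitor off to another site. The following is an added example, not code from the short URL service, DotNetNuke or the Dell SecureWorks advisory; it assumes the redirect target travels in a query parameter, and the hosts, the `/go` path and the `dest` parameter are hypothetical.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

TRUSTED_SUFFIXES = (".gov", ".mil")  # TLDs the shortener is meant to vouch for


def host_is_trusted(host):
    """True only when the hostname itself ends in a trusted TLD."""
    return (host or "").lower().rstrip(".").endswith(TRUSTED_SUFFIXES)


def embedded_targets(url):
    """Yield (param, host) for query values that parse as absolute URLs."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # Undo a second layer of encoding and browser-tolerated backslashes.
        candidate = unquote(value).strip().replace("\\", "/")
        if candidate.startswith("//"):  # scheme-relative form
            candidate = "http:" + candidate
        try:
            parts = urlsplit(candidate)
        except ValueError:  # malformed value, nothing to follow
            continue
        if parts.scheme in ("http", "https") and parts.hostname:
            yield name, parts.hostname


def vet_long_url(url):
    """Return (ok, reason) for a long URL submitted for shortening."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https") or not host_is_trusted(parts.hostname):
        return False, "destination is not on .gov/.mil"
    for name, host in embedded_targets(url):
        if not host_is_trusted(host):
            return False, f"parameter {name!r} points off-domain to {host}"
    return True, "ok"


# Constructed sample submissions (hypothetical hosts, path and parameter).
SAMPLES = [
    "https://state.example.gov/reports/2012.pdf",
    "https://state.example.gov/go?dest=http%3A%2F%2Fnews.example.net%2Fjobs",
    "https://state.example.gov/go?dest=//news.example.net/jobs",
    "https://state.example.gov/go?dest=https://state.example.gov@news.example.net/",
    "https://state.example.gov.example.net/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(vet_long_url(sample), sample)
```

This vets only what is visible in the submitted URL; a redirect decided server-side leaves no trace in the query string, so the chain still has to be followed and re-checked when the short link is resolved.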
