Application security, Malware, Network Security, Phishing

Redirect flaw on .gov sites leaves open door for phishers

At least 20,000 users have fallen victim to a spam campaign that uses shortened links to legitimate government sites to carry out a hoax.

In the scams, users receive emails containing “1.usa.gov” short links and, upon clicking, are redirected twice: first through a legitimate government site, which they pass immediately, then to websites that look like CNBC news articles touting “$4,000 a month” home-based business opportunities.

Once at the fake CNBC site, victims are lured into clicking on links on the page that direct them to a home-based business site also owned by attackers.

Researchers at Dell SecureWorks Counter Threat Unit (CTU) dissected the campaign and have yet to see any malware hosted on the attacker-controlled sites, though exploit kits could appear on the pages at any time.

Jeff Jarmoc, senior security researcher at CTU, told SCMagazine.com on Friday that to steal personal information, fraudsters count on victims filling out a form on the home-based business site.

“I haven't seen anything that asks for credit card information,” Jarmoc said. “All I've seen is [forms] asking for names, addresses, phone numbers and emails. They may be used to recruit money mules. I'm not entirely sure what they are after, but it seems to be direct financial fraud, or to get you to participate in some other scheme.”

While the campaign is relatively elementary, the tactic is troubling, as attackers are exploiting a vulnerability in legitimate government sites to redirect victims elsewhere, researchers said.

A Dell SecureWorks blog post published Wednesday by Jarmoc explained the flaw.

“By exploiting an open-redirect vulnerability in [an] .aspx file, the attacker can direct traffic to a non-.gov site under his control, while exposing only a 1.usa.gov short link in the initial [emailed] message,” the post said. Users never see the government site from which they are redirected, only the fake CNBC article laden with suspicious links.
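The flaw described above is a redirect handler that forwards to whatever destination a request parameter names. The following is an added example, not code from the article, Dell SecureWorks or any of the affected sites; the original .aspx file is not on the page, so the vulnerable handler, the hardened one, the hostname example.gov and the allow-list are all assumptions made for illustration. The hardened version accepts only same-site paths or absolute URLs whose host is on the allow-list, and it handles the usual ways a check like that gets bypassed (scheme-relative `//host`, extra leading slashes, backslashes, userinfo tricks and non-HTTP schemes).

```python
from urllib.parse import urlsplit, urljoin

# Constructed placeholders for the site running the redirect handler (assumption,
# not a site named in the article).
SITE_ORIGIN = "https://example.gov"
ALLOWED_HOSTS = {"example.gov", "www.example.gov"}


def redirect_target_vulnerable(next_param: str) -> str:
    """The open-redirect pattern: the Location header is the parameter, verbatim.
    Any absolute URL in the parameter sends the user off-site."""
    return next_param


def redirect_target_safe(next_param: str, default: str = "/") -> str:
    """Return a Location value that stays on an allowed host, or `default`."""
    if not next_param:
        return default
    # Browsers ignore tab/CR/LF inside URLs and treat backslash like slash,
    # so normalise before inspecting anything.
    candidate = "".join(ch for ch in next_param if ch not in "\t\r\n").strip()
    candidate = candidate.replace("\\", "/")
    # "//host", "///host" and "/\host" are all scheme-relative URLs to browsers.
    if candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL: only http(s) to an allow-listed host. `hostname` is the
        # real host even when userinfo such as "example.gov@" is prepended.
        if parts.scheme.lower() not in ("http", "https"):
            return default
        if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
            return default
        return candidate
    # Relative reference: require an absolute path on this site.
    if not candidate.startswith("/"):
        return default
    return urljoin(SITE_ORIGIN, candidate)
```

In ASP.NET MVC the same intent is usually expressed with `Url.IsLocalUrl(returnUrl)` before redirecting; the point of the example is what that check has to reject, which is the same regardless of framework.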

Attackers have managed to work around a link-shortening safeguard introduced last year by usa.gov, which was meant to make it easier for users to distinguish trustworthy short URLs for U.S. government sites. 

In March 2011, USA.gov collaborated with URL-shortening service Bitly.com to provide "1.usa.gov" short links to users in place of long URLs for .gov or .mil domains.

Scammers have exploited open-redirect vulnerabilities in several government sites, including Vermont.gov, CA.gov and Guam.gov, and used the sites as portals to redirect users to their spurious pages.
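The safeguard in the paragraphs above checks only the long URL handed to the shortener, so a .gov address that then redirects elsewhere passes it. The following added example (not code from the article, USA.gov or Bitly) shows why a check on the first hop is not enough and what a defender would check instead: it walks a captured redirect chain and reports every hop whose host is outside .gov/.mil. The hop table, the short-link path and the hostnames are constructed placeholders; in practice the table would be filled from responses fetched without following redirects.

```python
from urllib.parse import urlsplit, urljoin

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed capture of one short link's redirect chain: URL -> (status, Location).
# None of these hosts are the real sites named in the article.
CAPTURED_HOPS = {
    "https://1.usa.gov/PLACEHOLDER": (
        301, "https://example.gov/redirect.aspx?url=http://fake-news.example/article"),
    "https://example.gov/redirect.aspx?url=http://fake-news.example/article": (
        302, "http://fake-news.example/article"),
    "http://fake-news.example/article": (200, None),
}


def is_government_host(url: str) -> bool:
    """The shortener's rule: the host must be under .gov or .mil."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith((".gov", ".mil"))


def resolve_chain(start: str, hops: dict, max_hops: int = 10) -> list:
    """Follow Location headers from the captured table, stopping on a
    non-redirect status, a missing entry, a loop, or the hop limit."""
    chain = [start]
    current = start
    for _ in range(max_hops):
        status, location = hops.get(current, (None, None))
        if status not in REDIRECT_STATUSES or not location:
            break
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in chain:
            break  # redirect loop
        chain.append(nxt)
        current = nxt
    return chain


def off_government_hops(chain: list) -> list:
    """Every hop that leaves .gov/.mil; non-empty means the first-hop
    check was bypassed via a redirect on the government site."""
    return [url for url in chain if not is_government_host(url)]


if __name__ == "__main__":
    chain = resolve_chain("https://1.usa.gov/PLACEHOLDER", CAPTURED_HOPS)
    print("first hop accepted by shortener:", is_government_host(chain[1]))
    print("hops outside .gov/.mil:", off_government_hops(chain))
```

A shortener or mail filter that applies `is_government_host` to the final landing URL of the resolved chain, rather than only to the submitted long URL, would have rejected or flagged the link in this campaign.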

The U.S. General Services Administration, which manages the usa.gov website, emailed a statement to SCMagazine.com on Friday that said the agency was aware of the redirect flaw being leveraged by fraudsters.

"GSA is aware of the issue and have worked closely with bit.ly, our partner, to quickly resolve the problem," the statement said. "GSA has removed the affected domains. In addition, we've contacted the web managers of the sites and we're working with them to assist in removing the vulnerability. We will continue to monitor the sites until the issue is resolved."

The statement said the issue had allowed GSA to "learn of some vulnerabilities on some government websites," which will help the administration to detect more bugs in the future.

This is not the first time spammers have taken advantage of the trust users place in shortened links.
