Spammers have recently taken advantage of an open-redirect vulnerability to phish users and trick them into clicking through links that appear to be coming from government (.gov) URLs.
The scam relies on a malformed series of URLs that appear to be coming from 1.USA.gov, a collaboration between USA.gov and Bitly, the URL shortening service. The service intends to make it so it’s clearer to users that certain links are coming from a legitimate .gov domain. While some are using the shortened link service for good, researchers at Symantec and Dell have discovered that scammers have found a way to use the 1.USA.gov addresses to redirect to users their own malicious sites.
Instead of being directed to a government site, when clicking on these links, users are forwarded to a site that looks like a financial news website. According to Dell, portions of the site’s HTML are lifted directly from CNBC.com. While the site seems genuine at first, users will later notice the article is actually a work-from-home advertisement where all of the links lead to the spammers’ payload.
According to a post on Dell’s Secureworks blog last week, the company’s research team the Counter Threat Unit (CTU) seems to think that the open-direct vulnerability these links are exploiting comes from servers that are vulnerable to a file, DotNetNuke’s LinkClick.aspx. It’s through this flawed file that attackers are able to send unsuspecting users to sites of their choosing.
While Secureworks has tracked these open redirects and noticed them increasing gradually since October 1, it wasn’t until early last week, between October 12 and 16, that clickthroughs hit their stride. According to Symantec, on October 18, spam clicks made up 15.1 percent of 1.USA.gov’s URLs while an article from SC Magazine today suggests that upwards to 20,000 users have been duped by the bogus .gov links so far.
According to both firms, the scams are being hosted on sites with suspicious names like consumeroption.net, workforprofit.net and consumerstoday.net.
The scam could spell danger for users, especially in the weeks leading up to the 2012 election as countless emails intended to drive users to government websites continue to be circulated.