Spammers Using Short .gov URLs to Trick Victims

CommanderFrank

If you have been receiving official-looking correspondence which turns out to be spam, even though it has the official .gov URL, you aren’t alone. No, the FBI isn’t going to be knocking on your door, nor is the IRS collecting back taxes via your email address; it’s just savvy spammers taking advantage of a link vulnerability.

The security company found that this is a recent phenomenon: in the last week, over 43,049 clicks were made through 1.usa.gov shortened URLs to 10 spam domains. Unsurprisingly, most of them came from the US.
 
The example used a linkclick.aspx page. So the underlying problem is gov't IIS servers allowing redirection. That should be fixed first so 1.usa.gov links can't be redirected to other domains, unless the gov domain is hacked.
 
the fact these "groups" are able to register a .gov URL is what worries me more, i thought it was a pretty thorough process?
 

They aren't registering domains.

The idiot feds created a redirector script where it redirects to the URL specified in the parameters (after the ?). They neglected, however, to limit it to official websites so the redirector can be used to redirect to any website on any domain.
 
As Symantec points out, however, spammers can use an open-redirect vulnerability to set up a 1.usa.gov URL which ends up taking the victim to a spam website. Therefore, something like 1.usa.gov/…/Rxpfn9 takes you to labor.vermont.gov/LinkClick.aspx?link=[spam site] which then redirects you to the spam site in question.
Here's the meaty bit for everyone too lazy to read through the article.
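The redirect chain the last two posts describe, as an added Python illustration (not the LinkClick.aspx code and not from the thread): a minimal redirector that follows the link parameter unchecked, next to a hardened version that only follows targets whose host is on an explicit allowlist. ALLOWED_HOSTS, the function names, and the sample URLs are assumptions made for the illustration; evil.example is a constructed placeholder, not a real spam domain from the article.

```python
"""Open-redirect check for a LinkClick-style redirector.

Added illustration, not the real LinkClick.aspx code. The handler in the
thread took the ``link`` query parameter and redirected to it unchanged; the
hardened version below only follows targets whose host is on an allowlist.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist: the only hosts this redirector may send users to.
ALLOWED_HOSTS = {"labor.vermont.gov", "vermont.gov"}


def vulnerable_redirect_target(query_string: str) -> Optional[str]:
    """The behaviour described in the thread: wherever ``link`` points, go there."""
    params = parse_qs(query_string)
    return params.get("link", [None])[0]


def is_allowed_redirect(target: Optional[str], allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for an absolute http(s) URL whose host is one of the
    allowed hosts or a subdomain of one.  Everything else (relative paths,
    scheme-relative ``//host`` URLs, other schemes, userinfo tricks) is refused."""
    if not target:
        return False
    # Some browsers treat backslashes as slashes; normalise before parsing so
    # "https:\\host" cannot slip past as a relative path.
    parts = urlsplit(target.replace("\\", "/"))
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lowercased; userinfo ("user@") and port are stripped
    if not host:
        return False
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def hardened_redirect_target(query_string: str) -> Optional[str]:
    """Same parameter handling, but an off-allowlist target yields None so the
    caller serves an error page instead of issuing a Location header."""
    target = vulnerable_redirect_target(query_string)
    return target if is_allowed_redirect(target) else None


# Constructed sample query strings, mirroring the "link=[spam site]" shape
# quoted in the thread.
SAMPLES = {
    "internal": "link=https://labor.vermont.gov/jobs",
    "subdomain": "link=https://jobs.vermont.gov/",
    "external": "link=https://evil.example/promo",
    "userinfo": "link=https://labor.vermont.gov@evil.example/",
    "scheme_relative": "link=//evil.example/",
    "lookalike": "link=https://labor.vermont.gov.evil.example/",
    "other_scheme": "link=ftp://labor.vermont.gov/",
}


def compare_samples() -> dict:
    """Map each sample to (what the unchecked redirector would do, what the
    hardened one does)."""
    return {
        name: (vulnerable_redirect_target(qs), hardened_redirect_target(qs))
        for name, qs in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (unchecked, checked) in compare_samples().items():
        print(f"{name:16} unchecked -> {unchecked!r:55} hardened -> {checked!r}")
```

The allowlist is matched on the parsed hostname rather than by searching the raw string, which is what defeats the userinfo and lookalike-domain cases: a substring check for "vermont.gov" would pass both.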
 

Yeah it still works. I replaced link=[spam site] with link=http://hardforum.com and it took me back here.
 