Recently, a phishing trick involving shortened .gov URLs has been luring even savvy internet users. Spam email is the primary method for distributing the short links, and the click rate has been significant: in just five days, over 16,000 victims followed a link that appeared to lead to a CNBC news article about a “work from home” scheme, the kind of offer most people know deep down is a scam.
But because the phishers route their shortened URLs through several U.S. state government domains, such as Vermont.gov and a state tax service, even careful users can fall into the trap.
The .gov short URL service is run by the U.S. government in partnership with bitly.com. It lets users submit a long URL that resides on a .gov or .mil top-level domain and receive a 1.usa.gov short link, so that a shortened link can be recognized as pointing to a U.S. government site. The check, however, applies only to the submitted long URL. Some .gov sites run web software that lets developers configure custom redirect targets, and where that software accepts a visitor-supplied destination without validating it, the result is an open redirect: the 1.usa.gov link resolves to a genuine .gov page, which immediately forwards the visitor to the phishing site. The shortener's protection mechanism is bypassed, and the phishing attack becomes that much easier.
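To make the mechanism concrete, here is an added example in Python (not code from this article, from Dell SecureWorks, or from the shortener service). It models the shortener's .gov/.mil acceptance rule, a redirect endpoint of the kind described, first as the open redirect and then hardened to same-host targets, and shows that the top-level-domain check passes the malicious long URL while only following the redirect reveals the real landing host. The host names www.example.gov and cnbc-workfromhome.example and the /redirect?url= endpoint are assumptions made up for the example.

```python
from urllib.parse import urlparse, parse_qs, urljoin

# Constructed names: a hypothetical .gov host with a redirect endpoint, and a
# hypothetical phishing host. Neither is a real site from the campaign.
GOV_BASE = "https://www.example.gov/"
PHISH_URL = "http://cnbc-workfromhome.example/article"

# The long URL a phisher would submit to the shortener: a genuine .gov host,
# with the phishing destination tucked into the redirect parameter.
MALICIOUS_LONG_URL = (
    "https://www.example.gov/redirect?url="
    "http%3A%2F%2Fcnbc-workfromhome.example%2Farticle"
)


def shortener_accepts(long_url: str) -> bool:
    """Model of the acceptance rule described above: the submitted long URL
    must live under .gov or .mil. Only the submitted URL's host is examined,
    not where that URL eventually sends a visitor."""
    host = (urlparse(long_url).hostname or "").lower()
    return host.endswith((".gov", ".mil"))


def _redirect_param(request_url: str) -> str:
    """Return the 'url' query parameter of an incoming request ('/' if absent)."""
    query = parse_qs(urlparse(request_url).query)
    return query.get("url", ["/"])[0]


def vulnerable_redirect(request_url: str) -> str:
    """Open redirect: whatever the 'url' parameter says becomes the Location
    header, so the attacker chooses the destination."""
    return _redirect_param(request_url)


def hardened_redirect(request_url: str, base: str = GOV_BASE) -> str:
    """Same endpoint with the destination constrained to our own host.

    Absolute URLs, scheme-relative URLs (//evil.example) and backslash
    variants (/\\evil.example) are refused and replaced with the site root;
    a plain relative path is resolved against the base and re-checked.
    """
    target = _redirect_param(request_url)
    parsed = urlparse(target)
    if parsed.scheme or parsed.netloc or "\\" in target:
        return base
    resolved = urljoin(base, target)
    if urlparse(resolved).hostname != urlparse(base).hostname:
        return base
    return resolved


def landing_host(long_url: str, redirect_fn) -> str:
    """Follow the long URL through the .gov redirect endpoint once and report
    the host the visitor finally lands on. This is the check the shortener's
    top-level-domain rule does not make."""
    parsed = urlparse(long_url)
    gov_host = urlparse(GOV_BASE).hostname
    if parsed.hostname == gov_host and parsed.path == "/redirect":
        return urlparse(redirect_fn(long_url)).hostname or ""
    return parsed.hostname or ""


if __name__ == "__main__":
    print("shortener accepts long URL:  ", shortener_accepts(MALICIOUS_LONG_URL))
    print("vulnerable endpoint lands on:", landing_host(MALICIOUS_LONG_URL, vulnerable_redirect))
    print("hardened endpoint lands on:  ", landing_host(MALICIOUS_LONG_URL, hardened_redirect))
```

The point of the three checks is the gap between them: the long URL is on a .gov host and passes the acceptance rule, yet with the vulnerable endpoint the visitor ends up on the phishing host. The hardened endpoint refuses any destination that names a scheme or host of its own, so the worst an attacker can do is send a visitor to the site root. A shortener that wanted to close the gap on its side would have to follow the redirect chain and judge the final landing host, not just the submitted URL.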
“Despite the best intentions, 1.usa.gov short links seem to be ineffective at ensuring the ultimate destinations of the URLs are trustworthy government websites.” –Jeff Jarmoc, Dell SecureWorks
Dell SecureWorks traced the IP addresses of the malicious servers used in the attack to hosting providers in Moscow and to InMotion Hosting Inc., based in Los Angeles.