Phishing with shortened .gov URLs

Recently, a phishing trick involving shortened .gov URLS has become popular in luring even savvy internet users. Email spam is the primary method for distributing short links, and the click rate has been significant, in just five days redirecting over 16,000 victims that fell for a link that appeared to be a CNBC news article talking about some “work from home” scheme, which everyone deep down inside knows is just a scam.

But the fact that the phishers are using several U.S. State government domains to model their malicious shortened URLs after, like or some tax service, even people with average intelligence can fall into their trap.

The .gov short URL service is run by the U.S. government, in partnership with It was designed to enable users to submit a long URL to bitly that resides on a .gov or .mil top-level domain. The goal of the service is to make it easier to verify the authenticity of a U.S. government site in a shortened URL. But vulnerabilities with software designed to give website developers the ability to configure a set of custom re-direct values creates an open-redirect vulnerability, which simplifies phishing attacks by bypassing protection mechanisms.

Despite the best intentions, short links seem to be ineffective at ensuring the ultimate destinations of the URLs are trustworthy government websites.” –Jeff Jarmoc, Dell SecureWorks

Dell traced the IP destination of the malicious servers used in the attack to hosting services in Moscow and InMotion Hosting Inc., based in Los Angeles.



6 thoughts on “Phishing with shortened .gov URLs

  1. This phishing is pretty advanced in some aspects. I’m sure around tax time will be a popular site to spoof to try to gain personal information.

    • Yeah I think that’s what attackers must be thinking, Taxes and other government related things can be so stressful and time sensitive some people could easily be fooled.

  2. To avoid phishing you really have to understand that any link could be unsafe. I feel like legitimate emails should never supply a link and always just tell you to go to the website on your own for whatever reason that they want.

  3. I feel like this could be something that is actually implemented in the future. Slowly, most institutions and whatnot should stop providing links, even though it’s convenient, and just give directions or contact info. If enough people start doing it, it could be popular enough (or there could be a huge disaster to provoke such measures).

  4. Is there any way to check the URL in its entirety, meaning the whole web address, or do we all have to just assume that it is a phishing lure?

Comments are closed.