Spam epidemic spreading via fake government websites

Shortened .gov URLs have traditionally been restricted to government entities, but spammers have found a way to use them in what has become an explosion of spam messages. According to a Symantec analysis, the phenomenon started on Oct. 12, racking up 43,049 clicks through illegitimate shortened URLs to a variety of spam domains in just the first six days. The security firm noted a big spike in volume on Oct. 18, the last date it analyzed, when spam clicks made up 15.1% of all clicks on 1.usa.gov URLs. By today, that figure is likely much higher.

Sadly, the government itself has opened up the door for unscrupulous types to take advantage of the .gov domain’s inherent trustworthiness. The “How To” page for public-sector employees explains that there is a collaboration between USA.gov and bitly.com, the popular URL shortening service. Now, whenever anyone uses bitly to shorten a URL that ends in .gov or .mil, they will receive a short, “trustworthy” 1.usa.gov URL in return.

“While this feature has legitimate uses for government agencies and employees, it has also opened a door for spammers,” explained Symantec researcher Eric Park, in his blog. “By using an open-redirect vulnerability, spammers were able to set up a 1.usa.gov URL that leads to a spam website.”

Typically, an http://1.usa.gov/ link redirects to an even more official-looking website, such as labor.vermont.gov, which in turn forwards the visitor to the spam site, such as workforprofit.net. In this real-world example, Symantec found the final spam page to tout “a work-at-home scam website that has been designed to look like a financial news network website.”
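The weak link in the chain described above is the open redirect on the intermediate .gov site: a redirect endpoint that forwards the browser to whatever destination is supplied in a parameter. The following is an added example, not code from Symantec or from any government site, that shows the unchecked pattern next to a hardened version. The host `labor.vermont.gov` and the `/redirect` endpoint are used purely as hypothetical names for illustration; the allowlist is constructed for the example.

```python
from urllib.parse import urlsplit, urljoin

# Assumption: the redirect endpoint lives on this host (hypothetical, for illustration)
SITE_HOST = "labor.vermont.gov"
# Constructed allowlist of hosts the endpoint may forward to
ALLOWED_HOSTS = {SITE_HOST, "www.vermont.gov"}


def resolve_redirect_vulnerable(target: str) -> str:
    """The open-redirect pattern: the caller-supplied target is handed straight
    back as the Location header, so any destination is accepted."""
    return target


def resolve_redirect_safe(target: str, fallback: str = "/") -> str:
    """Forward only to a relative path on this site or to an allowlisted host;
    anything else (other hosts, odd schemes, userinfo tricks) goes to fallback."""
    if not target:
        return fallback
    # Browsers treat a backslash in the authority like a slash, so normalise
    # before parsing; otherwise '/\evil.example' would look like a local path.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return fallback  # javascript:, data:, etc.
    if parts.netloc == "":
        # A plain path (no authority). Pin it to our own host; a scheme-relative
        # '//evil.example' never reaches this branch because it has an authority.
        return urljoin(f"https://{SITE_HOST}/", candidate)
    # .hostname drops userinfo ('labor.vermont.gov@evil.example') and the port,
    # so the comparison is against the host the browser would actually contact.
    host = (parts.hostname or "").lower()
    if host in ALLOWED_HOSTS:
        return candidate
    return fallback


if __name__ == "__main__":
    for t in ("/unemployment/claims", "http://workforprofit.net/",
              "//workforprofit.net/", "https://labor.vermont.gov@workforprofit.net/"):
        print(f"{t!r:55} -> {resolve_redirect_safe(t)}")
```

The key design choice is that the safe version decides on the parsed hostname rather than on a substring match: checks such as `"vermont.gov" in target` are defeated by `labor.vermont.gov.workforprofit.net` or by a userinfo prefix, while an exact allowlist comparison on `parts.hostname` is not.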

Spammers are getting savvier, too. Park noted that, to add legitimacy to the website, spammers have designed it so that other links, such as the menu bar at the top and other news articles, actually do lead to the financial news site or other website it is spoofing.

“However, the links in the article all lead to a different website, where the spammer tries to make the sale,” Park noted.

To analyze the situation, Symantec looked at data from USA.gov, which keeps a log of every click on a 1.usa.gov URL.

A range of spam domains have been set up, including consumeroption.net, consumerbiz.net, workforprofit.net, consumeroptions.net, consumerlifenet.net, consumerbailout.net, consumerlifetoday.net, consumerneeds.net, consumerstoday.net and consumerlivestoday.net.

In addition to volume, the data also provides some insight into where the clicks came from. Of the 43,049 spam clicks, 36,664 had a country code associated with them, spanning 124 countries. The top four countries on a daily basis were the US, Canada, Australia and Great Britain. In aggregate, the US made up the biggest slice with 61.7% of the clicks.
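The analysis above, separating spam clicks from legitimate ones in a click log and then counting them by destination and by country, can be reproduced on any log that records the long URL behind each short link. The following is an added example, not Symantec's or USA.gov's code, and the log format is a constructed simplification (one JSON object per line with fields `t`, `u` and `c`), not the real USA.gov feed. The detection rule it applies is the one the article implies: a click is treated as spam when the long .gov URL carries a query parameter whose value is itself an absolute URL pointing outside .gov/.mil.

```python
import json
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample records, not real USA.gov click data. The spam domains are
# the ones named in the article; timestamps and countries are made up.
SAMPLE_LOG = """
{"t": "2012-10-18T09:12:01Z", "u": "http://labor.vermont.gov/redirect.aspx?url=http://workforprofit.net/news/", "c": "US"}
{"t": "2012-10-18T09:12:05Z", "u": "http://www.irs.gov/uac/Newsroom", "c": "US"}
{"t": "2012-10-18T09:13:44Z", "u": "http://labor.vermont.gov/redirect.aspx?url=http%3A%2F%2Fconsumerbiz.net%2F", "c": "CA"}
{"t": "2012-10-18T09:14:10Z", "u": "http://www.nasa.gov/topics/earth/", "c": "GB"}
{"t": "2012-10-18T09:15:30Z", "u": "http://labor.vermont.gov/redirect.aspx?url=//consumeroption.net/", "c": null}
{"t": "2012-10-18T09:16:02Z", "u": "http://www.dol.gov/go?to=https://www.dol.gov/whd/", "c": "AU"}
"""

GOV_SUFFIXES = (".gov", ".mil")


def is_government_host(host: str) -> bool:
    return host.lower().rstrip(".").endswith(GOV_SUFFIXES)


def embedded_external_target(long_url: str):
    """Return the host of the first query-parameter value that is an absolute
    (or scheme-relative) URL outside .gov/.mil, or None if there is none."""
    parts = urlsplit(long_url)
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        value = value.replace("\\", "/")      # browsers read '\\' as '/' here
        if value.startswith("//"):            # scheme-relative still redirects
            value = "http:" + value
        inner = urlsplit(value)
        if inner.scheme in ("http", "https") and inner.hostname \
                and not is_government_host(inner.hostname):
            return inner.hostname.lower()
    return None


def analyse(log_text: str) -> dict:
    """Count total clicks, clicks flagged as redirect-to-spam, the spam hosts
    involved, and the country breakdown of the flagged clicks."""
    total = 0
    flagged = Counter()
    with_country = 0
    countries = Counter()
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        total += 1
        target = embedded_external_target(rec["u"])
        if target is None:
            continue
        flagged[target] += 1
        if rec.get("c"):                      # null/missing country codes are skipped
            with_country += 1
            countries[rec["c"]] += 1
    spam = sum(flagged.values())
    return {
        "total_clicks": total,
        "spam_clicks": spam,
        "spam_share": round(100.0 * spam / total, 1) if total else 0.0,
        "spam_hosts": dict(flagged),
        "spam_clicks_with_country": with_country,
        "countries": dict(countries),
    }


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

On the constructed sample, three of six clicks are flagged (a 50.0% spam share), two of the three carry a country code, and the legitimate `www.dol.gov/go?to=https://www.dol.gov/whd/` redirect is correctly left alone because its embedded target stays on a .gov host.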

“While taking advantage of URL shorteners or an open-redirect vulnerability is not a new tactic, the fact that spammers can utilize a .gov service to make their own links is worrisome,” Park said. “Symantec encourages users to always follow best practices and exercise caution when opening links even if it is a .gov URL.”
