Sophos Cloud Optix
Would you trust a URL which ends with .gov?
US government websites have been left with egg on their faces, after spammers exploited sloppily coded redirect code to redirect gullible internet users into visiting “make money fast” websites.
There are plenty of situations where it can be helpful for a website to redirect users elsewhere on their own site, or to affiliated websites.
But no-one wants to make it easy for spammers and cybercriminals to trick users into believing they are visiting one website, but in fact take them some place where they will be scammed or – worse – have their computer infected.
Unfortunately, there are plenty of open redirects out there, waiting to be exploited.
For instance, at the time of writing, anyone can create a link which exploits an open redirect on a US .gov website to point to wherever they wish.
In the following example, the link ends up at Naked Security:
http://labor.vermont.gov/LinkClick.aspx?link=http://nakedsecurity.sophos.com
In that example, just looking at the link means it’s easy to tell that you are going to end up at Naked Security. But what if you shortened the link with a URL-shortener such as bit.ly?
Then you can provide a link which looks like
http://1.usa.gov/OYCBM7
It’s not so easy to tell that it’s going to end up at Naked Security now, is it?
According to researchers at Symantec, spammers are using precisely this technique to redirect gullible net users into click on what look like legitimate .gov URLs.
The scammers’ shell game is enabled by an agreement between USA.gov and bit.ly that enables .gov or .mil URLs to be shortened into supposedly trustworthy 1.USA.gov URLs.
The trend began on 12 October. Analysis shows that as of 18th October, 43,049 clicks were redirected to spam domains through these shortened 1.USA.gov URLs.
One such: “San Francisco Mom Earns $7,219/Month Part-Time”!
After two hops and a total of three URLs, your final destination is a work-at-home scam designed to look like a financial news network website.
Spammers have attempted to add legitimacy to this particular come-on by adding links in the menu bar to the actual financial news site that the scam is spoofing.
But the links in the article itself actually lead to a site where the spammers try to reel in the gullible, offering to hook us up to $87/hour work-at-home jobs with no prior experience or skills required.
Click-throughs have spiked. Spam accounted for 15.1 percent of all 1.usa.gov URLs as of 18 October, according to researchers.
US citizens are the most likely to fall for these spam messages, with those desperate for $87/hour jobs (or curious security researchers) accounting for 61.7% of click-throughs.
Bit.ly is now displaying a warning message when it sees what it thinks may be an unauthorised shortened link using a usa.gov open redirect.
Although welcome, this isn’t really the best fix for the problem of open redirects on US government websites.
Instead, I would recommend that website owners follow the guidance offered by Google about open redirects, such as checking that the ultimate URL is approved, and considering a whitelist of approved destinations.
As always, be suspicious of unsolicited emails, and don’t click on attachments that unexpectedly pop into your inbox.
While no malware has yet been detected via these .gov redirects, it’s easy to picture how attacks could easily cloak themselves in a legitimate looking .gov URL to serve up something even worse than a phony work-at-home scheme.
Update: A spokesman for the GSA’s Office of Citizen Services and Innovative Technologies, which houses the usa.gov program, offered the following quote to Naked Security:
"GSA is aware of the issue and has worked closely with bit.ly, our collaborator, to quickly resolve the problem. GSA has removed the affected domains. In addition, we've contacted the web managers of the sites and we're working with them to assist in removing the vulnerability. We will continue to monitor the sites until the issue is resolved."
Gov with magnifier image from Shutterstock.
They don't even need to use a URL shortening service – just URL-encoding the parameter would make it much less obvious:
link=%68%74%74%70%3A%2F%2F%6E%61%6B%65%64%73%65%63%75%72%69%74%79%2E%73%6F%70%68%6F%73%2E%63%6F%6D
Indeed – it's amazing what you can do with an encoded URL.
See http://nakedsecurity.sophos.com/2012/08/31/phishi… for instance.
IT JUST GOES TO SHOW YOU CAN'T TRUST ANYTHING OR ANYBODY ANY MORE
Why won’t Bit.ly implement a preview page like TinyURL? If all shortened links took you to a preview page and therefore gave users the chance to see what URL they were being directed to, they would be so much safer to follow. I wouldn’t object to a method of opting out of the preview, but preview should be the default. Bit.ly’s current method of adding a plus to the end of the URL is cumbersome and so impractical that I don’t know if anyone routinely does it.
Would Sophos consider championing a campaign to get this simple safety measure?