Spam with .gov URLs

Symantec is observing an increase in spam messages containing .gov URLs. A screenshot of a sample message is below:
 


 

Traditionally, .gov URLs have been restricted to government entities. This brings up the question of how spammers are using .gov URLs in spam messages.

The answer is on this webpage:

1.USA.gov is the result of a collaboration between USA.gov and bitly.com, the popular URL shortening service. Now, whenever anyone uses bitly to shorten a URL that ends in .gov or .mil, they will receive a short, trustworthy 1.usa.gov URL in return.

While this feature has legitimate uses for government agencies and employees, it has also opened a door for spammers. By exploiting an open-redirect vulnerability on a .gov website, spammers were able to set up a 1.usa.gov URL that ultimately leads to a spam website.

Using the above example:

[http://]1.usa.gov/[REMOVED]/Rxpfn9

leads to

[http://]labor.vermont.gov/LinkClick.aspx?link=http://workforprofit.net/[REMOVED]/?wwvxo

which leads to

[http://]workforprofit.net/[REMOVED]/?wwvxo

The final spam page is a work-at-home scam website that has been designed to look like a financial news network website:
 


 

To add legitimacy to the website, spammers have designed it so that other links, such as the menu bar at the top and other news articles (not shown in the above picture), actually lead to the financial news website that it is spoofing. However, the links in the article all lead to a different website where the spammer tries to make the sale:
 


 

USA.gov provides data created any time anyone clicks on a 1.usa.gov URL (link available on this webpage). Analysis of data from the last seven days shows that this trend began on October 12. As of October 18, 43,049 clicks were made through 1.usa.gov shortened URLs to these spam domains:

  • consumeroption.net
  • consumerbiz.net
  • workforprofit.net
  • consumeroptions.net
  • consumerlifenet.net
  • consumerbailout.net
  • consumerlifetoday.net
  • consumerneeds.net
  • consumerstoday.net
  • consumerlivestoday.net
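
As an added illustration (not code from Symantec or USA.gov), the following Python sketch shows how a defender could flag click records whose expanded URL hands the visitor to another site through a query parameter, as in the LinkClick.aspx chain shown earlier, and tally those clicks by destination host and country. The record layout (`long_url`, `country`), the `agency.example` hosts and the sample records are constructed for this example, and the same-site test is a simplification.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

def offsite_targets(url):
    """Return (param, host) for query parameters holding a URL on another site."""
    try:
        outer = urlsplit(url)
        outer_host = (outer.hostname or "").lower()
        params = parse_qsl(outer.query, keep_blank_values=True)
    except ValueError:
        return []
    hits = []
    for name, value in params:  # parse_qsl has already percent-decoded the value
        try:
            inner = urlsplit(value.strip())
            host = (inner.hostname or "").lower()
        except ValueError:
            continue
        # Only absolute or protocol-relative web URLs can move the visitor off-site.
        if inner.scheme not in ("http", "https", "") or not host:
            continue
        # Simplification: same site = identical host or a parent/subdomain pair.
        same_site = (host == outer_host or host.endswith("." + outer_host)
                     or outer_host.endswith("." + host))
        if not same_site:
            hits.append((name, host))
    return hits

def redirect_click_report(clicks):
    """Tally clicks that pass through an off-site redirect, by host and country."""
    by_host, by_country = Counter(), Counter()
    for rec in clicks:
        hosts = {host for _param, host in offsite_targets(rec["long_url"])}
        if hosts:
            by_country[rec.get("country", "unknown")] += 1
        for host in hosts:
            by_host[host] += 1
    return by_host, by_country

# Constructed click records; field names are assumptions, paths are placeholders.
SAMPLE_CLICKS = [
    {"long_url": "http://labor.vermont.gov/LinkClick.aspx?link=http://workforprofit.net/REDACTED/?wwvxo", "country": "US"},
    {"long_url": "http://labor.vermont.gov/LinkClick.aspx?link=http%3A%2F%2Fworkforprofit.net%2FREDACTED%2F", "country": "CA"},
    {"long_url": "http://www.agency.example/LinkClick.aspx?link=http://www.agency.example/forms", "country": "US"},
    {"long_url": "http://www.agency.example/news?id=42", "country": "GB"},
]

if __name__ == "__main__":
    hosts, countries = redirect_click_report(SAMPLE_CLICKS)
    print(hosts.most_common(), countries.most_common())
```

A production version would compare registrable domains using the Public Suffix List rather than the parent/subdomain shortcut used here.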

This chart shows the number of spam clicks made on a daily basis:
 


 

As seen above, there was a spike in volume on October 18. Due to this increase, spam clicks made up 15.1 percent of all 1.usa.gov URLs.

In addition to volume, the data also provides some insight into the locations of the clicks. 36,664 of 43,049 spam clicks had a country code associated with them. There were 124 countries identified. The top four countries on a daily basis were the United States, Canada, Australia, and Great Britain. In aggregate, the United States made up the biggest slice with 61.7 percent of the clicks:
 

While taking advantage of URL shorteners or an open-redirect vulnerability is not a new tactic, the fact that spammers can utilize a .gov service to make their own links is worrisome. Symantec encourages users to always follow best practices and exercise caution when opening links, even when the link is a .gov URL.