October 23, 2012 By News Staff
A new spam scam uses .gov URLs to lure marks into a false sense of security, Symantec recently announced. Although .gov domains are reserved for government websites, spammers have found a way to use the popular URL shortening service bitly.com to produce links that carry a .gov address.
Many of the spam emails contain a shortened .gov link which, if clicked, redirects the reader to a work-at-home scam website. The scam site is designed to look like a financial news network website, but many of its links lead to a final page where the scammer tries to make a sale.
“Make money and change your life NOW!” the website reads. “Within five minutes you could be making up to $87 an hour and work from the comfort of your own home.”
This spamming technique is not new, Symantec reported, but the use of .gov website endings in the scam is a new development. “Symantec encourages users to always follow best practices and exercise caution when opening links even if it is a .gov URL,” the Symantec website reads.
For an illustrated guide of how the new scam works, visit Symantec.com.
You may use or reference this story with attribution and a link to http://www.govtech.com/security/New-Spam-Scam-Uses-Gov-Links.html
This article (and the quoted Symantec article) both miss what I believe is the most important point: None of this would be possible without URL redirecting within government web portals or applications. On the Symantec website, the true culprit is not the 1.usa.gov redirector (powered by bit.ly). That redirector is restricted to .gov addresses. The only reason it works is because of this little gem: [http://]labor.vermont.gov/LinkClick.aspx?link= Without this gaping hole in the Vermont labor website, the scam wouldn't work.

This should be a cautionary tale for State IT shops to carefully check all redirection to make sure it's properly managed. This should also be part of a larger conversation about web application security. If you look at the OWASP guidelines and top ten security risks (www.owasp.org), you will find that many of those risks are enabled by improper or open redirection.