Threat Actors Exploit Government Website Vulnerabilities For Phishing Attacks


Cybercriminals are increasingly exploiting vulnerabilities in government websites to carry out phishing campaigns, leveraging the inherent trust users place in official domains.

A recent report by Cofense Intelligence shows how attackers are weaponizing .gov top-level domains (TLDs) across multiple countries for malicious purposes, including credential phishing, malware delivery, and command-and-control (C2) operations.

One of the primary methods used by threat actors involves exploiting open redirect vulnerabilities.

Open redirects occur when a web application improperly forwards users to external sites based on user-controlled inputs.

Cofense researchers noted that these vulnerabilities are particularly dangerous because they allow attackers to bypass Secure Email Gateways (SEGs), which often trust government domains by default.

  • Key Exploit: Nearly 60% of the abused .gov domains contained the “noSuchEntryRedirect” path, linked to CVE-2024-25608. This vulnerability, found in the Liferay digital platform widely used by government agencies, enables attackers to redirect users from trusted .gov URLs to malicious phishing pages.
  • Impact: Victims often click on these links without scrutinizing the full URL, making them easy targets for credential harvesting.

The diagram below illustrates the anatomy of an exploited URL used in such attacks:

Open Redirect Exploitation (Source – Cofense)


Global Trends and U.S. Government Domains

From November 2022 to November 2024, over 20 countries were affected by these campaigns. Brazil led as the most targeted country, followed by Colombia and the United States. While U.S.-based .gov domains accounted for only 9% of total abuse cases, they ranked third globally.

  • U.S. Domain Exploitation: All observed U.S. domains were exploited for open redirects, with 77% involving the “noSuchEntryRedirect” element.
  • Phishing Themes: Many campaigns impersonated Microsoft services, using emails that appeared to request signatures on agreements. These campaigns bypassed major SEGs like Microsoft ATP and Mimecast.

In addition to open redirects, some compromised government email addresses were used as C2 servers for malware like Agent Tesla Keylogger and StormKitty in mid-2023 and early 2024. While these cases were limited, they underscore the risks posed by inadequate email security.

Global Abuse Trends (Source – Cofense)

To counter these threats, experts recommend regularly updating software platforms like Liferay to address vulnerabilities such as CVE-2024-25608.

Implementing stricter input validation helps prevent open redirects, while user awareness training ensures individuals can identify phishing attempts and scrutinize URLs.
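As an added illustration of the input validation the article recommends (example code written for this page, not Cofense's or Liferay's), the following contrasts the open-redirect pattern described above, where a user-supplied destination is used as-is, with a hardened check that only permits site-local paths or absolute URLs on an explicit allowlist. The allowlisted host names under the reserved .example TLD are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed allowlist of hosts this application may send users to (an assumption).
ALLOWED_HOSTS = frozenset({"portal.agency.gov.example", "login.agency.gov.example"})


def vulnerable_redirect_target(target: str) -> str:
    """The open-redirect pattern: the request-supplied destination is used unchanged,
    so a link on a trusted domain can send the user anywhere."""
    return target


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for a plain site-local path or an absolute URL on an allowlisted host."""
    if not target or not target.isprintable() or "\\" in target:
        # Reject control characters and backslashes (browsers treat '\' like '/').
        return False
    parsed = urlparse(target)
    if parsed.scheme == "":
        # Relative destination: exactly one leading slash. "//host" and "///host"
        # are scheme-relative and resolve to another origin in browsers.
        return target.startswith("/") and not target.startswith("//")
    if parsed.scheme not in ("http", "https"):
        return False  # javascript:, data:, etc.
    # Compare the parsed host, not the raw string, so "allowed@evil" style userinfo
    # tricks are caught: hostname here is the part after the '@'.
    host = (parsed.hostname or "").lower()
    return host in allowed_hosts


def safe_redirect_target(target: str, default: str = "/", allowed_hosts=ALLOWED_HOSTS) -> str:
    """Hardened replacement: fall back to a fixed landing page when the target fails validation."""
    return target if is_safe_redirect(target, allowed_hosts) else default


if __name__ == "__main__":
    # Constructed test inputs; none are real URLs.
    for candidate in ["/dashboard", "https://portal.agency.gov.example/home",
                      "//evil.example/", "https://portal.agency.gov.example@evil.example/",
                      "javascript:alert(1)"]:
        print(f"{candidate!r:55} -> {safe_redirect_target(candidate)!r}")
```

The check deliberately works on the parsed components rather than string prefixes: a prefix test such as `target.startswith("https://portal.agency.gov.example")` would still accept `https://portal.agency.gov.example.evil.example/` or a userinfo-laden URL, while the parsed `hostname` comparison does not.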

Additionally, enhancing Secure Email Gateway (SEG) configurations by adjusting policies to scrutinize even trusted domains further strengthens security measures.
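To show what "scrutinizing even trusted domains" can look like in practice, here is an added example (written for this page, not Cofense's tooling or any SEG vendor's) of detection logic that inspects links on a trusted domain for redirector behaviour: a redirect-style query parameter pointing off-domain, or the `noSuchEntryRedirect` path marker named in the report. The trusted suffix `.gov.example` stands in for `.gov`, the parameter-name list is a heuristic assumption, and the sample URLs are constructed, not real indicators.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Parameter names that commonly carry a redirect destination (heuristic list, an assumption).
REDIRECT_PARAM_HINTS = ("redirect", "url", "next", "return", "goto", "dest", "target")

# Constructed stand-in for ".gov"; the reserved .example TLD keeps the sample offline-safe.
TRUSTED_SUFFIXES = (".gov.example",)


def analyze_url(url: str, trusted_suffixes=TRUSTED_SUFFIXES) -> dict:
    """Inspect a URL on a trusted domain for signs it is being used as a redirector.

    Returns the source host, whether the path carries the 'noSuchEntryRedirect'
    marker, and every redirect-style parameter whose value resolves to a host
    outside the trusted suffixes.
    """
    parsed = urlparse(url)
    src_host = (parsed.hostname or "").lower()
    result = {"host": src_host, "path_marker": False, "external_targets": []}
    if not src_host.endswith(trusted_suffixes):
        return result  # only trusted domains get this extra scrutiny; others follow normal policy
    result["path_marker"] = "nosuchentryredirect" in parsed.path.lower()
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        if not any(hint in name.lower() for hint in REDIRECT_PARAM_HINTS):
            continue
        for value in values:
            candidate = unquote(value).strip()  # unwrap one extra layer of percent-encoding
            if candidate.startswith("//"):
                candidate = "https:" + candidate  # scheme-relative destination
            dst_host = (urlparse(candidate).hostname or "").lower()
            if dst_host and not dst_host.endswith(trusted_suffixes):
                result["external_targets"].append((name, dst_host))
    return result


def is_suspicious(url: str, trusted_suffixes=TRUSTED_SUFFIXES) -> bool:
    """Policy: flag a trusted host that redirects off-domain or shows the known path marker."""
    r = analyze_url(url, trusted_suffixes)
    return bool(r["external_targets"]) or r["path_marker"]


def flag_suspicious(urls, trusted_suffixes=TRUSTED_SUFFIXES) -> list:
    """Return the subset of URLs (e.g. extracted from an inbound email) that warrant blocking or review."""
    return [u for u in urls if is_suspicious(u, trusted_suffixes)]


# Constructed sample URLs (not real IoCs); every host is under the reserved .example TLD.
SAMPLE_URLS = [
    "https://agency.gov.example/noSuchEntryRedirect?redirect=https://login.evil.example/sign",
    "https://agency.gov.example/c/portal/login?redirect=/web/guest/home",
    "https://agency.gov.example/search?q=budget",
    "https://agency.gov.example/go?next=%252F%252Fphish.example%252F",
    "https://mail.example.com/open?url=https://evil.example/",
]

if __name__ == "__main__":
    for u in flag_suspicious(SAMPLE_URLS):
        print("FLAG", u, analyze_url(u))
```

Two details matter for a gateway rule like this: the second sample is a legitimate same-site redirect and is not flagged, so the rule does not simply block every `redirect=` parameter on a government host, and the fourth sample shows why the value is decoded once more after `parse_qs`, since a double-encoded scheme-relative destination would otherwise parse as a harmless relative path.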

The exploitation of government websites for phishing campaigns illustrates how even trusted digital infrastructure can be weaponized against unsuspecting users.



