Slashdot Mirror


Spammers Using Shortened .gov URLs

hypnosec writes "Cyber-scammers have started using '1.usa.gov' links in their spam campaigns in a bid to fool gullible users into thinking that the links they see on a website or have received in their mail or newsletter are legitimate U.S. Government websites. Spammers have created these shortened URLs through a loophole in the URL shortening service provided by bit.ly. USA.gov and bit.ly have collaborated, enabling anyone to shorten a .gov or .mil URL into a 'trustworthy' 1.usa.gov URL. Further, according to an explanation provided by HowTo.gov, creating these usa.gov short URLs does not require a login." Which might not be a big deal, except that the service lets through URLs with embedded redirects, and it is to these redirected addresses that scammers are luring their victims.

75 comments

  1. They want all your money... by bradley13 · · Score: 5, Funny
    --
    Enjoy life! This is not a dress rehearsal.
    1. Re:They want all your money... by Anonymous Coward · · Score: 0

      Yet another roman_mir sockpuppet?

  2. Well... by Anonymous Coward · · Score: 0

    You can always trick the user with a .gov hyperlink to some other tld of course.

  3. 2*WTF by Anonymous Coward · · Score: 5, Interesting

    Isn't the major WTF in the second stage of the "attack", a .gov site that will happily redirect to _any_ site fed to its (link) script? Obviously the .gov shortening will help in the "attack" on people that do not click everything they see.

    1. Re:2*WTF by rjr162 · · Score: 5, Informative

      That was exactly my thought. The URL shortener may be a f'up having it open like that, but the bigger f'up is the fact the site in the second link allows any address.
      For example:

      Http://labor.vermont.gov/LinkClick.aspx?link=http://www.slashdot.org

      To me that's the bigger f'up

    2. Re:2*WTF by Anonymous Coward · · Score: 1

      Don't act so shocked. There are redirection URLs out the wazoo. Even CNN had a story about them.

    3. Re:2*WTF by hymie! · · Score: 1

      I'm not sure I'd call it a "f'up" ... imagine if it were your job to maintain a complete authoritative list of every external web site that labor.vermont.gov links to.

      It's certainly becoming a problem; I'm just saying that "A page that redirects wherever it needs to redirect to" was probably the goal, not the side-effect.

    4. Re:2*WTF by dingen · · Score: 4, Insightful

      A script called "LinkClick.aspx" which takes a url as argument and forwards the browser to that address. Seriously, what the hell? Do these people know ANYTHING about how the web works? I can't even begin to describe what a load of nonsense such a script is to begin with. How about, oh I don't know, an actual link? Or an HTTP redirect?

      Why the hell was "LinkClick.aspx" even created to begin with? Let alone why it's publicly available and accepts any url. This is so wrong, my head is about to explode.

      --
      Pretty good is actually pretty bad.
    5. Re:2*WTF by dingen · · Score: 4, Insightful

      If it was my job to produce a list of all links, I would scan the site for all links. How about that?

      I really can't believe people who come up with stuff like this... I mean, a script with the ability to redirect to anything a user inputs, that just doesn't make any sense whatsoever.

      --
      Pretty good is actually pretty bad.
    6. Re:2*WTF by Anonymous Coward · · Score: 0

      You're way out of your depth.

    7. Re:2*WTF by Afty0r · · Score: 5, Informative

      It will be for tracking purposes, so that the site owners know who has clicked on which external links, and from which pages on their site.

      I'm not saying it's a marvel of engineering, but it's a common request from marketers.

    8. Re:2*WTF by Anonymous Coward · · Score: 2, Interesting

      I would guess that LinkClick.aspx was created to track outbound links from the site.
      That way they can easily create statistics on what links people click on.

      It is a lazy way to do it to avoid having to keep track of which links you want to track.
      Everyone does it, even google search. Although some are doing it in a good way and keep track of what they allow to redirect, not just allow anything.

    9. Re:2*WTF by thePowerOfGrayskull · · Score: 1

      It was probably created for tracking purposes, the same way that clicking on an unmodified Google search result also takes you to a redirect url.

    10. Re:2*WTF by hymie! · · Score: 1

      It's usually for either tracking, or for displaying a disclaimer "You are about to leave our web site. Nothing you see is under our control. Do you wish to continue?"

    11. Re:2*WTF by dingen · · Score: 1

      The reason Google does this, is because they check if the website is listed as fraudulent and display a warning if that is the case. But on your own website, you don't have to implement such functionality as you probably have a lot of control over what you link to in the first place.

      I get the wish to track outbound links, but seriously, this is not the way to do it.

      --
      Pretty good is actually pretty bad.
    12. Re:2*WTF by dingen · · Score: 1

      Websites seriously implement such a warning? Wow... I'm truly amazed by the craziness of this entire thread.

      --
      Pretty good is actually pretty bad.
    13. Re:2*WTF by deniable · · Score: 1

      Don't forget opening a new window. There are still sites that hate the back button.

    14. Re:2*WTF by hymie! · · Score: 3, Interesting

      Websites seriously implement such a warning?

      Yes. Go to the IRS web site http://www.irs.gov . At the bottom right, where it says "Visit Other Sites", click on "U. S. Treasury" (which, by the way, is the parent organization of the IRS).

    15. Re:2*WTF by Anonymous Coward · · Score: 1

      Google could add redirection only to links which are suspected to lead to fraudulent sites, but they add redirection to all links. They do it for the same reason everybody else does it: To track what you clicked.

    16. Re:2*WTF by dingen · · Score: 2

      That really is quite ridiculous. But at least they don't allow just any url in their redirection script, I guess that's something...

      --
      Pretty good is actually pretty bad.
    17. Re:2*WTF by fatphil · · Score: 2

      For me, when I click on a link to a youtube video from within a comment on a youtube video, youtube warns me that I'm about to leave youtube, and be redirected to youtube, asking me if I really want to do that.

      --
      Also FatPhil on SoylentNews, id 863
    18. Re:2*WTF by fatphil · · Score: 1

      Google for ``inurl:.gov?LinkClick.aspx?link=''

      About 53,400 results

      Good luck blacklisting all of them, USA.gov...

      USA.gov should have its right to operate a website revoked, it's at least as culpable as any of the idiots who implement the link-following on their .gov site, as it presumes there are no idiots with .gov domains.

      --
      Also FatPhil on SoylentNews, id 863
    19. Re:2*WTF by Ol+Biscuitbarrel · · Score: 1

      You should make a YouTube video about that. I bet it will get lots of comments.

      Remember that lame late 70s/early 80s video technique where you'd point a camcorder into a TV monitor and get the endless recursion effect? Hey, it'd be more interesting than that YT vid that takes 571 hours to watch.

    20. Re:2*WTF by fatphil · · Score: 1

      Actually a fair chunk of those hits are not troublesome ones as google's not very good at working out what I was searching for. However, there are plenty of link= redirects all over the whole gamut of .gov domains. I haven't found any .mil use of the redirect yet, but I'm sure some exist.

      --
      Also FatPhil on SoylentNews, id 863
    21. Re:2*WTF by similar_name · · Score: 2

      Google search results are all redirects.

      Google or Slashdot? If you try to alter it I believe Google gives you a redirect warning. But as long as you can find your site through Google you can create a link that looks like it goes to Google but goes wherever you want.

    22. Re:2*WTF by Impy+the+Impiuos+Imp · · Score: 0

      I can't believe people are this ballsy. I suppose it shows how far behind the curve the government is.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    23. Re:2*WTF by bhcompy · · Score: 1

      Most link aggregators I know of use the same technique

    24. Re:2*WTF by flonker · · Score: 1

      I agree, however, 1.usa.gov can mitigate this attack by checking each link for a redirect before accepting it into their database.

    25. Re:2*WTF by Anonymous Coward · · Score: 0

      Don't open government site URLs unless deliberately typed in. Don't open URL shorteners. Problem solved.

    26. Re:2*WTF by mysidia · · Score: 1

      Http://labor.vermont.gov/LinkClick.aspx?link=http://www.slashdot.org
      To me that's the bigger f'up

      Why is that?

      Suppose you want an efficient way of tracking which external links visitors of your site are clicking on. A script such as LinkClick.aspx is a reasonable way of achieving that.

      Limiting LinkClick.aspx to a specific list of URLs adds extra unnecessary maintenance work, and it's really not an issue to allow you to redirect yourself to any site.

      Assuming there's no f'up such as 1.usa.gov allowing any .gov link.

      The GOV TLD is not, and never was, a TLD you can see in a URL and be certain that you are visiting a trusted website.

      The .GOV TLD is not some walled garden that is isolated from the internet, that is secured perfectly and magically immune from containing security vulnerabilities, malicious content, defacements, infections, etc.

    27. Re:2*WTF by Delusionner · · Score: 2

      The usual way to implement that sort of tracking is by having a list of sensible URLs to track in the database and redirecting *only* those.
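
An added example, not code from any commenter or from the sites discussed: a Python sketch of the two checks suggested in this thread, the allowlist on the redirect script (Delusionner) and a check at the shortener before a link is accepted (flonker). The function names and the allowlist are assumptions, and the shortener check here is a static inspection of the query string, not a fetch of the link.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed allowlist: the external hosts a site has deliberately chosen to link to.
ALLOWED_HOSTS = {"www.usa.gov", "www.irs.gov"}


def _host(parts):
    """Lower-cased host name without a trailing dot ('' if absent)."""
    return (parts.hostname or "").lower().rstrip(".")


def safe_redirect_target(link, allowed_hosts=ALLOWED_HOSTS):
    """Redirector side: return `link` if it may be followed, else None."""
    # Whitespace, control characters and backslashes are parsed differently
    # by browsers and libraries, so refuse them outright.
    if not link or any(c <= " " or c == "\\" for c in link):
        return None
    try:
        parts = urlsplit(link)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https"):
        return None  # rejects javascript:, data: and scheme-relative //host
    if parts.username is not None or parts.password is not None:
        return None  # rejects https://www.irs.gov@other.example/
    return link if _host(parts) in allowed_hosts else None


def embedded_redirect_hosts(url):
    """Shortener side: (parameter, host) pairs for query values that are
    absolute or scheme-relative URLs pointing at a host other than url's own.
    Static check only: a redirect keyed by a server-side id is not visible here."""
    parts = urlsplit(url)
    found = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = value.strip()
        try:
            inner = urlsplit(value)
        except ValueError:
            found.append((name, "<unparseable>"))  # fail closed
            continue
        if inner.scheme in ("http", "https") or value.startswith("//"):
            host = _host(inner)
            if host and host != _host(parts):
                found.append((name, host))
    return found


def accept_for_shortening(url):
    """Accept only .gov/.mil URLs that carry no embedded off-host URL."""
    try:
        host = _host(urlsplit(url))
        if not host.endswith((".gov", ".mil")):
            return False
        return not embedded_redirect_hosts(url)
    except ValueError:
        return False


if __name__ == "__main__":
    # URL quoted earlier in this thread, used here as sample input.
    sample = "http://labor.vermont.gov/LinkClick.aspx?link=http://www.slashdot.org"
    print(embedded_redirect_hosts(sample))
    print(accept_for_shortening(sample))
    print(safe_redirect_target("http://www.slashdot.org"))
```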

    28. Re:2*WTF by Anonymous Coward · · Score: 0

      Scarier than that is that it's coming from the query string. If they're dumb enough to allow redirects to any value in GET's link variable, they probably didn't filter or escape that variable. I bet there's a good chance you could run executable code from that query string.

    29. Re:2*WTF by Anonymous Coward · · Score: 0

      There are better, much much much more secure and far less egregiously stupid ways to do that. Egregiously stupid is what gov does best though.

  4. What else would you expect? by deniable · · Score: 0

    It's obviously a Libyan plot.

  5. Impersonating a Government Agency... by Tempest451 · · Score: 1

    ...will get you real federal prison time. http://www.law.cornell.edu/uscode/text/18/912

    1. Re:Impersonating a Government Agency... by Anonymous Coward · · Score: 1

      dude, maybe for fucking ONCE the FBI will have something on their to do list that has some social value. cross your fingers noobz, some fucking spammers gonna go to PMITA prison.

    2. Re:Impersonating a Government Agency... by jythie · · Score: 1

      Spamming is too profitable, and thus going after it would 'hurt the economy'.

  6. Maybe it's just me... by dingen · · Score: 4, Insightful

    ... but a url which starts with "1.usa.gov" doesn't strike me as particularly trustworthy.

    --
    Pretty good is actually pretty bad.
    1. Re:Maybe it's just me... by MightyYar · · Score: 2

      But the government does its job so competently everywhere else!

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:Maybe it's just me... by Ol+Biscuitbarrel · · Score: 2

      Try whitehouse.com. Not much going on there these days either.

    3. Re:Maybe it's just me... by Nyder · · Score: 1

      ... but a url which starts with "1.usa.gov" doesn't strike me as particularly trustworthy.

      I just don't trust anything from the government, so I'm safe.

      Plus, the gov doesn't have my email address unless it's been harvesting them.

      --
      Be seeing you...
    4. Re:Maybe it's just me... by bill_mcgonigle · · Score: 2

      True, but something like 'FedWorld' sounds like an obvious scam too. The thing is, obvious scams are obvious because it's easy to detect the incompetence, but then you try to apply that to government, and all bets are off.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:Maybe it's just me... by Anonymous Coward · · Score: 0

      If slashdot has your e-mail, the government has your email. The government can ask and it'd probably be answered. Otherwise, they can demand slashdot give them any information they want. Trying to hide information from government which you give away to companies in your country is a silly effort.

  7. Happened before by boulat · · Score: 0, Flamebait

    Obama has been spamming for donations from @whitehouse.gov for years!

    1. Re:Happened before by boulat · · Score: 0

      How is this a 'Flamebait'? Get a sense of humor you Nazis

    2. Re:Happened before by Anonymous Coward · · Score: 0

      It's flamebait because you made fun of their stupid religion and their more stupid messiah.

  8. Why the hell was "LinkClick.aspx" created? by Anonymous Coward · · Score: 1

    It tracks the links that a user clicks on:

    When you browse any web site, one log file entry is created for every page you visit --- with the information where you came from. When you follow a link from one web site "A.gov" to another web site "B.com", then this data would be stored in the log file of "B.com" --- but not in the log files of "A.gov".

    By jumping through the LinkClick.aspx script, the site "A.gov" catches this information (where do our visitors go to?) in their log files.

  9. Oh wow, now it makes sense by Anonymous Coward · · Score: 2, Interesting

    I've been getting spams from IRS.gov. First the content doesn't apply to me, and they are grammatically incorrect. But I can see somebody being fooled. The URL is .irs.gov/get action.aspx. Seeing IRS.gov makes it seem real. Knowing better stops me from clicking the link (but I want to, just to see what it does).

    I thought it might be a SQL injection hack. Great, now there are more .gov attacks, built by the govt.

    What will they think of next?

  10. Who in the FedGov is using Bit.ly? by Quinn_Inuit · · Score: 1

    This seems like a terrible idea. I wouldn't touch Bit.ly for something official at work now that go.usa.gov is live. That requires a federal gov't e-mail address as a login, and people abusing the system can be stopped at the account level.

    Admittedly, before go.usa.gov went live I needed to use a shortening service on occasion, but I always used tinyurl preview links when that came up. I figured that it was the least I could do to improve transparency for users.

    --
    Stop learning! Only you can prevent esoterrorism.
  11. The Simple Answer by Anonymous Coward · · Score: 2, Funny

    Everyone is responsible for knowing where they are clicking through to. Nobody bothers to check the actual target URL. A simple answer is:
    1. Turn on the status bar at the bottom of the browser window. [usually View/Toolbars/Status Bar (checkbox)]
    2. Each URL pointed to will show the actual target in the status bar.
    3. Make sure that's really where you want to go, and DON'T click if you don't recognise the URL shown there.

    1. Re:The Simple Answer by pod · · Score: 1

      I like how this is modded funny, because overriding the status bar is something even Google does with its search results to hide that every link is actually a redirect.

      --
      "Hot lesbian witches! It's fucking genius!"
  12. there really is a lusa dot gov domain? by Anonymous Coward · · Score: 0

    nuf said

  13. SecureWorks already reported on this last week by Anonymous Coward · · Score: 0

    Old news is old.

    SecureWorks already reported on this last week:

    http://www.secureworks.com/cyber-threat-intelligence/blog/spam/government-websites-abused-ongoing-spam-campaign/

    Just like their AV protection, Symantec is a week late :)

  14. disclaimers by SuperBanana · · Score: 1

    They're not so much used for tracking as popping up "you are now leaving our site, we're not responsible for this content" advisories. I have yet to see a US government agency website that doesn't do this - and they're virtually the only ones who do.

    1. Re:disclaimers by Anonymous Coward · · Score: 0

      You would have seen one if you had tried out the URL rjr162 posted. It redirects to slashdot without showing an advisory.

    2. Re:disclaimers by bhcompy · · Score: 1

      Some bulletin board/message board softwares have the option as well.

  15. URL shorteners should be dismissed as spam by DarkOx · · Score: 1

    There is no reason an e-mail needs to contain an obfuscated link. It's either a bound through some marketing tracking crap (therefore is spam) or it might be malicious. The best way to approach this is just start dropping mails that contain links with the URL of any known shorteners.

    It won't take long for legitimate and semi-legitimate senders to realize they just can't use such links because it means their messages don't get past recipient spam filters. Honestly from a security standpoint I can't see why it should ever be considered okay to follow an obfuscated link in an otherwise unauthenticated and untrusted document like an E-mail. We spend years trying to teach people not to click links in mails without checking they point where the display text says they do first and stupid bit.ly came along and made that impossible for most users.

    Now maybe if the message is signed and the spam gateway can verify the signature belongs to someone or some entity on the white list fine, but otherwise discard. As network and mail admins I think we owe it to our users to take a hard line against this practice.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    1. Re:URL shorteners should be dismissed as spam by jackbird · · Score: 1

      If you need to email people that can't handle linebreaks that break long links on the receiving end, URL shorteners are a godsend.

    2. Re:URL shorteners should be dismissed as spam by Anonymous Coward · · Score: 0

      No, URL shorteners are stupidity enablers. You need to kick those people's asses until they get some software written some time in the last decade.

  16. Government IT... by nighthawk243 · · Score: 1

    Government IT of any kind is mostly inept. I used to work on government systems and holy hell were they buggy and prone to downtime.

  17. bitly doesn't care how their service is used... by Anonymous Coward · · Score: 0

    I've complained to bitly several times about spam bots on twitter abusing his services. He told me to fuck off.

  18. no, it's a f'up by Anonymous Coward · · Score: 0

    If you want to link to an external site, JUST DO IT.

    Does somebody not know how to make a normal link? That whole LinkClick.aspx thing is useless at best, but likely an unwelcome way to spy on users. (allowing labor.vermont.gov to know you followed the link... but why do they deserve to know?)

    1. Re:no, it's a f'up by PTBarnum · · Score: 1

      So they can tell if the link is doing any good or not. If nobody clicks on a link, it is a waste and can be replaced by a more useful link or simply removed to make the page simpler.

  19. There are better ways than LinkClick.aspx by billyswong · · Score: 1

    For those who said such an implementation has its legitimate use:

    It is stupid. Period.

    Write a simple "onclick" javascript, and the webpage can ping back all external links to its own server for whatever statistics purpose. Using redirect links for statistical purpose is NEVER necessary.

    Also, waiting for those slow servers to respond and redirect their redirection link is annoying. Just give me the site I am going to anyway please!

  20. Reply from Bitly by Anonymous Coward · · Score: 0

    Thanks for getting in touch. We take spam issues very seriously and are constantly working to make spammers' lives miserable. We have blocked this open redirect (and others!) to prevent this from occurring again.

    If you ever come across a bitly link being used maliciously, just get in touch via support.bitly.com and we'll take care of it!

    Also! Let me know any specific questions you may have!
    Kristine
    @bitly

  21. To whoever downmodded my post by Anonymous Coward · · Score: 0

    Disprove any of its points instead of "hit & run downmodding" it -> http://yro.slashdot.org/comments.pl?sid=3199555&cid=41724117

    APK

    P.S.=> After all - When "the BEST YOU'VE GOT" = unjustifiable downmods? You've got nothing, & since those of you that do that *think* it "hides it"?? Wake up - there's MORE people browsing here @ below the default than there is at the bogus default settings on this forums... So, in other words, face it: YOU FAIL, trolls!

    ... apk

    1. Re:To whoever downmodded my post by Anonymous Coward · · Score: 0

      I just use CleanMyPC. Seems a lot simpler than mucking around with hosts files.

  22. "To each his own" but... by Anonymous Coward · · Score: 0

    See subject-line above - 110++ slashdot users feel otherwise:

    ---

    70++ SLASHDOT USERS EXPERIENCING SUCCESS USING HOSTS FILES QUOTED VERBATIM:

    ---

    "I want my surfing speed back so I block EVERY fucking ad. i.e. http://someonewhocares.org/hosts/ and http://winhelp2002.mvps.org/hosts.htm FTW" - by UnknownSoldier (67820) on Tuesday December 13, @12:04PM (#38356782)

    "this is not a troll, which hosts file source you recommend nowadays? it's a really handy method for speeding up web and it works." - by gl4ss (559668) on Thursday March 22, @08:07PM (#39446525)

    "I use a custom /etc/hosts to block ads... my file gets parsed basically instantly ... So basically, for any modern computer, it has zero visible impact. And even if it took, say, a second to parse, that would be more than offset by the MANY seconds saved by not downloading and rendering ads. I have noticed NO ill effects from running a custom /etc/hosts file for the last several years. And as a matter of fact I DO run http servers on my computers and I've never had an /etc/hosts-related problem... it FUCKING WORKS and makes my life better overall." - by sootman (158191) on Monday July 13 2009, @11:47AM (#28677363)

    "I actually went and downloaded a 16k line hosts file and started using that after seeing that post, you know just for trying it out. some sites load up faster." - by gl4ss (559668) on Thursday November 17, @11:20AM (#38086752)

    "Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)

    "Better than an ad blocker, imo. Hosts file entries: http://www.mvps.org/winhelp2002/hosts.htm " - by TempestRose (1187397) on Tuesday March 15, @12:53PM (#35493274)

    "^^ One of the many reasons why I like the user-friendliness of the /etc/hosts file." - by lennier1 (264730) on Saturday March 05, @09:26PM (#35393448)

    "They've been on my HOSTS block for years" - by ScottCooperDotNet (929575) on Thursday August 05 2010, @01:52AM (#33147212)

    "I'm currently only using my hosts file to block pheedo ads from showing up in my RSS feeds and causing them to take forever to load. Regardless of its original intent, it's still a valid tool, when used judiciously." - by Bill Dog (726542) on Monday April 25, @02:16AM (#35927050)

    "you're right about hosts files" - by drinkypoo (153816) on Thursday May 26, @01:21PM (#36252958)

    "APK's monolithic hosts file is looking pretty good at the moment." - by Culture20 (968837) on Thursday November 17, @10:08AM (#38085666)

    "I also use the MVPS ad blocking hosts file." - by Rick17JJ (744063) on Wednesday January 19, @03:04PM (#34931482)

    "I use ad-Block and a hostfile" - by Ol Olsoc (1175323) on Tuesday March 01, @10:11AM (#35346902)

    "I do use Hosts, for a couple fake domains I use." - by icebraining (1313345) on Saturday December 11, @09:34AM (#34523012)

    "It's a good write up on something everybody should use, why you were modded down is beyond me. Using a HOSTS file, ADblock is of no concern and they can do what they want." - by Trax3001BBS (2368736) on Monday December 12, @10:07PM (#38351398)

    "Let me introduce you to the file: /etc/hosts" -

  23. So, I want to know... by htomc42 · · Score: 1

    when the world is going to say "enough is enough" with these vermin, and drop them in some sort of Escape From NY type of gulag.

    The world has enough problems facing it without these walking human cancers wreaking financial and technological destruction in their path.

    Oh, I forgot all of our prison spaces are full of people enjoying natural herbs, silly, me, I forgot about such high-priority things like that.

  24. I have one of these scripts on my web site. by Sanians · · Score: 1

    I have one of these scripts on my web site. It isn't there to track if people click the links. It's to allow me to link to shady web sites without Google knowing that I'm linking to shady web sites and penalizing me for doing so. (They are useful for discussion sometimes.) The script itself is blocked by robots.txt, and so Google never sees that there's a redirect that points to the web site since it never makes a request to the script, whereas simply using a nofollow tag would still allow Google to know about the link's existence, even if it doesn't follow the link.