Spam spam spam through USA.gov's URL shortener
Spammers managed to add a gloss of federal credibility to their websites by recycling the open redirect vulnerabilities of state and local websites through the USA.gov URL shortener, a Symantec analyst found.
USA.gov has offered a URL shortening service through bitly.com for government domain websites--those that end in .mil and .gov, for example. The shortened URL includes "1.usa.gov" in its address, giving shortened URLs a veneer of federal credibility.
The tool, which howto.gov says is available to anyone via the bitly.com website or through tools such as TweetDeck that integrate with bitly, doesn't filter the URLs it shortens. That has let spammers who found state and local websites with an open redirect vulnerability shorten links to their work-at-home spam webpages with the tool, Symantec Senior Analyst Eric Park reports in a blog post.
An open redirect vulnerability occurs when a web server doesn't validate the destination parameter of a redirect, so anyone can craft a link on a legitimate domain that forwards visitors to a site of the attacker's choosing.
For example, Park found that spammers were able to redirect a labor.vermont.gov webpage to a workforprofit.net page, creating a "labor.vermont.gov/LinkClick.aspx?link=http://workforprofit.net/[REMOVED]/?wwvxo" URL. By recycling that URL through the USA.gov shortener, they hid all traces of spamming in the URL text.
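The fix on the web-server side is to validate the redirect parameter before honouring it. As an added example (not code from the article, Symantec, or any .gov site; the allow-listed hostnames are assumed), the check below is what a handler in the style of the LinkClick.aspx page above could apply to its link parameter, rejecting external hosts and the usual parser tricks:

```python
from urllib.parse import urlsplit

# Hosts that the redirect handler is allowed to send visitors to (assumed values).
ALLOWED_HOSTS = {"labor.vermont.gov", "www.labor.vermont.gov"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` stays on an allow-listed host over http(s).

    Rejects absolute URLs to other hosts, scheme-relative '//host' forms,
    non-http schemes such as javascript:, 'user@host' confusion, and
    backslashes that browsers normalise into a host change.
    """
    if not target:
        return False
    cleaned = target.strip()
    # Browsers treat '\' like '/' in URLs; normalise so '/\evil.net' is caught.
    cleaned = cleaned.replace("\\", "/")
    parts = urlsplit(cleaned)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return False
        # .hostname drops any 'user:pass@' prefix, so 'good.gov@evil.net' resolves to evil.net.
        return parts.hostname is not None and parts.hostname.lower() in allowed_hosts
    # No scheme but a netloc means '//evil.net/...': an external redirect.
    if parts.netloc:
        return False
    # Accept only site-relative paths starting with a single '/'.
    return cleaned.startswith("/") and not cleaned.startswith("//")


def vulnerable_redirect_target(link: str) -> str:
    """The pattern described in the article: the parameter is used as the redirect target as-is."""
    return link


def hardened_redirect_target(link: str, fallback: str = "/") -> str:
    """Redirect to `link` only if it passes validation; otherwise land on a safe page."""
    return link if is_safe_redirect(link) else fallback
```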
Using data available on USA.gov, Park found that between Oct. 12 and Oct. 18, 43,049 clicks were made through 1.usa.gov shortened URLs to spam domains such as consumerbiz.net and workforprofit.net.
In a brief interview, he said the spamming activity dwindled to nearly nothing over the weekend.
- read Park's blog post on Symantec.com