Spam spam spam through USA.gov's URL shortener

Spammers managed to add a gloss of federal credibility to their websites by recycling the open redirect vulnerabilities of state and local websites through the USA.gov URL shortener, a Symantec analyst found.

USA.gov has offered a URL shortening service through bitly.com for government domain websites--those that end in .mil and .gov, for example. The shortened URL includes "1.usa.gov" in its address, giving shortened URLs a veneer of federal credibility.

The tool, which howto.gov says is available to anyone via the bitly.com website or through tools such as TweetDeck that integrate with bitly, doesn't apply a filter to the URLs it shortens. As a result, spammers who found state and local websites with an open redirect vulnerability have been able to shorten links to their work-at-home spam webpages with the tool, reports Symantec Senior Analyst Eric Park in a blog post.

An open redirect vulnerability occurs when a web server doesn't validate the destination passed to it in a redirect parameter--allowing anyone to build a link on top of a legitimate URL that sends visitors to a site of their own choosing.

For example, Park found that spammers were able to redirect a labor.vermont.gov webpage to a workforprofit.net page, creating a "labor.vermont.gov/LinkClick.aspx?link=http://workforprofit.net/[REMOVED]/?wwvxo" URL. By recycling that URL through the USA.gov shortener, they hid all traces of spamming in the URL text.
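The kind of filter the shortener lacked can be sketched as follows. This is an added example, not code from USA.gov, bitly or Symantec: it rejects a submitted URL when any query parameter carries an absolute or scheme-relative URL that points off government domains. The function names are hypothetical, and the suffix list is taken from the article's ".mil and .gov, for example" wording.

```python
from urllib.parse import urlsplit, parse_qsl

# Suffixes the article names for the shortener ("for example", so not exhaustive).
GOV_SUFFIXES = (".gov", ".mil")

# The article's example, with an http:// scheme added so it parses as a URL.
SPAM_EXAMPLE = ("http://labor.vermont.gov/LinkClick.aspx"
                "?link=http://workforprofit.net/[REMOVED]/?wwvxo")


def is_government_host(host):
    """True if host ends in an allowed suffix (hypothetical helper)."""
    return (host or "").lower().rstrip(".").endswith(GOV_SUFFIXES)


def embedded_targets(url):
    """Hosts of absolute or scheme-relative URLs carried in query parameters."""
    hosts = []
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # Browsers treat "\" like "/", so "/\host" is also scheme-relative.
        candidate = value.strip().replace("\\", "/")
        if candidate.startswith("//"):
            candidate = "http:" + candidate
        try:
            parts = urlsplit(candidate)
        except ValueError:
            hosts.append("")  # unparseable target: treat as off-domain
            continue
        if parts.scheme.lower() in ("http", "https") and parts.hostname:
            hosts.append(parts.hostname.lower())
    return hosts


def shortener_should_accept(url):
    """Accept only government URLs whose embedded redirect targets are too."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if not is_government_host(parts.hostname):
        return False
    return all(is_government_host(h) for h in embedded_targets(url))
```

A parameter check like this misses targets that are encoded or looked up by ID on the redirecting site, so the durable fix remains for each site to validate its own redirect destination.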

Using data available on USA.gov, Park found that between Oct. 12 and Oct. 18, 43,049 clicks were made through 1.usa.gov shortened URLs to spam domains such as consumerbiz.net and workforprofit.net.

In a brief interview, he said the spamming activity dwindled to nearly nothing over the weekend.

For more:
- read Park's blog post on Symantec.com
