Threat Actors Exploit Government Websites for Phishing
Summary:
One of the most common methods cybercriminals use involves exploiting open redirects: a vulnerability in which a website forwards users to a destination taken from the URL without properly validating it, letting attackers craft links on a legitimate site that land on malicious destinations. Cofense found that multiple .gov domains were primarily used for credential phishing, with some hosting as many as nine different phishing campaigns simultaneously. A broader set of government domains served as open redirects to bypass secure email gateways (SEGs), which filter out malicious links and emails. Many victims clicked on seemingly legitimate .gov URLs, unaware that they would be forwarded to phishing sites designed to steal credentials.
A particularly concerning finding was that nearly 60% of abused .gov domains contained the “noSuchEntryRedirect” element in their URL paths, a telltale sign of a vulnerability in the Liferay digital experience platform (CVE-2024-25608), commonly used by government entities worldwide. This vulnerability allows attackers to manipulate URL parameters and redirect users to phishing pages or malware-laden sites without triggering security alerts.
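The open-redirect pattern described above, as an added example that is not code from the Cofense report or from Liferay: a handler that trusts the redirect parameter as given, beside a validator that only allows same-site paths or an allowlisted host. The parameter name, the hostnames and the allowlist are assumptions.

```python
"""Open redirect: the weak pattern beside a hardened validator (added example,
not code from the Cofense report or from Liferay; parameter name, hostnames
and allowlist are assumptions)."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"portal.example.gov"}  # constructed allowlist of the site's own hostnames


def unsafe_redirect_target(redirect_param: str) -> str:
    """Weak form: the user goes wherever the query parameter says, so a link on
    the trusted site becomes a hop to any page the link author chose."""
    return redirect_param


def is_safe_redirect(target: str, allowed_hosts: set[str] = ALLOWED_HOSTS) -> bool:
    """True only if `target` is a same-site path or an http(s) URL on an allowed host.

    Covers the usual validation gaps: scheme-relative "//host", backslashes
    (browsers treat "\\" as "/"), embedded tab/newline characters, userinfo
    tricks ("https://trusted@other"), and non-http schemes."""
    cleaned = "".join(ch for ch in target.strip() if ch not in "\t\r\n")
    cleaned = cleaned.replace("\\", "/")
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return False  # malformed netloc, e.g. unbalanced IPv6 brackets
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, or a bare host mistaken for a scheme
    if parts.scheme and not parts.netloc:
        return False  # "https:host" and "http:///host" resolve to absolute URLs in browsers
    if not parts.netloc:
        # Relative target: must be a single-slash path on this site.
        return cleaned.startswith("/") and not cleaned.startswith("//")
    host = (parts.hostname or "").lower()  # hostname drops userinfo and port
    return host in allowed_hosts


def safe_redirect_target(redirect_param: str, fallback: str = "/") -> str:
    """Hardened form: fall back to the site root when validation fails."""
    return redirect_param if is_safe_redirect(redirect_param) else fallback
```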
Security Officer Comments:
Although US-based .gov domains accounted for only 9% of the total compromised domains, they ranked as the third most targeted globally. Every identified case involving US government sites leveraged open redirects, with 77% of them featuring the “noSuchEntryRedirect” vulnerability. Phishing campaigns using compromised US government domains primarily impersonated Microsoft services, often tricking victims into signing fake agreements that led to credential theft. These emails successfully evaded detection by major SEGs, increasing the risk of widespread compromise.
The research identified government domains in over 20 countries that were targeted by phishing campaigns. The top seven most affected nations accounted for 75% of the abuse, with Brazil leading the list, followed by Colombia and the US. Notably, in Brazil, a small number of specific government domains were repeatedly exploited, suggesting that attackers were focusing on a few vulnerable sites rather than conducting broad attacks across all government domains. This targeted approach highlights how cybercriminals strategically select government websites to maximize their phishing success rates.
Rather than randomly targeting government sites, attackers appear to design phishing campaigns first and then actively search for trusted government domains to integrate into their strategies. This deliberate methodology increases the likelihood of users falling for phishing attempts, as government websites are perceived as safe and legitimate sources of information.
Suggested Corrections:
- Government agencies should implement stricter validation processes to prevent open redirects
- Organizations must regularly update and patch software vulnerabilities such as CVE-2024-25608
- Organizations and individuals should increase awareness and training to help mitigate risks associated with phishing campaigns
IOCs:
https://cofense.com/blog/threat-act...ebsite-vulnerabilities-for-phishing-campaigns
https://www.infosecurity-magazine.com/news/threat-actors-exploit-gov-websites/