• Criminals abusing gov dom

    From Mike Powell@1:2320/105 to All on Fri Jan 31 10:37:00 2025
    Criminals are abusing top-level government domains across multiple countries

    Date:
    Thu, 30 Jan 2025 16:00:00 +0000

    Description:
    The US and Brazil seem to be particularly targeted by hackers, report notes.

    FULL STORY ======================================================================
    - Cofense report finds phishing threat actors abusing top-level domains (TLDs)
    - A significant number of .gov domains are used in open redirect attacks
    - Brazil is the leader in .gov domain abuse

    Cybercriminals are exploiting legitimate government websites and domain services, particularly those under .gov top-level domains (TLDs), experts have warned.

    A report from cybersecurity experts Cofense Intelligence claims .gov domains are being used for a wide variety of nefarious purposes, from credential phishing to command and control (C2) operations.

    The paper states between November 2022 and November 2024, threat actors took advantage of vulnerabilities in .gov domains from over 20 countries.

    Credential phishing

    One of the main things the domains are used for is open redirects, which have become a key method for bypassing secure email gateways (SEGs).

    An open redirect occurs when a web application takes a user-controlled input (typically a URL parameter) and sends the browser to whatever destination it names, without checking that the destination belongs to the application itself. Using this tactic, attackers put a legitimate .gov address in the lure link, which helps it pass SEG checks, and the .gov site then forwards the unsuspecting victim to the fraudulent page.

    In the United States, .gov domains are among the most frequently exploited for these redirects, with more than 77% of attacks leveraging a specific open-redirect vulnerability tied to the "noSuchEntryRedirect" parameter. This vulnerability, identified as CVE-2024-25608, affects the Liferay portal platform, which is widely used by government organizations. Although U.S.-based .gov domains made up only 9% of all .gov domains abused, they ranked third in overall abuse volume.
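    The redirect abuse described above, as an added example that is not code from Cofense, Liferay or the article: a Python script showing the shape of the bug (a handler that emits whatever the redirect parameter says), a hardened replacement that only accepts site-local paths or allowlisted hosts, and a simple SEG-style check that flags a link whose landing host differs from the host its redirect parameter points at. The parameter name noSuchEntryRedirect is taken from the text; the other parameter names, the hosts portal.example.gov and login-example.invalid, and the lure URL are assumptions constructed for the demo.

```python
"""Open-redirect lure detection and hardened redirect validation.

Added example for this post; it is not code from Cofense, Liferay or the
article. Host names and URLs below are constructed for the demo (.invalid
and example.gov), not real abused domains.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit, parse_qs

# Query parameter names that carry a "where to send the browser next" value.
# "noSuchEntryRedirect" is the parameter named in the Liferay issue above; the
# rest are common names assumed for the demo. Portlet-namespaced names such as
# "_SomePortlet_noSuchEntryRedirect" are matched on their last "_" segment.
REDIRECT_PARAMS = {"noSuchEntryRedirect", "redirect", "url", "next", "returnUrl"}


def _normalize(value: str) -> str:
    """Parse as forgivingly as a browser would before judging a target:
    drop tab/CR/LF (browsers strip them) and treat backslash as slash
    (so '/\\evil' is seen as the scheme-relative '//evil')."""
    return "".join(c for c in value if c not in "\t\r\n").strip().replace("\\", "/")


def _target_host(value: str) -> Optional[str]:
    """Host a redirect value would send the browser to, or None for a path."""
    parts = urlsplit(_normalize(value))
    return parts.hostname  # lowercase; None when there is no authority part


def vulnerable_redirect(query: str) -> Optional[str]:
    """The 'before' shape of an open redirect: whatever the client put in the
    parameter becomes the Location header. This is the bug, kept on purpose."""
    params = parse_qs(query)
    return params.get("noSuchEntryRedirect", [None])[0]


def safe_redirect_target(value: str, own_host: str,
                         allowed_hosts: frozenset = frozenset()) -> Optional[str]:
    """Hardened version: accept a site-local absolute path, or an http(s) URL
    whose host is this site or explicitly allowlisted. Anything else is refused."""
    v = _normalize(value)
    parts = urlsplit(v)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return None                      # javascript:, data:, etc.
    host = parts.hostname
    if host is None:
        # No authority part: must be a local path, not a '//host' form.
        return v if v.startswith("/") and not v.startswith("//") else None
    if host == own_host.lower() or host in allowed_hosts:
        return v
    return None


def find_redirect_lure(url: str) -> Optional[Tuple[str, str]]:
    """SEG-style check on a link: it lands on one host but carries a redirect
    parameter that points at a different host. Returns (landing, destination)
    when that is the case, else None."""
    parts = urlsplit(url)
    landing = parts.hostname or ""
    for name, values in parse_qs(parts.query).items():
        if name.rsplit("_", 1)[-1] not in REDIRECT_PARAMS:
            continue
        for value in values:
            dest = _target_host(value)
            if dest and dest != landing:
                return landing, dest
    return None


if __name__ == "__main__":
    # Constructed lure in the shape the report describes: trusted .gov landing
    # page, redirect parameter pointing at a credential-phishing host.
    lure = ("https://portal.example.gov/web/guest/home"
            "?noSuchEntryRedirect=https%3A%2F%2Flogin-example.invalid%2Foffice365")
    q = urlsplit(lure).query
    raw = vulnerable_redirect(q)
    print("vulnerable handler -> Location:", raw)
    print("hardened handler   ->", safe_redirect_target(raw, "portal.example.gov"))
    print("SEG lure check     ->", find_redirect_lure(lure))
```

    Run it as-is to see the three results for the constructed lure. The hardened validator deliberately parses like a browser (strips tab/CR/LF, treats backslash as slash, looks at the parsed host rather than the raw string) before deciding, because those are the usual ways a naive prefix or allowlist check gets bypassed. On the detection side, flagging only "redirect parameter points at another host" keeps the check cheap but misses lures whose second hop is itself a trusted host, so treat it as a first filter rather than a verdict.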

    Credential phishing remains the most common form of abuse tied to .gov domains, the paper explains. The majority of government domains used in phishing attacks hosted up to nine different files across various campaigns. These phishing attempts often mimic legitimate services such as Microsoft, with emails designed to appear as though they are sent from trusted sources.

    The report also notes the abuse of .gov domains for credential phishing and redirection to malicious sites was seen across several countries. Brazil in particular stands out as the country whose .gov domains were abused the most, accounting for the bulk of the abuse observed. However, a small number of Brazilian domains were responsible for the majority of that abuse, suggesting the attackers focused on a handful of high-value government websites.

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/criminals-are-abusing-top-level-government-domains-across-multiple-countries

    $$
    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)