- Cofense report finds phishing threat actors abusing top-level domains (TLDs)
- A significant number of .gov domains are used in open redirect attacks
- Brazil is the leader in .gov domain abuse
Cybercriminals are exploiting legitimate government websites and domain services, particularly those with .gov top-level domains (TLD), experts have warned.
A report from cybersecurity experts Cofense Intelligence claims TLDs are being used for a wide variety of nefarious purposes, from credential phishing to command & control (C2) operations.
The paper states between November 2022 and November 2024, threat actors took advantage of vulnerabilities in .gov domains from over 20 countries.
Credential phishing
One of the things the domains are used for is open redirects, which became a key method for bypassing secure email gateways (SEGs).
Open redirects occur when a web application unintentionally allows a user-controlled input to direct traffic to an external site, which threat actors can manipulate. Using this tactic, attackers can redirect unsuspecting victims from legitimate .gov websites to fraudulent pages.
In the United States, .gov domains are among the most frequently exploited for these redirects, with more than 77% of attacks leveraging a specific vulnerability tied to the “noSuchEntryRedirect” parameter. This vulnerability, identified as CVE-2024-25608, impacts platforms like Liferay, widely used by governmental organizations. Although U.S.-based .gov domains made up only 9% of all .gov domains abused, they ranked third in overall usage.
Credential phishing remains the most common form of abuse tied to .gov domains, the paper explains. The majority of government domains used in phishing attacks hosted up to nine different files across various campaigns. These phishing attempts often mimic legitimate services such as Microsoft, with emails designed to appear as though they are sent from trusted sources.
The report also notes the abuse of .gov domains for credential phishing and redirection to malicious sites was seen across several countries. Brazil, in particular, stands out as the most targeted country, accounting for the bulk of abuse in .gov domains. However, a small number of domains within Brazil were responsible for the majority of these abuses, hinting that the attackers were focused on a handful of important government websites.
Leave a comment