Open redirects persist on government sites
Spammers are taking advantage of misconfigured dot-gov domains and link shorteners to redirect visitors to other sites.
When sites use open redirects (web applications that accept a user-supplied link and forward the visitor on to that external site), a spammer can insert any URL and send the visitor to a malicious site, simplifying phishing attacks.
According to a recent Krebs on Security blog post, some government sites are using open redirects. South Dakota’s site, Krebs said, uses this open redirect, http://dss.sd.gov/scripts/programredirect.asp?url= , which allows spammers to send the visitor from the government site on to any other webpage.
If such an open redirect URL on a .gov or .mil site is then shortened through bit.ly, the service the government uses to automatically create a usa.gov URL, the redirection is hidden even further: a government site's open redirect, pointing anywhere, can end up looking something like http://1.usa.gov/12345.
Krebs said the open redirect vulnerability is widely acknowledged and that Symantec reported that about 15 percent of all 1.usa.gov URLs during a week in October 2012 were used to promote spam messages.
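As an added illustration, not code from the article or from the South Dakota site, the following Python shows the two defender-side pieces of this problem: a redirect handler that only forwards to site-local paths or an allowlisted host (the allowlist and the fallback path are assumptions), and a check over constructed access-log lines that flags requests to the redirect script whose url= parameter points off-site.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hostname taken from the article; treating it as the only allowed host is an assumption.
ALLOWED_HOSTS = {"dss.sd.gov"}

def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only if target is a site-local path or an absolute URL to an allowed host."""
    if not target or any(ord(c) < 0x21 for c in target) or "\\" in target:
        return False                    # empty, control chars/whitespace, or backslash tricks
    parts = urlsplit(target)
    if parts.scheme:                    # absolute URL: scheme and host must both pass
        host = parts.hostname or ""     # hostname strips userinfo ("host@evil") and port
        return parts.scheme in ("http", "https") and host in allowed_hosts
    if parts.netloc:                    # scheme-relative "//evil.example" inherits https://
        return False
    return target.startswith("/") and not target.startswith("//")

def redirect_location(url_param, fallback="/"):
    """Value for the Location header: the requested target if safe, else the fallback."""
    return url_param if is_safe_redirect(url_param) else fallback

# Detection side: flag redirect requests whose url= parameter would have gone off-site.
LOG_RE = re.compile(r'"GET (?P<path>\S+) HTTP/1\.[01]"')

def flag_external_redirects(log_lines, script="/scripts/programredirect.asp"):
    """Return (line_no, target) for each request to the script with an unsafe url= value."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m or not m.group("path").startswith(script):
            continue
        query = parse_qs(urlsplit(m.group("path")).query)   # percent-decodes values
        for target in query.get("url", []):
            if not is_safe_redirect(target):
                hits.append((n, target))
    return hits

SAMPLE_LOG = [  # constructed Apache-style lines, not real traffic
    '203.0.113.5 - - [01/Oct/2012:10:00:00 +0000] "GET /scripts/programredirect.asp?url=/benefits HTTP/1.1" 302 0',
    '203.0.113.6 - - [01/Oct/2012:10:00:05 +0000] "GET /scripts/programredirect.asp?url=http://evil.example/pharma HTTP/1.1" 302 0',
    '203.0.113.7 - - [01/Oct/2012:10:00:09 +0000] "GET /scripts/programredirect.asp?url=//evil.example/login HTTP/1.1" 302 0',
    '203.0.113.8 - - [01/Oct/2012:10:00:12 +0000] "GET /index.asp HTTP/1.1" 200 512',
]
```

Running flag_external_redirects(SAMPLE_LOG) reports lines 2 and 3; line 1 is a legitimate in-site redirect and line 4 never touches the script.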