For almost a week, scammers have been able to make their phishing campaigns appear to come from legitimate .gov addresses.
The US General Services Administration (GSA) administers a URL shortener so that US government, military, and other official links can be shortened to 1.USA.gov or Go.USA.gov. While the "Go" version requires users to have an official government email address to create the shortened URLs, the "1" version does not, allowing anyone to create a shortened address via Bit.ly.
Since these shortened links only point to official US websites, the GSA website states that "the public can click on Go.USA.gov or 1.USA.gov URLs knowing they will lead to official US government information". However, this does not take into account that the government websites they redirect to may not be secure.
Symantec has noted that scammers have begun to exploit open redirects on some government websites. For example, Idaho's Department of Health and Welfare has an open redirect that will send users to a specified URL without first prompting the user.
This means that anyone could shorten a URL such as http://www.healthandwelfare.idaho.gov/LinkClick.aspx?link=http://www.google.com into an equivalent 1.USA.gov address, including URLs that redirect to malicious sites.
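As an added illustration of the redirect check a site operator (or a link-shortening service) would want in front of a handler like the one above, the following Python is not code from the article, Symantec, Bit.ly or the Idaho site; it assumes the redirect parameter is named `link`, as in the example URL, and uses a constructed allow-list of hosts. It classifies a redirector request as internal or open, and shows the hardened form that only emits allow-listed destinations.

```python
from urllib.parse import urlparse, parse_qs, urljoin

# Hosts this redirector may send users to. Constructed for the example; the
# real site's policy is not known from the article.
ALLOWED_HOSTS = {"www.healthandwelfare.idaho.gov", "healthandwelfare.idaho.gov"}
REDIRECT_PARAM = "link"  # parameter name taken from the article's example URL


def redirect_target(request_url: str):
    """Return the raw value of the redirect parameter, or None if absent."""
    values = parse_qs(urlparse(request_url).query).get(REDIRECT_PARAM)
    return values[0] if values else None


def classify_redirect(request_url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Classify a redirector request as 'none', 'internal' or 'open'.

    'open' means the parameter would send the browser to a host outside
    allowed_hosts, which is the behaviour that let 1.USA.gov links be abused.
    """
    target = redirect_target(request_url)
    if target is None:
        return "none"
    # Resolve relative and scheme-relative ("//host/...") targets the same way
    # a browser would resolve the resulting Location header.
    resolved = urlparse(urljoin(request_url, target))
    if resolved.scheme not in ("http", "https"):
        return "open"  # anything that is not a web URL is never acceptable
    host = (resolved.hostname or "").lower()
    return "internal" if host in allowed_hosts else "open"


def safe_location(request_url: str, fallback: str = "/") -> str:
    """Hardened handler: emit the resolved target only for allow-listed hosts,
    otherwise fall back to a fixed local path instead of redirecting."""
    if classify_redirect(request_url) != "internal":
        return fallback
    return urljoin(request_url, redirect_target(request_url))


def flag_open_redirects(urls):
    """Filter a batch of submitted URLs (e.g. at a shortener) down to the ones
    that would bounce users off-site; these are the ones to refuse a .gov alias."""
    return [u for u in urls if classify_redirect(u) == "open"]
```

Run over a shortener's submission log, `flag_open_redirects` reproduces the check Bit.ly added: links that resolve off-site get no 1.USA.gov alias.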
Having a .gov URL for a phishing site would be valuable for a scammer, as it makes it appear much more legitimate, and is more likely to fool users into thinking that the content is safe.
Bit.ly has since put in place measures to close its service to official US sites if they appear to be linking to an open redirect. In these cases, it issues a plain bit.ly address rather than a 1.USA.gov address, and it now warns users if the link appears suspicious.
However, for some, the damage has been done.
Symantec has looked at 10 spam domains that it was aware of, and filtered through the shortened URL data that is freely available from the US government. It found that between October 12 and October 18, users were fooled into visiting spam sites some 43,049 times.
Contrary to the GSA's advice, Symantec said that users should exercise caution, even when opening links that are .gov URLs.