Threat Actors Exploit Government Website Vulnerabilities for Phishing Campaigns

January 29, 2025

Author: Max Gannon

Cofense Intelligence has continually observed threat actors abusing legitimate domains and services. This report highlights observed phishing threat actor abuse of the .gov top-level domain (TLD) and the country-specific .gov domains of different countries over the two years from November 2022 to November 2024.

Threat actors regularly abuse legitimate domains for malicious purposes such as hosting files or credential phishing, serving as a command and control (C2), or being used to redirect to a malicious page owned by the threat actor. Unfortunately, .gov domains are no exception to this abuse, although they appear to be abused less frequently than other domains.

Open Redirect

An open redirect as defined by MITRE is when a “web application accepts a user (aka threat actor)-controlled input that specifies a link to an external site and uses that link in a redirect”. Threat actors regularly take advantage of open redirects such as Google AMP and TikTok to bypass secure email gateways (SEGs), and .gov domains are similarly abused.

The various .gov TLDs tracked by Cofense Intelligence were most used to host credential phishing content; however, this was restricted to a relatively small number of domains that were used to host up to nine different files for nine different campaigns. A larger number of unique domains were used as open redirects. These domains were typically embedded in an email in an attempt to bypass SEGs, which likely trusted the .gov TLD by default. This allowed the threat actors to reach victims who would likely click links to .gov websites without reading the end of the URL and realizing they were going to be redirected to a credential phishing website.

Almost 60% of the .gov domains abused for open redirects have the same “noSuchEntryRedirect” parameter in the URL. This is likely related to CVE-2024-25608, a vulnerability in the Liferay digital platform, which is used by many governmental organizations. Web applications with vulnerabilities that allow open redirects are all too common, meaning that website developers must be constantly vigilant.

By exploiting this CVE and several other methods, which may also correspond to CVEs in other products, threat actors were able to abuse many government websites to redirect to credential phishing pages or to intermediaries that lead to credential phishing pages. Figure 1 shows the different parts of the URL used to leverage .gov domains as open redirects in phishing campaigns.
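The vigilance the report asks of developers comes down to one check: never use a request-supplied link as the redirect destination without validating it. The following added example (not code from the Cofense report, from Liferay, or from any of the listed sites) shows the MITRE-described anti-pattern beside a hardened validator. The host names are constructed placeholders, and the function names and the `allowed_hosts` allow-list are assumptions for illustration.

```python
"""Added example, not code from the report or from Liferay: the open-redirect
anti-pattern beside a hardened redirect validator. Host names used in tests are
constructed placeholders; the helper names and allow-list are assumptions."""
from urllib.parse import urlsplit, urlunsplit


def vulnerable_redirect_target(candidate: str) -> str:
    """The weakness MITRE describes: the request-supplied link is used as the
    redirect destination without any check, so any external site is accepted."""
    return candidate


def safe_redirect_target(candidate: str, own_host: str, allowed_hosts=()) -> str:
    """Return a redirect target that stays on own_host or an allow-listed host;
    anything else falls back to the site root."""
    fallback = "/"
    # Browsers treat "/\host" like "//host", so normalize backslashes first.
    value = (candidate or "").strip().replace("\\", "/")
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        # Absolute (https://host/...) or protocol-relative (//host/...) URL:
        # only permitted when the host is ours or explicitly allow-listed.
        host = (parts.hostname or "").lower()
        permitted = {own_host.lower(), *(h.lower() for h in allowed_hosts)}
        if parts.scheme in ("", "http", "https") and host in permitted:
            return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
        return fallback
    # Relative target: must be a single-slash path on this site; "//..." would
    # be read by the browser as a protocol-relative URL to another host.
    if not value.startswith("/") or value.startswith("//"):
        return fallback
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    own = "www.example.gov"  # constructed placeholder
    for cand in ["/account/settings", "//other.example/sign/",
                 "https://other.example/o/", "/\\other.example",
                 "https://www.example.gov/dashboard?tab=1"]:
        print(f"{cand!r:45} vulnerable={vulnerable_redirect_target(cand)!r:40} "
              f"safe={safe_redirect_target(cand, own)!r}")
```

The simplest fix is to refuse absolute URLs altogether and accept only same-site paths; the allow-list branch exists for the common case of a separate sign-on host and should stay empty unless it is needed.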


Figure 1: Methods of open redirects observed with abused .gov domains.

USA Government Domains

Although .gov domains associated with the United States only make up 9% of the abused .gov domains, they are still the 3rd most abused and worth specifically covering. All the United States-based .gov domains abused in campaigns from November 2022 to November 2024 were used for open redirects. This is in contrast to some other countries’ .gov domains, which were also compromised and used to host credential phishing or other malicious content. Over 77% of the open redirects made use of “noSuchEntryRedirect,” making it likely that the United States-based government websites also fell prey to CVE-2024-25608.

Email Trends

The campaigns abusing United States-based .gov domains for open redirects were all Microsoft-themed with the credential phishing page typically including Microsoft logos and indicators. More than half of the emails had subjects relating to signing some sort of agreement. The campaigns bypassed most major SEGs including Microsoft ATP, Proofpoint, Cisco IronPort, Symantec MessageLabs, and Mimecast. This is a good indicator of how successful .gov domains are at bypassing SEGs. Some of the sample United States .gov domains abused are shown in Table 1.

Table 1: Various United States .gov domains used for open redirects, along with URLScan data.

URL | Captured Redirect | Active Threat Report (ATR)
hxxp[:]//momentum[.]princegeorgescountymd[.]gov/c/blogs/find_entry?p_1_id=0&noSuchEntryRedirect=hxxp[:]//myvirtualcare[.]health[.]nsw[.]gov[.]au/auth/logout?continue=//mesin[.]ft[.]unib[.]ac[.]id/sign/ | URLScan | 306866
hxxps[:]//ecity[.]springfieldmo[.]gov/c/blogs/find_entry?p_1_id=0&noSuchEntryRedirect=hxxps[:]//biola[.]edu//shinro[.]edu[.]vn/doc// | URLScan | 295925
hxxps[:]//www[.]dol[.]ks[.]gov/c/blogs/find_entry?p_1_id=0&noSuchEntryRedirect=hxxp[:]//gemolong[.]sragen[.]pramukajateng[.]or[.]id/doc/ | URLScan | 300974
hxxps[:]//www[.]myhealth[.]va[.]gov/c/blogs/find_entry?p_l_id=0&noSuchEntryRedirect=hxxps[:]//pub-f01585adf15642eca2e96231ddbf6a84[.]r2[.]dev/index3[.]html | N/A | 329768
hxxps[:]//www[.]recreation[.]gov/api/redirect?account_id=32dd40e4-07fa-5832-adb6-e94b3d1a05e5&url=hxxps[:]//sariceei[.]com/o/? | URLScan | 380023
hxxps[:]//www[.]sba[.]gov///www[.]iedcolombiaaprende[.]edu[.]co/doc/ | URLScan | 290470
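Table 1 shows the two URL shapes Figure 1 distinguishes: a query parameter carrying the destination (noSuchEntryRedirect, url, continue) and a path-based form where the destination host follows a run of slashes. The following added example (not code from the Cofense report) parses the defanged Table 1 URLs offline, classifies each hop, and follows the chain statically when the landing site is itself an open redirect, which is how an analyst or a mail filter can surface the real destination hidden behind a trusted .gov host. The path-based pattern and the helper names are assumptions; the only parameter names taken from the report are noSuchEntryRedirect, url and continue.

```python
"""Added example, not code from the Cofense report: classify the redirect
method in each abused .gov URL from Table 1 (query-parameter versus path-based,
the aspects Figure 1 distinguishes) and recover the off-site destination,
following the chain when the landing site redirects again. No network access
is used; the analysis is purely static. The path-based pattern is a heuristic."""
import re
from urllib.parse import urlsplit, parse_qs

# Defanged sample URLs copied from Table 1 of the report.
TABLE_1_URLS = [
    "hxxp[:]//momentum[.]princegeorgescountymd[.]gov/c/blogs/find_entry?p_1_id=0&noSuchEntryRedirect=hxxp[:]//myvirtualcare[.]health[.]nsw[.]gov[.]au/auth/logout?continue=//mesin[.]ft[.]unib[.]ac[.]id/sign/",
    "hxxps[:]//ecity[.]springfieldmo[.]gov/c/blogs/find_entry?p_1_id=0&noSuchEntryRedirect=hxxps[:]//biola[.]edu//shinro[.]edu[.]vn/doc//",
    "hxxps[:]//www[.]dol[.]ks[.]gov/c/blogs/find_entry?p_1_id=0&noSuchEntryRedirect=hxxp[:]//gemolong[.]sragen[.]pramukajateng[.]or[.]id/doc/",
    "hxxps[:]//www[.]myhealth[.]va[.]gov/c/blogs/find_entry?p_l_id=0&noSuchEntryRedirect=hxxps[:]//pub-f01585adf15642eca2e96231ddbf6a84[.]r2[.]dev/index3[.]html",
    "hxxps[:]//www[.]recreation[.]gov/api/redirect?account_id=32dd40e4-07fa-5832-adb6-e94b3d1a05e5&url=hxxps[:]//sariceei[.]com/o/?",
    "hxxps[:]//www[.]sba[.]gov///www[.]iedcolombiaaprende[.]edu[.]co/doc/",
]

# Path that is only slashes followed by something hostname-shaped, as in
# https://www.sba.gov///www.example.edu/doc/ (heuristic; an assumption).
PATH_HOST_RE = re.compile(r"^/{2,}([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?=/|$)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp[:]//a[.]b) back into a parseable URL."""
    return indicator.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def is_gov_host(host: str) -> bool:
    """True for .gov and country-specific forms such as .gov.au or .gov.br."""
    return "gov" in host.lower().split(".")[1:]


def absolute_target(value: str):
    """If a parameter value is an absolute or protocol-relative URL, return it
    with a scheme attached; otherwise None."""
    v = value.strip()
    if v.startswith("//"):          # protocol-relative: //host/path
        v = "http:" + v
    parts = urlsplit(v)
    if parts.scheme in ("http", "https") and parts.hostname:
        return v
    return None


def classify(url: str) -> dict:
    """Describe one redirect hop: which part of the URL carries the target and where it goes."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hop = {"host": host, "gov": is_gov_host(host), "method": None,
           "param": None, "target": None}
    # Query-parameter redirect, e.g. ...?noSuchEntryRedirect=http://other.example
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            target = absolute_target(value)
            if target and (urlsplit(target).hostname or "").lower() != host:
                hop.update(method="query-parameter", param=name, target=target)
                return hop
    # Path-based redirect, e.g. https://www.sba.gov///www.example.edu/doc/
    m = PATH_HOST_RE.match(parts.path)
    if m and m.group(1).lower() != host:
        hop.update(method="path", target="http://" + m.group(1) + parts.path[m.end():])
    return hop


def redirect_chain(defanged: str, max_hops: int = 5) -> list:
    """Follow the redirect parameters statically and return the sequence of
    hosts a victim's browser would be sent through."""
    url = refang(defanged)
    hosts = []
    for _ in range(max_hops):
        hop = classify(url)
        hosts.append(hop["host"])
        if not hop["target"]:
            break
        url = hop["target"]
    return hosts


if __name__ == "__main__":
    for sample in TABLE_1_URLS:
        first = classify(refang(sample))
        print(f"{first['host']:<38} {str(first['method']):<16} "
              f"param={first['param']} chain={' -> '.join(redirect_chain(sample))}")
```

Running it shows the first Table 1 entry bouncing through a second .gov host (an Australian state health site) before reaching a non-government destination, which is exactly the kind of chain a filter that trusts the .gov TLD by default will wave through; scoring on the last host in the chain rather than the first removes that blind spot.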

Government Domain by Country

Domains belonging to the governments of over 20 different countries were identified. Although there were over 20 different countries, the top 7 most frequently abused country-specific government domains accounted for 75% of all .gov domains abused in phishing campaigns. The remaining 16 countries individually made up less than 4% of the .gov domains abused in phishing campaigns. Figure 2 breaks down the top government domains seen by country based on domain usage in campaigns. Brazil is the clear leader, making up more than the next 3 highest-ranking countries combined. However, the 3 most common abused .gov.br domains made up 65% of all abused .gov.br domains, so it is possible that, rather than .gov.br domains being abused the most frequently overall, a small number of .gov.br domains were abused repeatedly.

Although it might be tempting to take these results as a barometer of how effective a given country’s efforts are at defending its infrastructure, it is important to note that this data may also be affected by other factors such as software used (i.e. Liferay), threat actor interest, and purpose for which the compromised domains are used (this report specifically does not cover .gov domains used as spoofed or compromised sender email addresses).


Figure 2: Government domains abused by country based on the frequency of URLs.

When only unique domains are factored in and domains that host multiple different paths are ignored, the graph, as shown in Figure 3, looks similar, with Brazil still in the lead by a significant amount. However, Vietnam was replaced by the Philippines, indicating that several Vietnamese government domains may have been abused multiple times, while the Philippines government domains may have had more unique domains abused.


Figure 3: Government domains abused by country based on unique domains.

No relationship between the language of the campaign and the country of the .gov domain was found. This indicates that threat actors likely do not start with a .gov domain and generate an email around it. Instead, they likely generate a campaign and then either attempt to find trusted domains to use in the campaign or simply buy access to compromised or abused domains in bulk.

C2

Threat actors most frequently abuse .gov domains to act as open redirects to malicious sites; however, some compromised government email addresses have been used as C2s by Agent Tesla Keylogger and StormKitty in mid-2023 and early 2024. The fact that only two email addresses were compromised and used as C2s by malware could be seen as an encouraging sign that many governments are careful with their email security.

Table 2: Two .gov domain email addresses used as C2s.

Compromised Email Address | Malware Family | Relevant ATR
ee[.]sylhet[@]dphe[.]gov[.]bd | Agent Tesla Keylogger, StormKitty | 324371, 325758, 325866
schedule-iv[.]hta[@]kp[.]gov[.]pk | Agent Tesla Keylogger | 359271, 359607, 361292