- Cofense's report finds phishing threat actors abusing top-level domains (TLDs)
- A significant number of .gov domains are used in open redirection attacks
- Brazil is the leader in .gov domain abuse
Cybercriminals are exploiting legitimate government websites and domain services, particularly those under the .gov top-level domain (TLD), experts have warned.
A report by cybersecurity firm Cofense Intelligence states that these domains are being used for a wide variety of damaging ends, from credential phishing to command and control (C2) operations.
The report establishes that between November 2022 and November 2024, threat actors took advantage of vulnerabilities in the .gov domains of more than 20 countries.
Credential phishing
One of the things these domains are used for is open redirection, which has become a key method of evading Secure Email Gateways (SEGs).
An open redirect occurs when a web application takes a user-controlled value (typically a URL parameter) and sends the browser wherever it points, without checking that the destination belongs to the application itself. Threat actors can craft such a link so that a URL on a legitimate .gov site forwards unsuspecting victims to a fraudulent page, while email filters and recipients see only the trusted domain.
In the United States, .gov domains are among the most frequently exploited for these redirects, with more than 77% of attacks taking advantage of a specific vulnerability linked to the "noSuchEntryRedirect" parameter. This vulnerability, identified as CVE-2024-25608, affects Liferay, a platform widely used by government organizations. Although the .gov domains based in the US.
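To make the mechanism concrete, here is an added example (written for this page, not code from Cofense or from Liferay, and not a reproduction of CVE-2024-25608 itself). It shows the weak pattern of echoing a redirect parameter straight into the response beside a hardened version that only accepts a local path, and a small triage function of the kind a SOC could run over links extracted from email to spot a trusted host forwarding to an external one. The parameter name noSuchEntryRedirect comes from the text; the host names, sample links, the list of generic redirect parameter names and all function names are assumptions constructed for the example.

```python
"""Open-redirect handling and lure triage (added example, not from the Cofense report)."""
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Parameter names that commonly carry a post-action destination. The first is
# the one named in the text; the others are an assumption about what a
# detector would reasonably watch for.
REDIRECT_PARAMS = {"nosuchentryredirect", "redirect", "returnurl", "next", "url", "goto"}


def vulnerable_redirect_target(request_query: str) -> Optional[str]:
    """The weak pattern: whatever the client supplies becomes the Location header."""
    values = parse_qs(request_query).get("noSuchEntryRedirect")
    return values[0] if values else None


def safe_redirect_target(request_query: str, default: str = "/") -> str:
    """Hardened form: accept only a same-site path, otherwise fall back to a fixed page."""
    values = parse_qs(request_query).get("noSuchEntryRedirect")
    if not values:
        return default
    # parse_qs decoded once; decode again so a double-encoded "%252F%252F" cannot
    # smuggle a protocol-relative URL past the checks below.
    target = unquote(values[0])
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:          # "https://evil.example", "//evil.example", "javascript:"
        return default
    if not target.startswith("/") or target.startswith("//"):
        return default
    if "\\" in target or "\r" in target or "\n" in target:  # browsers treat "\" as "/"; CRLF breaks headers
        return default
    return target


def flag_redirect_lure(url: str) -> Optional[dict]:
    """Flag a link whose redirect-style parameter points to a host other than the one linked.

    Returns None when nothing is suspicious; otherwise the landing host, the
    parameter used and the external destination it forwards to.
    """
    parts = urlsplit(url)
    for name, values in parse_qs(parts.query).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            dest = urlsplit(unquote(value))
            if dest.netloc and dest.hostname != parts.hostname:
                return {"landing_host": parts.hostname, "parameter": name, "destination": dest.hostname}
    return None


# Constructed sample links for the example; these are not real lures.
SAMPLE_LINKS = [
    "https://portal.example.gov/web/guest/home?noSuchEntryRedirect=https%3A%2F%2Flogin-microsoft.example%2Fauth",
    "https://portal.example.gov/web/guest/home?noSuchEntryRedirect=%2Fweb%2Fguest%2Fhome",
    "https://portal.example.gov/c/portal/login?redirect=%2F%2Fcollect.example%2F",
]


def triage(links):
    """Run the lure check over a list of links; one result per link, None where clean."""
    return [flag_redirect_lure(u) for u in links]


if __name__ == "__main__":
    for link, verdict in zip(SAMPLE_LINKS, triage(SAMPLE_LINKS)):
        print(link, "->", "clean" if verdict is None else verdict)
```

The triage function deliberately compares the destination host with the landing host rather than matching on a blocklist, because the whole point of the lure is that the landing host is reputable: the signal is a trusted site handing the browser to somewhere else, not the name of the somewhere else.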
Credential phishing remains the most common form of abuse linked to .gov domains, the report explains. Most government domains used in phishing attacks hosted up to nine different files across several campaigns. These phishing attempts often imitate legitimate services such as Microsoft, with emails designed to appear as though they were sent from trusted sources.
The report also notes the abuse of .gov domains for credential phishing and for redirecting victims to malicious sites in several countries. Brazil in particular stands out as the most targeted country, accounting for most of the abuse of .gov domains. However, a small number of domains within Brazil were responsible for most of that abuse, suggesting that attackers focused on a handful of important government websites.