Introduction

Cybercriminals are increasingly targeting government websites [5], particularly those with gov top-level domains (TLDs) [3], to conduct phishing campaigns and distribute malware [5]. These trusted domains are exploited to host credential phishing pages, serve as command-and-control (C2) servers [2] [3] [4] [5] [6], or redirect victims to malicious sites [3] [6]. Despite being less frequently attacked than other domains, gov domains remain attractive due to the inherent trust users place in government websites [3] [6].

Description

Cybercriminals are increasingly exploiting vulnerabilities in government websites [3] [6], particularly those with gov top-level domains (TLDs) [3], to conduct phishing campaigns and distribute malware across various countries [5]. Research indicates that threat actors often utilize these trusted domains to host credential phishing pages [3] [6], serve as command-and-control (C2) servers [2] [3] [4] [5] [6], or redirect victims to malicious sites [3] [6]. Although attacks on gov domains are less frequent than on other domains [5], they remain attractive targets due to the inherent trust users place in government websites [3] [6].

A prevalent tactic among these actors is the exploitation of open redirects, a flaw in which a web application forwards users to an externally supplied destination without validating it [3]. Nearly 60% of the abused gov domains have been identified as exhibiting this vulnerability, with many hosting multiple phishing campaigns [3] [6]. Specifically, many of these domains contained the “noSuchEntryRedirect” element in their URL paths [3], indicating a vulnerability in the Liferay digital platform (CVE-2024-25608) [3] [6]. Because the link in the phishing email points at a trusted gov domain, it passes secure email gateway (SEG) checks, and the redirect then forwards the victim to the malicious site without their noticing [3].
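The following is an added example (not code from any of the cited articles or from Liferay) showing the two defender-side pieces this paragraph and the later mitigation advice imply: a redirect-target validator that only permits same-host or relative destinations, and a scan over URLs (as extracted from mail links or web-server logs) that flags redirect parameters whose target leaves the trusted host. Only `noSuchEntryRedirect` is named on the page; the other parameter names, the trusted host and the sample URLs are constructed assumptions.

```python
"""Validate redirect targets and flag open-redirect abuse in URLs.

Added example, not taken from the cited sources. `noSuchEntryRedirect`
is the parameter named in the article; the remaining names in
REDIRECT_PARAMS are assumptions included for generality.
"""
from urllib.parse import parse_qs, unquote, urlsplit

REDIRECT_PARAMS = {"noSuchEntryRedirect", "redirect", "url", "next", "returnUrl"}


def is_safe_redirect_target(target: str, trusted_host: str) -> bool:
    """Return True only if `target` stays on `trusted_host` or is a relative path.

    This is the allowlist check an open-redirect fix needs: anything that
    would land the browser on another host is rejected.
    """
    target = unquote(target).strip()  # unquote again to defeat double-encoding
    # Scheme-relative ("//evil.example") and backslash forms ("/\evil.example")
    # are normalised by browsers into an external host, so reject them early.
    if target.startswith(("//", "/\\", "\\")):
        return False
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data: and friends are never redirect targets
    if not parts.netloc:
        return target.startswith("/")  # only plain site-relative paths pass
    # Compare the parsed hostname, which drops userinfo ("trusted@evil") and port.
    return parts.hostname == trusted_host.lower()


def find_open_redirects(urls, trusted_host):
    """Return (url, param, target) for every redirect parameter that leaves trusted_host."""
    hits = []
    for url in urls:
        for name, targets in parse_qs(urlsplit(url).query).items():
            if name not in REDIRECT_PARAMS:
                continue
            for target in targets:
                if not is_safe_redirect_target(target, trusted_host):
                    hits.append((url, name, target))
    return hits


# Constructed sample URLs (not real indicators) resembling links seen in mail
# or in a portal's access log; two of them redirect off-site.
SAMPLE_URLS = [
    "https://portal.example.gov/page?noSuchEntryRedirect=https://login-verify.example/sign",
    "https://portal.example.gov/page?noSuchEntryRedirect=/web/home",
    "https://portal.example.gov/login?redirect=//attacker.example/agreement",
    "https://portal.example.gov/login?redirect=https://portal.example.gov/dashboard",
]

if __name__ == "__main__":
    for url, param, target in find_open_redirects(SAMPLE_URLS, "portal.example.gov"):
        print(f"open redirect via {param!r} -> {target}  ({url})")
```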

While US-based gov domains account for only 9% of the total abused domains [3] [6], they rank as the third most targeted globally. All observed US cases involved open redirects [3], and a significant share of them contained the “noSuchEntryRedirect” element. Phishing emails that abuse US government domains often mimic Microsoft services [3] [6], asking victims to sign agreements [3], and have successfully bypassed major SEGs [2] [3], including Microsoft ATP [3], Proofpoint [3] [6], Cisco IronPort [3], Symantec MessageLabs [3], and Mimecast [3].

Globally [3] [4] [6], over 20 countries have had government domains targeted by phishing campaigns [3] [6], with Brazil [4] [6], Colombia [3] [5] [6], and the US being the most affected [6]. Brazil leads in the number of compromised domains [2] [4], with specific gov.br domains disproportionately targeted [2]. This suggests a pattern of repeated exploitation of certain sites rather than widespread vulnerabilities [3], indicating a strategic approach by cybercriminals to maximize the effectiveness of their attacks [6].

In addition to open redirects [3] [4] [6], some compromised government email addresses have been used as C2 servers for malware [1] [2] [3] [4] [6], including Agent Tesla Keylogger and StormKitty [1] [2] [3] [4] [5] [6]. Although the number of compromised email addresses is small [3], this highlights the ongoing need for vigilance in securing government digital infrastructure [3] [6]. To mitigate these threats [5], experts recommend implementing stricter validation processes [5], regular software updates [5], and raising awareness about phishing risks [5]. Continuous monitoring of government domains for unusual activity is essential to identify and address vulnerabilities in real time [5], thereby reducing the risks associated with these sophisticated phishing campaigns [5].

Conclusion

The exploitation of government websites by cybercriminals poses significant risks, as these sites are trusted by users. The use of open redirects and compromised email addresses for phishing and malware distribution highlights the need for enhanced security measures. Implementing stricter validation processes [5], regular software updates [5], and raising awareness about phishing risks are crucial steps in mitigating these threats. Continuous monitoring of government domains is essential to identify and address vulnerabilities in real time [5], thereby reducing the risks associated with these sophisticated phishing campaigns [5]. As cyber threats evolve [3], maintaining robust security protocols will be vital in safeguarding government digital infrastructure.

References

[1] https://blog.netmanageit.com/threat-actors-exploit-government-website-vulnerabilities-for-phishing-campaigns/
[2] https://securityboulevard.com/2025/01/threat-actors-exploit-government-website-vulnerabilities-for-phishing-campaigns/
[3] https://ciso2ciso.com/threat-actors-exploit-government-websites-for-phishing-source-www-infosecurity-magazine-com/
[4] https://cofense.com/blog/threat-actors-exploit-government-website-vulnerabilities-for-phishing-campaigns
[5] https://undercodenews.com/cybercriminals-exploit-government-domains-for-phishing-campaigns-a-growing-threat/
[6] https://www.infosecurity-magazine.com/news/threat-actors-exploit-gov-websites/