Threat Actors Exploit Government Websites for Phishing
Cybercriminals have been increasingly exploiting government website vulnerabilities to conduct phishing campaigns.
New research by Cofense Intelligence, analyzing data from November 2022 to November 2024, showed how malicious actors abuse .gov top-level domains (TLDs) across multiple countries.
According to the new data, threat actors often leveraged legitimate domains to host credential phishing pages, serve as command-and-control (C2) servers or redirect victims to malicious sites. While .gov domains were abused less frequently than others, they remained a target due to users’ inherent trust in government websites.
Open Redirect Exploitation
One common tactic cybercriminals employ is an open redirect, where a website forwards users to an external site without proper validation.
Cofense Intelligence found that various .gov domains were primarily used for credential phishing, with some hosting up to nine different phishing campaigns. A larger pool of government domains, however, were used as open redirects to bypass secure email gateways (SEGs). Many victims clicked on .gov URLs without realizing they would be redirected to malicious sites.
Nearly 60% of abused .gov domains contained “noSuchEntryRedirect” in their URL paths, suggesting a link to a vulnerability (CVE-2024-25608) in the Liferay digital platform, which is widely used by government organizations.
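As an added example (not code from the article or from Cofense), the following Python shows how a defender could triage URLs from mail-gateway or proxy logs for the pattern described above: a government host whose query string carries an absolute URL pointing to a different host, and/or a path containing the “noSuchEntryRedirect” marker. The sample URLs, hostnames and parameter names are constructed for illustration and are not taken from the report; the marker check only tests the path string, as the article describes, and makes no claim about Liferay's actual routing.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Path marker the article associates with abused .gov domains; matched case-insensitively.
SUSPICIOUS_PATH_MARKER = "noSuchEntryRedirect"


def is_gov_host(host: str) -> bool:
    """True for .gov hosts and country-code variants such as .gov.br or .gov.co."""
    labels = host.lower().split(".")
    return len(labels) >= 2 and "gov" in labels[-2:]


def external_redirect_targets(url: str) -> list[str]:
    """Hosts of absolute http(s) URLs carried in query-string values that differ
    from the URL's own host, i.e. the open-redirect shape described in the article."""
    parsed = urlparse(url)
    own_host = (parsed.hostname or "").lower()
    targets = []
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for value in values:
            # parse_qs already decoded once; decode again to catch double-encoded targets.
            inner = urlparse(unquote(value))
            if inner.scheme in ("http", "https") and inner.hostname:
                target = inner.hostname.lower()
                if target != own_host:
                    targets.append(target)
    return targets


def classify_url(url: str) -> dict:
    """Return a verdict dict with the reasons a URL was flagged (empty list if clean)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    targets = external_redirect_targets(url)
    if is_gov_host(host) and targets:
        reasons.append("government host redirects to external host(s): " + ", ".join(targets))
    if SUSPICIOUS_PATH_MARKER.lower() in parsed.path.lower():
        reasons.append("path contains " + SUSPICIOUS_PATH_MARKER)
    return {"url": url, "host": host, "suspicious": bool(reasons), "reasons": reasons}


def scan(urls) -> list[dict]:
    """Classify every URL and keep only the suspicious ones."""
    results = [classify_url(u) for u in urls]
    return [r for r in results if r["suspicious"]]


# Constructed sample URLs (hypothetical hosts and parameter names, not from the report).
SAMPLE_URLS = [
    "https://portal.example.gov/c/portal/layout?p_l_id=1",                      # benign
    "https://portal.example.gov/login?back=https://portal.example.gov/home",     # same-host redirect, benign
    "https://portal.example.gov/web/guest/noSuchEntryRedirect?redirect=https%3A%2F%2Flogin-example.invalid%2Fsign",
    "https://www.example.gov.br/home?next=https://evil.invalid/doc",             # external target on a .gov.br host
    "https://news.example.com/noSuchEntryRedirect?u=https://a.invalid",          # marker only, non-government host
]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_URLS):
        print(verdict["url"])
        for reason in verdict["reasons"]:
            print("   -", reason)
```

Run over real gateway logs, the same-host exclusion keeps ordinary login round-trips out of the alert queue, while an absolute URL to a foreign host in any parameter of a .gov link is worth a closer look regardless of whether the path marker is present.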
US Government Domains Among Targets
Although US-based .gov domains accounted for only 9% of the total abused domains, they were the third most targeted globally. All observed cases involved open redirects, with 77% containing the “noSuchEntryRedirect” element.
Phishing emails using compromised US government domains primarily mimicked Microsoft services, often requesting victims to sign agreements. These campaigns successfully bypassed major SEGs, including Microsoft ATP, Proofpoint, Cisco IronPort, Symantec MessageLabs and Mimecast.
Global Trends in Government Domain Exploitation
Over 20 countries had government domains targeted by phishing campaigns. The top seven countries accounted for 75% of the abuse, with Brazil leading the list, followed by Colombia and the US. Notably, a few Brazilian .gov domains contributed to most of the country’s cases, suggesting repeated exploitation of specific sites rather than widespread vulnerabilities.
Cybercriminals appear to design their campaigns first, then seek out trusted government domains to integrate into their phishing strategies. This method suggests a deliberate approach to maximize the effectiveness of their attacks.
Command-and-Control Use Cases
Beyond open redirects, some compromised government email addresses were used as C2 servers for malware, such as Agent Tesla Keylogger and StormKitty. Cofense Intelligence identified two such cases in mid-2023 and early 2024.
While only a small number of email addresses were compromised in this way, the report underscores the need for ongoing vigilance in securing government digital infrastructure.
Mitigation Recommendations
To protect against such threats:
- Government agencies should implement stricter validation processes to prevent open redirects
- Organizations must regularly update and patch software vulnerabilities like CVE-2024-25608
- Organizations and individuals should increase awareness and training to help mitigate risks associated with phishing campaigns
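To make the first recommendation concrete, and to illustrate the open-redirect mechanism described earlier, here is an added Python example (not code from the article, from Cofense or from Liferay) that places an unvalidated redirect handler beside a hardened one. The site origin, the allowlisted hosts and the default landing path are hypothetical; the hardened version resolves the requested target against the site's own origin, then accepts it only if it is an https URL, carries no embedded credentials and lands on an allowlisted host, falling back to the default landing page otherwise.

```python
from typing import Optional
from urllib.parse import urljoin, urlparse

# Hypothetical deployment values; a real service would load these from configuration.
SITE_ORIGIN = "https://portal.example.gov"
ALLOWED_HOSTS = {"portal.example.gov", "sso.example.gov"}
DEFAULT_LANDING = "/"


def unsafe_redirect(requested: str) -> str:
    """'Before' version: the open redirect the article describes. The parameter is
    echoed straight into the Location header, so any external target is accepted."""
    return requested


def validated_redirect(requested: Optional[str]) -> str:
    """'After' version: return a Location value that is guaranteed to stay on an
    allowlisted host, or DEFAULT_LANDING when the request cannot be trusted."""
    if not requested:
        return DEFAULT_LANDING

    # Some browsers treat backslashes as slashes, so normalise before resolving;
    # otherwise "/\evil.example" could slip past a naive leading-slash check.
    candidate = requested.replace("\\", "/")

    # Resolve relative to our own origin. A plain path stays on our site, while
    # scheme-relative ("//host/...") or absolute inputs become absolute URLs we can inspect.
    resolved = urljoin(SITE_ORIGIN + "/", candidate)
    parsed = urlparse(resolved)

    # Only https is allowed; this also rejects javascript:, data: and http downgrades.
    if parsed.scheme != "https":
        return DEFAULT_LANDING
    # Reject "https://trusted-looking-name@attacker-host/" style userinfo tricks.
    if parsed.username or parsed.password:
        return DEFAULT_LANDING
    # Exact host allowlist; suffix or substring checks are a common source of bypasses.
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return DEFAULT_LANDING

    # Return the resolved URL rather than the raw input so the browser sees exactly
    # what was validated.
    return resolved


def build_response(requested: Optional[str]) -> dict:
    """Minimal stand-in for a framework redirect response, for demonstration."""
    return {"status": 302, "headers": {"Location": validated_redirect(requested)}}


if __name__ == "__main__":
    # Constructed inputs showing what the hardened handler does with each.
    for sample in ["/dashboard", "//evil.invalid/x", "https://evil.invalid/login",
                   "/\\evil.invalid/x", "https://sso.example.gov/login?next=1",
                   "https://portal.example.gov@evil.invalid/", None]:
        print(repr(sample), "->", validated_redirect(sample))
```

The allowlist is the part that matters: a redirect endpoint that merely checks for a leading slash, or for the string “example.gov” anywhere in the target, still lets a crafted link carry users off the site, which is exactly the behaviour that lets .gov links pass a secure email gateway and land on a credential phishing page.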
As cyber-threats continue to evolve, securing government websites against exploitation remains critical to protecting users from phishing attacks.