Threat Actors Exploit Government Websites for Phishing
Cybercriminals have been increasingly exploiting government website vulnerabilities to conduct phishing campaigns.

New research by Cofense Intelligence, analyzing data from November 2022 to November 2024, showed how malicious actors abuse .gov top-level domains (TLDs) across multiple countries.

According to the new data, threat actors often leveraged legitimate domains to host credential phishing pages, serve as command-and-control (C2) servers or redirect victims to malicious sites. While .gov domains were abused less frequently than others, they remained a target due to users’ inherent trust in government websites.

Open Redirect Exploitation

One common tactic cybercriminals employ is an open redirect, where a website forwards users to an external site without proper validation.

Cofense Intelligence found that various .gov domains were used primarily for credential phishing, with some hosting up to nine different phishing campaigns. A larger pool of government domains, however, was used as open redirects to bypass secure email gateways (SEGs). Many victims clicked on .gov URLs without realizing they would be redirected to malicious sites.

Nearly 60% of abused .gov domains contained “noSuchEntryRedirect” in their URL paths, suggesting a link to CVE-2024-25608, a vulnerability in the Liferay digital platform widely used by government organizations.
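The open-redirect pattern described above lends itself to a simple mail-gateway or proxy-log check: a link whose host is a government domain but whose query string carries an absolute URL pointing somewhere else. The following heuristic detector is an added example, not code from the article or from Cofense Intelligence. The log lines and URLs are constructed samples, and the query-parameter names (`redirect`, `next`) are assumptions for illustration rather than the real Liferay parameter names; the only page-derived indicator is the “noSuchEntryRedirect” path marker.

```python
"""Heuristic detection of open-redirect style links hosted on government domains.

Added example (not from the article or Cofense).  Sample log lines and URLs
below are constructed; query-parameter names are assumptions.
"""
import re
from urllib.parse import urlparse, parse_qs

# Path fragment the article reports in roughly 60% of abused .gov URLs.
SUSPICIOUS_PATH_MARKER = "nosuchentryredirect"

# Loose URL extractor for free-text log lines (constructed for this example).
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def is_gov_host(host: str) -> bool:
    """True for .gov hosts and country-code government hosts such as .gov.br."""
    labels = host.lower().rstrip(".").split(".")
    return "gov" in labels[-2:]


def external_redirect_targets(url: str) -> list[str]:
    """Return query-parameter values that are absolute or protocol-relative
    URLs whose host differs from the host serving the link."""
    parts = urlparse(url)
    targets = []
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for value in values:
            value = value.strip()
            candidate = urlparse(value)
            # "https://other.host/..." or "//other.host/..." both yield a netloc.
            if candidate.netloc and candidate.netloc.lower() != parts.netloc.lower():
                targets.append(value)
            # Backslash variants ("\\other.host") are normalised to "//" by some browsers.
            elif value.startswith("\\\\"):
                targets.append(value)
    return targets


def classify_url(url: str) -> dict:
    """Score one URL: government host AND (off-host redirect target OR the
    noSuchEntryRedirect path marker) is the pattern the report describes."""
    parts = urlparse(url)
    host = parts.hostname or ""
    gov = is_gov_host(host)
    path_marker = SUSPICIOUS_PATH_MARKER in parts.path.lower()
    targets = external_redirect_targets(url)
    return {
        "url": url,
        "host": host,
        "gov": gov,
        "path_marker": path_marker,
        "targets": targets,
        "suspicious": gov and (bool(targets) or path_marker),
    }


def scan_lines(lines: list[str]) -> list[dict]:
    """Extract URLs from gateway-style log lines and return the suspicious ones."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            verdict = classify_url(url.rstrip(".,;)"))
            if verdict["suspicious"]:
                hits.append(verdict)
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    'seg: msg-id=1 url="https://portal.example.gov/c/portal/noSuchEntryRedirect?redirect=https://login-example.invalid/signin" verdict=allow',
    'seg: msg-id=2 url="https://portal.example.gov/news/article?id=42" verdict=allow',
    'seg: msg-id=3 url="https://cdn.example.com/go?next=https://other.example.net" verdict=allow',
    'seg: msg-id=4 url="https://www.example.gov.br/redir?next=//login-example.invalid/" verdict=allow',
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"SUSPICIOUS {hit['host']} -> {hit['targets']} (marker={hit['path_marker']})")
```

The heuristic deliberately treats an off-host redirect target as sufficient on its own, because the article notes that a large pool of .gov domains served as open redirects regardless of the specific path; the “noSuchEntryRedirect” marker raises confidence but is not required. Tune the host test and parameter extraction to your own gateway's log format before deploying it.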


US Government Domains Among Targets

Although US-based .gov domains accounted for only 9% of the total abused domains, they were the third most targeted globally. All observed cases involved open redirects, with 77% containing the “noSuchEntryRedirect” element.

Phishing emails using compromised US government domains primarily mimicked Microsoft services, often requesting victims to sign agreements. These campaigns successfully bypassed major SEGs, including Microsoft ATP, Proofpoint, Cisco IronPort, Symantec MessageLabs and Mimecast.

Global Trends in Government Domain Exploitation

Over 20 countries had government domains targeted by phishing campaigns. The top seven countries accounted for 75% of the abuse, with Brazil leading the list, followed by Colombia and the US. Notably, a few Brazilian .gov domains contributed to most of the country’s cases, suggesting repeated exploitation of specific sites rather than widespread vulnerabilities.

Cybercriminals appear to design their campaigns first, then seek out trusted government domains to integrate into their phishing strategies. This method suggests a deliberate approach to maximize the effectiveness of their attacks.

Command-and-Control Use Cases

Beyond open redirects, some compromised government email addresses were used as C2 channels for malware such as Agent Tesla Keylogger and StormKitty. Cofense Intelligence identified two such cases, one in mid-2023 and one in early 2024.

While only a small number of email addresses were compromised in this way, the report underscores the need for ongoing vigilance in securing government digital infrastructure.

Mitigation Recommendations

To protect against such threats:

  • Government agencies should implement stricter validation processes to prevent open redirects
  • Organizations must regularly update and patch software vulnerabilities like CVE-2024-25608
  • Organizations and individuals should increase awareness and training to help mitigate risks associated with phishing campaigns
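The first recommendation, stricter validation of redirect targets, is concrete enough to show in code. Below is an added example (not code from the article, from Cofense, or from Liferay) contrasting a permissive redirect handler, which forwards users to whatever value it is given, with a hardened one that only accepts a same-site path or an https URL on an explicit allow-list. The function names, the allow-list hosts and the test values are assumptions constructed for illustration.

```python
"""Redirect-target validation: permissive handler beside a hardened one.

Added example (not from the article, Cofense, or Liferay).  Names and the
allow-list are assumptions for illustration.
"""
from urllib.parse import urlparse

DEFAULT_LANDING = "/"
# Assumed allow-list of external hosts this application may send users to.
ALLOWED_HOSTS = {"portal.example.gov", "services.example.gov"}


def permissive_redirect(target: str) -> str:
    """Open-redirect pattern: the Location header is whatever the request said."""
    return target


def safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_LANDING) -> str:
    """Return `target` only if it is a local path or an allow-listed https URL;
    otherwise fall back to `default`."""
    if not target:
        return default
    candidate = target.strip()
    # Backslashes and control characters enable browser-normalisation and
    # header-injection tricks; reject rather than try to sanitise.
    if "\\" in candidate or any(c in candidate for c in "\r\n\t"):
        return default
    parts = urlparse(candidate)
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept a single leading "/", never "//" (which
        # browsers treat as protocol-relative and therefore off-site).
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    # Absolute URL: https only, no userinfo ("@") tricks, host on the allow-list.
    if parts.scheme.lower() != "https":
        return default
    if "@" in parts.netloc:
        return default
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return default
    return candidate


def build_response(target: str, hardened: bool = True) -> dict:
    """Assemble the 302 response a handler would emit under each policy."""
    location = safe_redirect(target) if hardened else permissive_redirect(target)
    return {"status": 302, "Location": location}


if __name__ == "__main__":
    # Constructed inputs, including a same-site path and several off-site forms.
    for value in ["/account/home", "https://services.example.gov/forms",
                  "https://login-example.invalid/signin", "//login-example.invalid/",
                  "https://portal.example.gov@login-example.invalid/", "javascript:alert(1)"]:
        print(f"{value!r:55} permissive={permissive_redirect(value)!r:45} hardened={safe_redirect(value)!r}")
```

The design choice worth noting is that the hardened handler is an allow-list, not a deny-list: it never tries to enumerate bad prefixes, and any value it cannot positively classify as local or allow-listed collapses to the default landing page. Wrap your framework's redirect helper with a check of this shape so the policy is applied wherever user-controlled “return to” values are consumed.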

As cyber-threats continue to evolve, securing government websites against exploitation remains critical to protecting users from phishing attacks.