Spammers start using short .gov URLs to trick their victims

Spammers start using short .gov URLs to trick their victims

Cybercriminals are increasingly using links in their spam campaigns to trick users into thinking the links lead to genuine US government Web sites. How are they pulling it off? It turns out this comes down to a simple loophole in links.

Here’s how short URLs are described by the US government:

Now, whenever anyone uses bitly to shorten a URL that ends in .gov or .mil, they will receive a short, trustworthy URL in return. To create a URL, simply go to, paste in a long .gov or .mil URL, and click shorten. There’s no need to log in.

As Symantec points out, however, spammers can use an open-redirect vulnerability to set up a URL which ends up taking the victim to a spam website. Therefore, something like…/Rxpfn9 takes you to[spam site] which then redirects you to the spam site in question.

From there, spammers can make the spam site look more legitimate by designing it to look like a government Web page. Any links included therein will of course lead to spam, or even worse, malware.

Since the Data Web page can let you know the number of clicks on a URL, Symantec could dig deeper into a recent spam campaign. The security company found that is a recent phenomenon: in the last week, over 43,049 clicks were made through shortened URLs to 10 spam domains. Unsurprisingly, most of them came from the US, according to the firm’s analysis:

In addition to volume, the data also provides some insight into the locations of the clicks. 36,664 of 43,049 spam clicks had a country code associated with them. There were 124 countries identified. The top four countries on a daily basis were the United States, Canada, Australia, and Great Britain. In aggregate, the United States made up the biggest slice with 61.7 percent of the clicks

This is a perfect example of why you should never blindly click on a link, even if it appears to be legitimate. If you can help it, only navigate to websites manually, and don’t click on links that are shared with you unless you absolutely know what they are.

Image credit: Martyn E. Jones

Read next: GitHub hit by DDoS attack second day in a row