Criminals are abusing top-level government domains across multiple countries

Cofense report finds phishing threat actors abusing top-level domains (TLDs)
A significant number of .gov domains are used in open redirect attacks
Brazil is the leader in .gov domain abuse

Cybercriminals are exploiting legitimate government websites and domain services, particularly those with .gov top-level domains (TLD), experts have warned.

A report from cybersecurity experts Cofense Intelligence claims TLDs are being used for a wide variety of nefarious purposes, from credential phishing to command & control (C2) operations.

The paper states between November 2022 and November 2024, threat actors took advantage of vulnerabilities in .gov domains from over 20 countries.

Credential phishing

One of the things the domains are used for is open redirects, which became a key method for bypassing secure email gateways (SEGs).

Open redirects occur when a web application unintentionally allows a user-controlled input to direct traffic to an external site, which threat actors can manipulate. Using this tactic, attackers can redirect unsuspecting victims from legitimate .gov websites to fraudulent pages.

In the United States, .gov domains are among the most frequently exploited for these redirects, with more than 77% of attacks leveraging a specific vulnerability tied to the "noSuchEntryRedirect" parameter. This vulnerability, identified as CVE-2024-25608, impacts platforms like Liferay, widely used by governmental organizations. Although U.S.-based .gov domains made up only 9% of all .gov domains abused, they ranked third in overall usage.

Credential phishing remains the most common form of abuse tied to .gov domains, the paper explains. The majority of government domains used in phishing attacks hosted up to nine different files across various campaigns. These phishing attempts often mimic legitimate services such as Microsoft, with emails designed to appear as though they are sent from trusted sources.

The report also notes the abuse of .gov domains for credential phishing and redirection to malicious sites was seen across several countries. Brazil, in particular, stands out as the most targeted country, accounting for the bulk of abuse in .gov domains. However, a small number of domains within Brazil were responsible for the majority of these abuses, hinting that the attackers were focused on a handful of important government websites.

New domain names such as .shop and .xyz are proving popular for cybercrime | TechRadar
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.