Criminals are abusing top-level government domains across multiple countries


  • Cofense report finds phishing threat actors abusing top-level domains (TLDs)
  • A significant number of .gov domains are used in open redirect attacks
  • Brazil is the leader in .gov domain abuse

Cybercriminals are exploiting legitimate government websites and domain services, particularly those under .gov top-level domains (TLDs), experts have warned.

A report from cybersecurity experts Cofense Intelligence claims these domains are being used for a wide variety of nefarious purposes, from credential phishing to command and control (C2) operations.

The paper states that between November 2022 and November 2024, threat actors took advantage of vulnerabilities in .gov domains from over 20 countries.

Credential phishing

One use of these domains is open redirects, which have become a key method for bypassing secure email gateways (SEGs).

Open redirects occur when a web application unintentionally allows user-controlled input to send traffic to an external site, which threat actors can manipulate. Using this tactic, attackers redirect unsuspecting victims from legitimate .gov websites to fraudulent pages, while the link the victim (and the email filter) sees still points at the trusted domain.

In the United States, .gov domains are among the most frequently exploited for these redirects, with more than 77% of attacks leveraging a specific vulnerability tied to the "noSuchEntryRedirect" parameter. This vulnerability, identified as CVE-2024-25608, impacts platforms like Liferay, widely used by governmental organizations. Although U.S.-based .gov domains made up only 9% of all .gov domains abused, they ranked third in overall usage.
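As an added defender-side example (not from the Cofense report or this article), the following Python flags email links whose redirect parameter, including the Liferay noSuchEntryRedirect parameter named above, carries a target on a different host, and shows the server-side validation that closes the hole. The hosts and links are constructed placeholders, and the extra parameter names in REDIRECT_PARAMS are assumptions.

```python
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters that commonly carry a redirect target. 'noSuchEntryRedirect' is
# the Liferay parameter named in the article; the others are generic additions.
REDIRECT_PARAMS = {"noSuchEntryRedirect", "redirect", "url", "next", "returnUrl"}


def external_redirect_target(link: str) -> Optional[str]:
    """Return the off-host URL a trusted link would bounce to, or None.

    Open-redirect shape: a legitimate host whose query string carries an
    absolute (or protocol-relative '//host') URL pointing at another host."""
    parts = urlsplit(link)
    host = (parts.hostname or "").lower()
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in REDIRECT_PARAMS:
            continue
        for raw in values:
            target = unquote(raw)  # also unwraps a double-encoded target
            tparts = urlsplit(target)
            thost = (tparts.hostname or "").lower()
            absolute = tparts.scheme in ("http", "https") or target.startswith("//")
            if absolute and thost and thost != host:
                return target
    return None


def flag_links(links: list) -> list:
    """Scan links extracted from mail; return (link, external target) pairs."""
    return [(l, t) for l in links for t in [external_redirect_target(l)] if t]


def safe_redirect_path(target: str) -> str:
    """Mitigation for the redirecting host: accept only same-site relative paths;
    a scheme, a netloc, or a '//' or '/\\' prefix (browsers read the backslash
    as a slash) falls back to the site root."""
    tparts = urlsplit(target)
    if tparts.scheme or tparts.netloc or target.startswith(("//", "/\\")):
        return "/"
    return target if target.startswith("/") else "/" + target


# Constructed sample links (placeholder hosts), as extracted from email bodies.
SAMPLE_LINKS = [
    "https://portal.example.gov/c/portal/login?noSuchEntryRedirect=https%3A%2F%2Fattacker.example%2Flogin",
    "https://portal.example.gov/?redirect=//attacker.example/verify",
    "https://portal.example.gov/?redirect=https://portal.example.gov/home",
    "https://portal.example.gov/?redirect=/dashboard",
]
```

Only the first two sample links are flagged: the third bounces within the same host and the fourth is a relative path, which is exactly what safe_redirect_path would let through.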

Credential phishing remains the most common form of abuse tied to .gov domains, the paper explains. The majority of government domains used in phishing attacks hosted up to nine different files across various campaigns. These phishing attempts often mimic legitimate services such as Microsoft, with emails designed to appear as though they are sent from trusted sources.

The report also notes that the abuse of .gov domains for credential phishing and redirection to malicious sites was seen across several countries. Brazil, in particular, stands out as the most targeted country, accounting for the bulk of .gov domain abuse. However, a small number of Brazilian domains were responsible for the majority of these abuses, hinting that the attackers focused on a handful of important government websites.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
