
U.S. Government Websites Abused in Ongoing Spam Campaign



The Dell SecureWorks Counter Threat Unit™ (CTU) research team has become aware of an ongoing spam campaign abusing various .gov web properties to lure recipients to a home business scam. As part of the campaign, victims receive nonsensical emails with a link to one of several URL shorteners. The attackers use short links in many of the emails, though other shortening services and websites have been used in the same way.


The short URL service is run by the U.S. government, in partnership with When users submit a long URL to bitly that resides on a .gov or .mil top-level domain (TLD), they are given short links that use the domain rather than the bitly domain. This distinction is intended to make it "even easier for people to know when a short URL will direct them to a trustworthy official U.S. government site" [1]. However, malicious actors can abuse URL shorteners in combination with other attack techniques to direct users to malicious websites.

Many of the email messages involved in the ongoing spam campaign include links to short URLs. Evidence suggests that each short link is used in only a small number of messages before a new short link is created. This rotation limits the effectiveness of blacklisting or disabling any particular link.

Figure 1. Sample spam message. (Source: Dell SecureWorks)

The short links expand to long links, which abuse open redirects on a number of .gov properties. CTU research indicates that the attackers are not targeting .gov sites specifically, but rather are looking for servers that expose a vulnerable version of DotNetNuke's LinkClick.aspx. By exploiting an open-redirect vulnerability in this .aspx file, the attacker can direct traffic to a site under their control while exposing only a short link in the initial message.

Figure 2. Example of open redirect use. (Source: Dell SecureWorks)
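As an added illustration of the defect class described above (this is not DotNetNuke's code, nor any URL from the campaign), the following models a redirect handler that forwards wherever it is told beside a hardened version that only allows same-host destinations, and applies the hardened check to constructed web-server log lines to flag LinkClick.aspx requests whose target leaves the site. The host name `example.gov` and the parameter name `link` are assumptions for the illustration.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, urljoin, parse_qs

SITE_HOST = "example.gov"   # hypothetical host standing in for an affected .gov server
REDIRECT_PARAM = "link"     # hypothetical name of the query parameter carrying the target

def unsafe_redirect_target(link: str) -> str:
    """Models the open redirect: the handler forwards to whatever destination it is handed."""
    return link

def safe_redirect_target(link: str, site_host: str = SITE_HOST) -> Optional[str]:
    """Returns an absolute same-host URL, or None when the destination would leave the site."""
    candidate = link.replace("\\", "/")   # "/\evil.net" is parsed like "//evil.net" by some agents
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return None                       # javascript:, data: and similar schemes
    try:
        if parts.netloc and (parts.hostname != site_host or parts.username
                             or parts.port not in (None, 80, 443)):
            return None                   # external host, userinfo trick, or unexpected port
    except ValueError:
        return None                       # malformed port
    resolved = urljoin(f"https://{site_host}/", candidate)
    return resolved if urlsplit(resolved).hostname == site_host else None

LOG_LINE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')

def offsite_redirects(log_lines, site_host: str = SITE_HOST):
    """Detection: returns the targets of LinkClick.aspx requests whose redirect parameter points off-site."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m or "linkclick.aspx" not in m.group("path").lower():
            continue
        targets = parse_qs(urlsplit(m.group("path")).query).get(REDIRECT_PARAM, [])
        hits.extend(t for t in targets if safe_redirect_target(t, site_host) is None)
    return hits

# Constructed sample access-log lines (not from the campaign); only the second should be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Oct/2012:10:01:02 +0000] "GET /LinkClick.aspx?link=/Portals/0/report.pdf HTTP/1.1" 302 -',
    '198.51.100.7 - - [12/Oct/2012:10:01:09 +0000] "GET /LinkClick.aspx?link=http://scam.example.net/cnbc HTTP/1.1" 302 -',
    '198.51.100.7 - - [12/Oct/2012:10:01:15 +0000] "GET /index.aspx HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    print(offsite_redirects(SAMPLE_LOG))   # ['http://scam.example.net/cnbc']
```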

Figure 3 shows the domains hosting open redirects that have been abused as of the time of this publication.

Figure 3. Number of injected sites abusing each .gov redirector. (Source: Dell SecureWorks)

Because provides real-time and historical logs of its click data [2], CTU researchers were able to effectively monitor the number of clicks, as well as the HTTP referer and victim User-Agent. The data suggests that email spam is the primary method for distributing the short links.

Overall use of open redirects on .gov websites has significantly increased since October 1, 2012, with destinations in the .net TLD accounting for the vast majority of instances (see Figure 4).

Figure 4. Usage of open redirects by TLD of landing page. (Source: Dell SecureWorks)

After victims are redirected through both the short link and the vulnerable .gov site, they are directed to one of the domains used in the scam. The following domains are being used at the time of this publication:


All of these domains resolve to a small number of IPs:

  • is registered to, located in Moscow, Russia
  • is registered to InMotion Hosting Inc, located in the U.S.

The malicious websites are designed to look like a CNBC news article (see Figure 5). Much of the page content is from legitimate servers.

Figure 5. Fake CNBC news article. (Source: Dell SecureWorks)

Several links on the website direct to another scam website, This website is hosted on, registered to Ecatel LTD in Amsterdam, Netherlands.

Figure 6. scam site. (Source: Dell SecureWorks)

Despite the relatively unsophisticated lure, the click-through rate for the short links has been significant (see Figure 7).

Figure 7. Number of clicks to top landing domains between October 12 and October 16, 2012. (Source: Dell SecureWorks)

While it seems the perpetrators are not targeting .gov sites specifically and are not using the government as a lure, the ability to generate short .gov links that lead users to malicious domains is concerning. If combined with a government-focused message, such as the common tax season phishing emails [3], this spam could lure even savvy users. Using open .gov redirects in phishing scams has precedent [4], and the availability of short links can be leveraged to make URLs look less suspicious.


Users should exercise caution when dealing with unsolicited emails, especially if they include short links. To preview the short link page and see information such as the long URL, users can copy and paste the short link into the address bar of a browser window and append the "+" character. For example, becomes If the short link contains a "?", this character and anything following it must be removed before appending the "+". The long URL can then be inspected for any signs of redirection.

Figure 8. Preview of malicious short link. (Source: Dell SecureWorks)
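The preview procedure and the follow-up inspection of the long URL, as an added example that is not part of the original post: `preview_url` applies the "+" rule including the "?" edge case, and `embedded_destinations` lists query parameters whose values are themselves absolute URLs, the sign of redirection a user would look for in the expanded link. The hostnames `sh.example`, `www.example.gov` and `scam.example.net` are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qsl

def preview_url(short_link: str) -> str:
    """Builds the '+' preview URL: drop a '?' and everything after it, then append '+'."""
    base = short_link.split("?", 1)[0]
    return base.rstrip("+") + "+"

def embedded_destinations(long_url: str):
    """Returns (parameter, host) for every query value that is itself an absolute URL."""
    found = []
    for name, value in parse_qsl(urlsplit(long_url).query, keep_blank_values=True):
        inner = urlsplit(value.replace("\\", "/"))   # treat "/\host" like "//host"
        if inner.netloc:                             # absolute or protocol-relative URL inside the value
            found.append((name, inner.hostname or ""))
    return found

def leaves_site(long_url: str) -> bool:
    """True when the expanded URL carries a redirect target on a different host than the one serving it."""
    host = urlsplit(long_url).hostname
    return any(dest and dest != host for _, dest in embedded_destinations(long_url))

# Constructed examples (placeholder hosts, not the campaign's URLs).
SHORT = "https://sh.example/AbC123?x=1"
LONG = "http://www.example.gov/LinkClick.aspx?link=http://scam.example.net/article&tabid=1"

if __name__ == "__main__":
    print(preview_url(SHORT))              # https://sh.example/AbC123+
    print(embedded_destinations(LONG))     # [('link', 'scam.example.net')]
    print(leaves_site(LONG))               # True
```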

Despite the best intentions, short links seem to be ineffective at ensuring the ultimate destinations of the URLs are trustworthy government websites.


[1] team. "Introducing URLs." March 9, 2011.

[2] " Data." October 12, 2012.

[3] Dell SecureWorks Counter Threat Unit research team. "Tax Season Presents Opportunities for Scammers." February 3, 2008.

[4] Miller, Rich. "Phishers Exploit Open Redirect on U.S. Government Site." December 1, 2005.
