The Blog

Senate, EPA, Treasury Websites Vulnerable to Phishing Scams

7:01 AM, Mar 10, 2014 • By JERYL BIER
Widget tooltip
Single Page Print Larger Text Smaller Text Alerts

The Senate's site is not the only government website vulnerable to this kind of exploitation.  A subdomain of the Treasury Department's website, publicdebt.treas.gov, has a similar problem.  While there is a more complete exit page provided, with a disclaimer ("You're going to a website that is not managed or controlled by the Bureau of the Public Debt. Its privacy policies may differ from ours."), the user is still bounced to the new site (again, using google.com as an example) with the apparent blessing of the Treasury:

A Google search suggests that this vulnerability does not exist simply in theory, but has been used either innocuously or maliciously already.  Here is a screenshot of a Google search as it existed on March 4:

Clicking on each of these links automatically transfers users, after eight seconds of the exit page, to a website not connected to or endorsed by the Bureau of the Public Debt of the Treasury Department, yet without a clear warning to indicate such.

Other vulnerable websites include biometrics.govfmcsa.dot.gov, and epa.gov.  Unvalidated redirects linked from these government websites include sites for pornography, weight-loss site, and even a Bible study.  Despite the obvious opening provided for phishing, no actual examples of linked phishing sites were found during the investigation for this story, although phishing attempts are often made via unsolicited mass emails.  In any case, David Kennedy of the information security company TrustedSec said that these unvalidated redirects are "definitely an exposure."

The House of Representatives is a good example of a government site that not only has a stronger disclaimer on its exit page, but disallows users from substituting a different web address in its exit URL.  For instance, Rep. Paul Ryan recently linked to a John McCormack piece at THE WEEKLY STANDARD.  The exit page informs users that they are leaving the House website, and users must manually click on the link before being redirected instead of the redirect happening automatically. Additionally, users are told that "Neither the House office whose site contains the above link, nor the U.S. House of Representatives is responsible for the content of the non-House site you are about to access."  Furthermore, an attempt to change the redirect address to a different site or page is met with a "File Not Found" error.

The unvalidated redirect exposure is an unsophisticated yet effective tool for scammers.  No hacking is required as the referring websites do not actually host any unauthorized pages, but the simplicity actually works to the advantage of potential scammers or those simply seeking to direct additional traffic to their websites.  On the upside, the simplicity also means a relatively simple fix at the affected websites.  But until more government websites follow the example of the House or the Centers for Medicare and Medicaid Services, the unvalidated redirect will remain a prime opportunity for marketers or scammers looking to trade on the authority and sense of security conferred by a connection to the federal government.

Recent Blog Posts

The Weekly Standard Archives

Browse 18 Years of the Weekly Standard

Old covers