At first glance, a page on the Health and Human Services (HHS) website appears to give that agency's official advice on "The Health Benefits of Nootropics," a class of purportedly memory-enhancing drugs. The page is found on the website's subdomain for the Assistant Secretary for Planning and Evaluation (ASPE), as part of the Health System Measurement Project. The page carries the official HHS logo, the host in the URL ends in the legitimate "hhs.gov" domain, and the "https://" indicates the connection is encrypted. None of those signals says anything about who wrote the content: the domain name and the certificate only prove that the page was served by that site, not that the agency authored or reviewed it. Further down the page there is even a link to a website selling related products. A partial screenshot of the profile page at HHS.gov appears as follows:
Similar pages on the site offer information and advice on shampoo, surgery, and health issues suffered by computer users. But despite all of these apparently reassuring elements, Health and Human Services had nothing to do with the creation or content of these pages, and does not recommend or endorse either the information or the linked products.
Nevertheless, while the pages are not official HHS information, neither are they technically cases of hacking. Rather, their creators have exploited a weakness in the "open data" platform used by dozens of government websites. The platform was developed by a company called Socrata. It allows users to create profiles and then manipulate the data tables that various governments (federal, state, local) host on their websites; the results can be shared with others for statistical analysis, research, and other purposes, as some users have done. But in cases like the ones above, the profile page itself is used to promote a product or a message in a way that gives viewers the impression that the host government entity approves of or even endorses it. Because the profile is served from the government's own domain, a legitimate-looking link to it could be included in an email to direct recipients to what they may easily perceive as government-provided information.
We first reported this vulnerability in January when some Internet marketers had created profiles at data.healthcare.gov, the federal government's Obamacare website. At the time, David Kennedy, the CEO of TrustedSec, an information security firm, remarked that the opening could allow scammers to fool users with a "website that's legitimate to make them believe it's something else," and that "an attacker can basically create a functioning website and host any content they want there and under the umbrella of healthcare.gov." Within a day after the story ran, Healthcare.gov disabled public access to profiles created for its data site.
Such profiles are especially effective lures because they carry no disclaimer that the government entity does not endorse the content, and clicking the links produces no "you are now leaving this website for an external site" warning, a common safeguard on government sites.
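The two gaps described above, a user-created page that is served from a trusted domain and an outbound link with no exit warning, are exactly what a mail gateway or a link-screening tool should flag. The following is an added example written for this page, not code from the article, from Socrata, or from HHS. It assumes that the portal renders user profiles under a "/profile/" path prefix (an assumption about URL layout, not something the article states), and every link in it is constructed for the example. The path is normalised before the prefix check so that a crafted "/data/../profile/..." link, which a server would route to the profile page, is not misclassified as first-party content.

```python
"""Screen links the way a cautious reader (or a mail gateway) should.

A link that stays on a trusted host but lands on a user-profile path is not
first-party content; a link that leaves the host deserves an exit warning.
Added example for this page; the "/profile/" prefix is an assumption.
"""
import posixpath
from urllib.parse import urlparse

# Constructed for this example: registrable domains the reader trusts, and the
# path prefixes under which the portal is assumed to render user-created pages.
TRUSTED_DOMAINS = {"hhs.gov", "healthcare.gov"}
USER_CONTENT_PREFIXES = ("/profile/",)  # assumption, see lead-in

NOTES = {
    "trusted": "first-party page on a trusted domain",
    "user_content": "user-created page on a trusted domain: not an official statement",
    "external": "leaves the trusted domain: show an exit warning",
    "invalid": "not an http(s) link: do not follow",
}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname ('aspe.hhs.gov' -> 'hhs.gov').

    Adequate for .gov; a production tool would consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(href: str) -> str:
    """Return 'trusted', 'user_content', 'external' or 'invalid' for a link."""
    parts = urlparse(href.strip())
    # urlparse.hostname already strips userinfo and port and lowercases, so
    # 'https://aspe.hhs.gov@evil.example/' resolves to evil.example here.
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return "invalid"
    if registrable_domain(parts.hostname) not in TRUSTED_DOMAINS:
        return "external"
    # Normalise the path as a server would before routing: collapse repeated
    # leading slashes, resolve '.' and '..', then compare case-insensitively.
    path = "/" + (parts.path or "").lstrip("/")
    path = posixpath.normpath(path).lower()
    if not path.endswith("/"):
        path += "/"
    if path.startswith(USER_CONTENT_PREFIXES):
        return "user_content"
    return "trusted"


def screen_links(hrefs):
    """Return (href, category, note) for each link, for display or logging."""
    out = []
    for href in hrefs:
        category = classify_link(href)
        out.append((href, category, NOTES[category]))
    return out


# Constructed sample links; the hosts are the article's, the paths are made up.
SAMPLE_LINKS = [
    "https://aspe.hhs.gov/profile/example-user/xxxx-xxxx",
    "https://aspe.hhs.gov/data/../profile/example-user/xxxx-xxxx",
    "https://aspe.hhs.gov/about",
    "https://aspe.hhs.gov@supplements.example/landing",
    "https://hhs.gov.example.net/",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for href, category, note in screen_links(SAMPLE_LINKS):
        print(f"{category:13s} {href}\n{'':13s} {note}")
```

The "user_content" category is the one the article's examples fall into: the link really does go to hhs.gov, so a domain-only check passes it, and only the path tells you that the agency never wrote the page. An exit interstitial, the warning the article notes is missing, is what a site would attach to everything the function labels "external".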