Shortened '.Gov' Links Lead to Scam Sites
The ".gov" suffix that denotes URLs run by United States federal government agencies is more trusted than any ".com" or ".net" suffix will ever be, but maybe that shouldn't be the case.
The U.S. government's attempt to jump on the latest Internet trend of link wrapping — creating shorter URLs that redirect to the original page — has been marred by scammers, who've taken advantage of flawed code to redirect users to pages promoting get-rich-quick schemes.
Earlier this year, the federal government teamed up with link-wrapping site bitly.com to create 1.usa.gov, the government's very own link-shortener, which is similar to TinyURL and Twitter's own "t.co" domain.
Through these services, Internet users can take any long link and shorten it for use on Twitter or in another space where link length is important.
The drawback to wrapped links, though, is that they obscure what's on the other side. That's exactly what scammers are counting on: driving traffic to dubious sites by way of legitimate-looking links.
Between Oct. 12 and Oct. 18, more than 43,000 redirects were made to spam sites, accounting for more than 15 percent of all 1.usa.gov traffic. The problem lies with the practice of "open redirects," which diverts traffic to the new destination link without first validating the site's authenticity.
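The validation step that an open redirect skips, shown as an added example that is not code from the original article or from the 1.usa.gov service. It goes one step beyond the text by also flagging an allowed destination whose query string forwards to a host off the allowlist; the .gov/.mil allowlist and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption for this example: only these suffixes may be redirect targets.
ALLOWED_SUFFIXES = (".gov", ".mil")

def host_allowed(url):
    """True only for http(s) URLs whose host sits under an allowed suffix."""
    # Backslashes, whitespace and control characters are parsed differently by
    # browsers and libraries, so reject them instead of guessing.
    if any(c == "\\" or c.isspace() or ord(c) < 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False  # also rejects scheme-relative "//host/" targets
    # Userinfo ("https://trusted-name@other-host/") hides the real host.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    # The leading dot in each suffix forces a label boundary ("notgov" fails).
    return any(host.endswith(s) for s in ALLOWED_SUFFIXES)

def check_destination(url):
    """Return (ok, reason) for a URL a redirector is asked to forward to."""
    if not host_allowed(url):
        return False, "destination host not on allowlist"
    # An allowed site may itself be an open redirector: look for query values
    # (already percent-decoded by parse_qsl) that are absolute URLs pointing
    # somewhere not on the allowlist.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        v = value.strip()
        if v.lower().startswith(("http://", "https://", "//")):
            nested = "https:" + v if v.startswith("//") else v
            if not host_allowed(nested):
                return False, f"parameter {name!r} forwards off the allowlist"
    return True, "ok"
```

A redirector would call check_destination() before issuing the redirect and refuse, or show an interstitial page, when the first element of the result is False.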
Victims of this scam are taken to a page dressed as a news story about a mom earning a ridiculous amount of money for doing next-to-nothing at home, part-time. Sound familiar?
Using wrapped links to divert traffic to scam sites is nothing new, Symantec points out, but the new danger here is the use of state-sponsored domains in order to dupe victims and commit fraud.
This scam is successful, in part, because the criminals are using a top-level domain suffix that, until now, Internet users hadn't had a reason to mistrust.
Internet denizens should remain skeptical toward any link they're about to open or site they visit, no matter how trustworthy it may seem. Even links that appear to come from the government may not be real, and the same applies to links from friends and from other trusted organizations.
Online, identities are all but impossible to confirm, a fact that all too often results in headaches and heartbreak for victims.
Follow Ben on Twitter @benkwx.