Many Americans may instinctively believe there’s little risk in visiting any site that ends with .gov. It’s the government–their sites are secure, right? Apparently not.
Sophos’s NakedSecurity blog reports that spammers have discovered many U.S. sites are vulnerable to a simple exploit that sends the unwary to fake “work-at-home” websites.
The culprit is sloppy coding, which permits something called an open redirect. NakedSecurity demonstrated the ease with which a spammer can construct an open redirect:
In the following example, the link ends up at Naked Security:
http://labor.vermont.gov/LinkClick.aspx?link=http://nakedsecurity.sophos.com
In that example, just looking at the link means it’s easy to tell that you are going to end up at Naked Security. But what if you shortened the link with a URL-shortener such as bit.ly?
Then you can provide a link which looks like
http://1.usa.gov/OYCBM7
It’s not so easy to tell that it’s going to end up at Naked Security now, is it?
No, it is not.
Spammers use this exploit to send the unwitting to ludicrous sites claiming to offer opportunities to work from home and earn as much as “$7,000 a month, part-time!”
NakedSecurity reports that the Americans targeted in this con are “the most likely” to fall for it.
Though this spam attack is relatively new, some URL shrinking services like bit.ly are already warning users away from the spam sites.
Researchers haven’t detected malware associated with the fake work-at-home con yet, but as it continues to draw people who are desperate to believe such an opportunity is real, it’s only a matter of time before the exploit doubles down and starts conscripting computers into some zombie horde of botnets or begins stealing vital personal and financial information.
The usual advice about remaining skeptical of unsolicited emails applies here as well, especially if they have attachments. Also, don’t trust anything just because the government appears to be involved.