Some U.S. Government Websites Vulnerable to Spammy Redirects

Spammers take advantage of job-seekers desperate for work.

Not government sanctioned.

Many Americans may instinctively believe there’s little risk in visiting any site that ends with .gov. It’s the government–their sites are secure, right? Apparently not.

Sign Up For Our Daily Newsletter

By clicking submit, you agree to our <a href="">terms of service</a> and acknowledge we may use your information to send you emails, product samples, and promotions on this website and other properties. You can opt out anytime.

See all of our newsletters

Sophos’s NakedSecurity blog reports that spammers have discovered many U.S. sites are vulnerable to a simple exploit that sends the unwary to fake “work-at-home” websites.

The culprit is sloppy coding, which permits something called an open redirect. NakedSecurity demonstrated the ease with which a spammer can construct an open redirect:

In the following example, the link ends up at Naked Security:

In that example, just looking at the link means it’s easy to tell that you are going to end up at Naked Security. But what if you shortened the link with a URL-shortener such as

Then you can provide a link which looks like

It’s not so easy to tell that it’s going to end up at Naked Security now, is it?

No, it is not.

Spammers use this exploit to send the unwitting to ludicrous sites claiming to offer opportunities to work from home and earn as much as “$7,000 a month, part-time!”

NakedSecurity reports that the Americans targeted in this con are “the most likely” to fall for it.

Though this spam attack is relatively new, some URL shrinking services like are already warning users away from the spam sites.

Researchers haven’t detected malware associated with the fake work-at-home con yet, but as it continues to draw people who are desperate to believe such an opportunity is real, it’s only a matter of time before the exploit doubles down and starts conscripting computers into some zombie horde of botnets or begins stealing vital personal and financial information.

The usual advice about remaining skeptical of unsolicited emails applies here as well, especially if they have attachments. Also, don’t trust anything just because the government appears to be involved.

Some U.S. Government Websites Vulnerable to Spammy Redirects