Vermont .Gov Website Blamed for Spam

State Isn't Rushing to Disable Code that Allows Spamming

The head of Vermont's Department of Labor says the state isn't taking any immediate action to disable code on its website that allowed spammers last week to send unwanted e-mails, which appeared to come from the U.S. federal government, to tens of thousands of consumers.


The federal government uses a URL shortening service to create short links to .gov (federal, state and local civilian agencies) and .mil (military) web addresses. The shortened URLs carry the .gov domain extension, which is what appeared in the spam message. The service is designed only to redirect users to .gov and .mil websites.

In most instances, government sites disable what's called an open redirect, a page that forwards visitors to whatever address is passed to it, so that a link on a .gov site cannot be used to send people to addresses outside the .gov and .mil domains. Vermont, however, did not disable the open redirect on its site, and that allowed spammers to exploit it, resulting in unsolicited e-mails being sent to unsuspecting consumers, Eric Park, an analyst with IT security provider Symantec, says in a blog posting.
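The mechanism Park describes is a redirect endpoint that forwards to any address it is handed, so a shortened .gov link can end at a spam site. The following is an added example, not code from the article, from Symantec or from the State of Vermont: a redirect handler that forwards only to .gov and .mil hosts, shown beside the open-redirect behaviour it replaces. The allowlist rule is an assumption drawn from the article's statement that the shortener is meant to reach only .gov and .mil sites; the hosts, URLs and the fallback landing page are constructed for the example.

```python
"""
Added example, not code from the article, Symantec or the State of Vermont:
a redirect handler that only forwards to .gov/.mil hosts, shown beside the
open-redirect behaviour the article describes. Hosts and URLs are constructed.
"""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Assumption: the same destination rule the article gives for the shortener.
ALLOWED_TLDS = ("gov", "mil")
# Assumption: where a rejected request is sent instead (constructed host).
DEFAULT_LANDING = "https://www.example.gov/"


def open_redirect_target(url: str) -> str:
    """Weak behaviour: the 'url' parameter becomes the Location header as-is,
    so any link pointing at this endpoint is a .gov-hosted link to anywhere."""
    return url


def safe_redirect_target(url: str, fallback: str = DEFAULT_LANDING) -> str:
    """Return url only if it is an absolute http(s) URL whose host ends in an
    allowed TLD; otherwise return fallback.

    Deliberately rejects the usual bypasses:
      - scheme-relative '//evil.example' and non-http schemes
      - userinfo tricks such as 'https://good.gov@evil.example/'
      - look-alike hosts such as 'gov.evil.example' or 'good.gov.evil.example'
      - a '.gov' that only appears in the path, query or fragment
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return fallback
    if parts.username is not None or parts.password is not None:
        return fallback
    host = parts.hostname          # lower-cased, no port, no userinfo
    if not host:
        return fallback
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] not in ALLOWED_TLDS:
        return fallback
    return url


def classify(urls):
    """Map each candidate destination to True (forwarded) or False (blocked)."""
    return {u: safe_redirect_target(u) == u for u in urls}


# Constructed destinations a spammer or a legitimate agency might supply.
CANDIDATES = [
    "https://benefits.example.gov/claims",
    "http://recruiting.example.mil/",
    "https://EXAMPLE.GOV/",
    "https://example.gov:8443/login",
    "https://consumer-news.example/work-at-home",     # the spam case
    "https://example.gov@consumer-news.example/",     # userinfo trick
    "https://gov.consumer-news.example/",             # look-alike host
    "https://consumer-news.example/?next=www.example.gov",
    "//consumer-news.example/",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for url, ok in classify(CANDIDATES).items():
        print(("FORWARD " if ok else "BLOCK   ") + url)
```

The check works on the parsed host rather than on the raw string, which is what defeats the look-alike and userinfo variants; a substring test for ".gov" would pass most of the blocked entries above. Note that the allowlist is a suffix rule only, so a redirect to any other .gov or .mil site is still permitted, matching the shortener's own scope rather than the state's site alone.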

New Website Seen Alleviating Problem

Vermont Labor Commissioner Annie Noonan, in a telephone interview, says the state is in the process of replacing the Labor Department's antiquated website, which could occur within weeks, and suggests the problem will vanish when the new website becomes active. Noonan says the state didn't take immediate action to disable the open redirect because no real damage - which she defines as the unauthorized release of confidential and/or personally identifiable information - occurred. "If there's a reason we need to pull it quicker, we can, but no one is advising that we have to do that," she says.

Noonan, who describes herself as "the biggest Luddite in the building," didn't directly answer the question of why state IT security personnel didn't disable the open redirect code. She repeatedly referred to taking down the legacy website as the way to remediate the problem. "You're asking me questions above my technical expertise," she says.

Over a seven-day period ending Oct. 18, the spam links received 43,049 clicks that took users to a work-at-home scam website designed to look like a financial news network site, says Symantec's Park, who identified the spam website. He also says nine other spam websites, all starting with the word consumer, were tied to the spam message.

According to Park, on Oct. 18, 15 percent of all clicks on the shortening service's URLs took users to the spam websites.

A Worrisome Tactic

"While taking advantage of URL shorteners or an open-redirect vulnerability is not a new tactic, the fact that spammers can utilize a .gov service to make their own links is worrisome," Park says.

In a follow-up telephone interview, Park says he sees no business reason to have an open redirect enabled. Eliminating open redirects won't stop spam, he says, but in this case the spam seemed more legitimate because of where it appeared to come from: the federal government.

"For recipients who don't have much knowledge, the (.gov address) has a little more credibility, it sounds more legitimate; it's not .com, .net or .biz," Park says. "It kind of created the perception that it's a little bit more legitimate than what it really is, and that's the problem."

And that, he says, is a problem that can be stopped by disabling the open redirect.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.