Vermont .Gov Website Blamed for Spam
State Isn't Rushing to Disable Code that Allows Spamming
The head of Vermont's Department of Labor says the state isn't taking any immediate action to disable code in its computers that allowed spammers last week to send unwanted e-mails that appeared to come from the U.S. federal government and were sent to tens of thousands of consumers.
The federal government uses the URL shortening service bit.ly to create short URLs for .gov (federal, state and local civilian agencies) and .mil (military) web addresses. The shortened URLs use the 1.USA.gov domain extension, which appeared in the spam message. The 1.USA.gov URL is designed only to redirect users to .gov and .mil websites.
In most instances, governments disable what is called an open redirect, so that a redirect cannot send users to non-.gov or non-.mil addresses. However, Vermont did not disable the open redirect on its labor.vermont.gov site, which allowed spammers to exploit it, resulting in unsolicited e-mails being sent to unsuspecting consumers, Eric Park, an analyst with IT security provider Symantec, says in a blog posting.
New Website Seen Alleviating Problem
Vermont Labor Commissioner Annie Noonan, in a telephone interview, says the state is in the process of replacing the Labor Department's antiquated website, which could occur within weeks, and suggests the problem will vanish when the new website becomes active. Noonan says the state didn't take immediate action to disable the open redirect because no real damage - which she defines as the unauthorized release of confidential and/or personally identifiable information - occurred. "If there's a reason we need to pull it quicker, we can, but no one is advising that we have to do that," she says.
Noonan, who describes herself as "the biggest Luddite in the building," didn't directly answer the question why state IT security personnel didn't disable the open redirect code. She repeatedly referred to taking down the legacy labor.vermont.gov website as the way to remediate the problem. "You're asking me questions above my technical expertise," she says.
Over a seven-day period that ended Oct. 18, the spam received 43,049 clicks that took users to a work-at-home scam website designed to look like a financial news network site, says Symantec's Park, who identified the spam website as workforprofit.net. He also says nine other spam websites, all starting with the word consumer, were tied to the 1.USA.gov spam message. According to Park, on Oct. 18, 15 percent of all 1.USA.gov URL clicks took users to the spam websites.
A Worrisome Tactic
"While taking advantage of URL shorteners or an open-redirect vulnerability is not a new tactic, the fact that spammers can utilize a .gov service to make their own links is worrisome," Park says.
In a follow-up telephone interview, Park says he sees no business reason to have an open redirect enabled. Still, eliminating the open redirect won't stop spam, he says; in this case, though, the spam seemed more legitimate because of where it appeared to come from: the federal government.
"For recipients who don't have much knowledge, the (.gov address) has a little more credibility, it sounds more legitimate; it's not .com, .net or .biz," Park says. "It kind of created the perception that it's a little bit more legitimate than what it really is, and that's the problem."
And, he says, one that can be stopped by disabling open redirect.