The Commonwealth of Virginia took down two old websites on Friday after discovering hackers had gained administrative access and attempted to turn them into scam e-book stores. Dave Maass, a researcher at the Electronic Frontier Foundation who discovered the hack, said it’s the latest known instance of a fairly common grift in which bad actors use the cover of legitimate-looking government websites for nefarious purposes.
According to Motherboard, which reported the news first, the hacked subdomains were vwn.virginia.gov and crc.virginia.gov, which were built in 2007 and 2009, respectively. The scam’s exact blueprint remains unclear but security researchers have speculated that the stores may have been placeholders before malware could be deployed or that hackers were attempting to use e-books as bait to gather users’ payment information.
“Welcome to your friendly neighborhood library. We have more than 50,000 free ebooks waiting to be discovered,” one of the website’s storefronts read. “Join 150,000+ fellow readers. Get free and discounted bestsellers straight to your inbox with the ManyBooks eBook deals newsletter.”
Maass speculated that those subdomains were likely spotted by a bot searching for outdated Nginx web server software.
“In the same way that government agencies often get ransomware attacks, it may not be because they’re the government, but because there is an exploit on the system that they’re using,” Maass told StateScoop.
Neither the Virginia Information Technology Agency nor Gov. Ralph Northam’s office responded to requests for more information on plans to remediate the vulnerability. According to Motherboard, VITA will conduct an audit of the Virginia.gov domain to ensure it is not responsible for any other compromised websites.
But the problem isn’t limited to Virginia, Maass said. Beyond exploiting a software vulnerability, potential hackers can easily launch their own .gov domains by faking their personal identities during the application process, which is managed by the General Services Administration.
In a similar intrusion in 2018, hackers exploited a vulnerability in the software behind Amberalert.gov to redirect users to pornographic websites. Maass said there are likely other similar cases that go unnoticed every day because government agencies aren’t as motivated to patch outdated software as profit-driven organizations in the private sector. And because .gov domains appear legitimate, they’re a desirable target for phishing scammers, he added.
“It’s probably a very valuable target because if you were to be using phishing links, being able to use a .gov link would lend a lot of authenticity to your sketchy URL,” Maass said. “If you got on Google and spent a little bit of time messing with particular search terms in the .gov subdomain, and you had time to do it, you’d probably find a whole bunch more.”