Cybercriminals Hijack Government Sites to Launch Phishing Attacks

Cybersecurity researchers have identified a persistent trend in which threat actors exploit vulnerabilities in government websites to further phishing campaigns.

Based on data spanning November 2022 through November 2024, malicious actors have misused numerous domains under .gov top-level domains (TLDs) across more than 20 countries.

Exploitation of Legitimate .Gov Domains

While .gov domains are generally trusted by users, this trust is being exploited to host phishing pages, redirect victims to malicious links, or even serve as command and control (C2) servers.

Open redirects, a class of vulnerability in which a web application forwards users to an attacker-controlled external destination, play a central role in these campaigns.

Exploited .gov domains are often embedded in phishing emails, allowing attackers to bypass secure email gateways (SEGs) that inherently trust government-linked domains.

Victims, unaware of the redirection, are lured into sharing sensitive credentials on phishing pages.
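The redirect weakness described above comes down to a handler that trusts a caller-supplied destination. The following is an added example (not code from the article, the Cofense report, or any Liferay product) showing the weak pattern next to a hardened check; the host name `portal.example.gov` and the function names are hypothetical.

```python
"""Open redirect: the weak pattern beside a hardened target check.

Added example, not from the article or the Cofense report. APP_HOST and the
handler names are hypothetical.
"""
from urllib.parse import urlsplit, urljoin

# Hypothetical host that the application legitimately serves.
APP_HOST = "portal.example.gov"


def weak_redirect_target(requested: str) -> str:
    """The vulnerable pattern: the value from the request is used verbatim
    as the Location header, so a link on the trusted host can send a victim
    anywhere the sender chooses."""
    return requested


def safe_redirect_target(requested: str, default: str = "/") -> str:
    """Accept a redirect target only if it stays on APP_HOST.

    Rejects the ways a target can escape to another origin: absolute URLs
    to other hosts, protocol-relative '//evil.example', backslash variants
    that browsers normalise to '/', userinfo tricks ('host@evil.example'),
    and non-http(s) schemes such as javascript:.
    """
    if not requested:
        return default
    # Judge the value as a browser would follow it: '\' behaves like '/'.
    candidate = requested.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default
    if parts.netloc:
        # Absolute or protocol-relative URL: only our own host is allowed.
        # .hostname strips userinfo and port, so 'APP_HOST@evil' is caught.
        if parts.hostname != APP_HOST:
            return default
        return candidate
    # Relative target: must be a single-slash, same-origin path.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    # Resolve against our own host so the result is unambiguous.
    resolved = urlsplit(urljoin(f"https://{APP_HOST}/", candidate))
    if resolved.hostname != APP_HOST:
        return default
    return resolved.path + (f"?{resolved.query}" if resolved.query else "")


if __name__ == "__main__":
    for target in ("https://evil.example/login", "//evil.example/x",
                   "/\\evil.example", "javascript:alert(1)",
                   "/account/settings?tab=security"):
        print(f"{target!r:40} -> {safe_redirect_target(target)!r}")
```

The allow-list approach (same host only, or a short list of known partner hosts) is the part that matters; a deny-list of known bad hosts cannot keep up with freshly registered phishing domains.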

Role of Liferay Platforms

A significant portion of the abuse arises from open redirect exploits linked to CVE-2024-25608, a vulnerability in the widely used Liferay digital experience platform.

Nearly 60% of observed phishing campaigns involving .gov domains carried a “noSuchEntryRedirect” path indicative of this specific exploit.

Liferay’s adoption across multiple governmental organizations may have contributed to this extensive abuse.

The vulnerability allows attackers to redirect users to credential phishing pages or intermediary sites.
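For a SOC, the practical question is how to spot these links in mail-gateway or proxy logs. The script below is an added example (not from the article or the Cofense report) that scans constructed log lines for URLs on .gov hosts and flags two signals: the "noSuchEntryRedirect" fragment the report associates with the Liferay exploit, and any query parameter whose value is an absolute or protocol-relative URL pointing off the .gov host. The log format, host names and URL layouts are constructed for illustration and do not reproduce the real exploit URL structure.

```python
"""Flag .gov URLs in log lines that show open-redirect abuse patterns.

Added example, not from the article or the Cofense report. The log format
and every URL in SAMPLE_LOG are constructed; the only indicator taken from
the reporting is the 'noSuchEntryRedirect' fragment.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Fragment the report associates with the Liferay open-redirect exploit.
LIFERAY_REDIRECT_MARKER = "noSuchEntryRedirect"

# Constructed sample: clicked-link records as a mail gateway might log them.
SAMPLE_LOG = """\
2024-11-02T09:14:03Z user=a.brown url=https://portal.example.gov/web/guest/home?noSuchEntryRedirect=https%3A%2F%2Flogin-verify.example%2Fms
2024-11-02T09:15:40Z user=c.diaz url=https://servicos.example.gov.br/c/portal/layout?redirect=//accounts-secure.example/auth
2024-11-02T09:16:12Z user=e.fox url=https://portal.example.gov/documents/annual-report.pdf
2024-11-02T09:17:55Z user=g.hale url=https://news.example.com/story?next=https://other.example/
"""

URL_RE = re.compile(r"url=(\S+)")


def _is_gov_host(host: str) -> bool:
    """True for hosts under the .gov TLD or a country-code .gov.<cc>."""
    labels = host.lower().split(".")
    return labels[-1] == "gov" or (len(labels) >= 3 and labels[-2] == "gov")


def _external_redirect_params(parts):
    """Return (param, target_host) pairs whose value is a URL that leaves
    the .gov host. Values are decoded a second time so double-encoded
    targets are still seen; backslashes are treated as slashes."""
    found = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        target = urlsplit(unquote(value).replace("\\", "/"))
        if target.netloc and target.hostname and target.hostname != parts.hostname:
            found.append((key, target.hostname))
    return found


def scan_log(log_text: str):
    """Return one finding per suspicious .gov URL in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        url = m.group(1)
        parts = urlsplit(url)
        if not parts.hostname or not _is_gov_host(parts.hostname):
            continue
        reasons = []
        # Check the whole URL: the fragment may sit in the path or the query.
        if LIFERAY_REDIRECT_MARKER.lower() in url.lower():
            reasons.append("liferay_redirect_marker")
        for key, host in _external_redirect_params(parts):
            reasons.append(f"external_redirect:{key}->{host}")
        if reasons:
            findings.append({"host": parts.hostname, "url": url, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["host"], finding["reasons"])
```

A plain .gov link with no redirect parameter (the PDF in the sample) produces no finding, which keeps the rule quiet on the ordinary government traffic a gateway sees all day; the two flagged lines are the ones worth a second look.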

Although such vulnerabilities are not exclusive to government websites, their presence underscores the importance of vigilance among web developers.

According to the Cofense report, governments and organizations must prioritize patch management and security auditing to mitigate risks stemming from outdated or unpatched software.

While .gov domains affiliated with the United States accounted for only 9% of all exploited domains, they remain the third most-targeted globally.

All observed cases of U.S.-specific .gov domain abuse involved open redirects, primarily linked to CVE-2024-25608.

Microsoft-themed phishing campaigns were particularly prominent, often featuring emails impersonating legitimate entities and bypassing widely used SEGs such as Microsoft ATP, Cisco IronPort, and Proofpoint.

Statistical analysis reveals that the majority of abuse originates from a small subset of government domains.

For example, Brazilian .gov domains emerged as the most exploited, but the misuse was concentrated in a limited number of unique domains.

This pattern was consistent across other countries, suggesting targeted exploitation rather than widespread vulnerability.

In addition to redirect-based abuse, some compromised .gov domain email addresses have been repurposed as C2 infrastructure for malware, such as Agent Tesla Keylogger and StormKitty.

Despite these incidents, the frequency remains low, highlighting that governments may be taking steps to safeguard email systems.

The exploitation of .gov domains for phishing underscores the broader challenge of securing trusted digital infrastructure.

With government websites serving as high-value targets, sustained monitoring, timely patching, and security awareness at the organizational level are critical to mitigating risks.

As threat actors continue to innovate, collaborative efforts in cybersecurity will play a pivotal role in defending against evolving threats.

Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
