You Can’t Always Trust a Dot-Gov Domain



It may be easier than one thinks to register a dot-gov domain, according to KrebsOnSecurity. People have tended to regard URLs under the .gov top-level domain as generally reliable, but that assumption may need to change.

KrebsOnSecurity says it “received an email from a researcher who said he got a .gov domain simply by filling out and emailing an online form, grabbing some letterhead off the homepage of a small U.S. town that only has a ‘.us’ domain name, and impersonating the town’s mayor in the application.” The US General Services Administration (GSA), which manages .gov registrations, granted the researcher the domain he asked for. The researcher chose Exeter, Rhode Island, for the “thought experiment,” and it appears that GSA did not contact the town to verify that the request had actually come from it until some days after KrebsOnSecurity informed GSA that it might have a problem.

We are accustomed to seeing government offices and agencies impersonated with a plausible name under a dot-com top-level domain. A famous example from years ago was whitehouse dot com, which led to an adult site and not to the President of the United States, whose domain is of course whitehouse dot gov. The giveaway in that case was the dot-com top-level domain. But the experiment KrebsOnSecurity reports suggests that it may be disturbingly easy to obtain a legitimate-looking dot-gov domain in someone else’s name: at the time of the posting, houston.gov, losangeles.gov, newyorkcity.gov, and philadelphia.gov all appeared to be unregistered.

Both GSA and the Cybersecurity and Infrastructure Security Agency (CISA) are investigating and looking into ways of tightening .gov registration. We urge everyone not to attempt this kind of experiment on their own, since it amounts to wire fraud, but the incident should open our eyes to fresh possibilities for social engineering: a .gov address, on its own, is not proof that a sender is who they claim to be. As fraudsters advance in cunning and ingenuity, new-school security awareness training becomes even more important to arm your employees with the healthy skepticism every organization needs to stay safe.

KrebsOnSecurity has the story: https://krebsonsecurity.com/2019/11/its-way-too-easy-to-get-a-gov-domain-name/


Discover dangerous look-alike domains that could be used against you!

Our Domain Doppelgänger tool makes it easy for you to identify your potential “evil domain twins” and combines the search, discovery, reporting, and risk indicators, so you can take action now.

Better yet, with these results you can now generate an online assessment test to see what your users are able to recognize as “safe” domains for your organization. You then receive a summary of the test results to understand how security-aware your users are when it comes to identifying potentially fraudulent or phishy domains.

With Domain Doppelgänger, you can:

  • Search for existing and potential look-alike domains
  • Get a report with aggregated results that includes risk indicators, and
  • Generate an online “domain safety” quiz based on the results to administer to your end users
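For readers who want to see what “potential look-alike domains” means in practice, here is an added example of an offline candidate generator. It is not KnowBe4’s Domain Doppelgänger code and not part of the Krebs story; the permutation families (TLD swap, character omission, transposition, repetition, ASCII homoglyph substitution, hyphenation) are the usual typosquatting classes, the homoglyph table and the list of alternative TLDs are assumptions chosen for illustration, and the sample input `exeter.gov` is a constructed value, not a claim about any real registration.

```python
"""Generate look-alike ("doppelganger") candidates for a domain, offline.

Added example, not KnowBe4's Domain Doppelganger code. The sample
domain 'exeter.gov' is a constructed input; the candidate list says
nothing about what is actually registered.
"""

# Constructed homoglyph table: ASCII-only confusables that survive in a URL bar.
HOMOGLYPHS = {
    "l": ["1", "i"],
    "i": ["l", "1"],
    "o": ["0"],
    "0": ["o"],
    "e": ["3"],
    "a": ["4"],
    "m": ["rn"],
    "w": ["vv"],
    "s": ["5"],
}

# Assumption: the TLDs a .gov/.us organization would want to watch.
ALT_TLDS = ["gov", "us", "com", "org", "net", "co"]


def split_domain(fqdn):
    """Return (label, tld) for a two-part domain such as 'exeter.gov'."""
    fqdn = fqdn.strip().lower().rstrip(".")
    label, _, tld = fqdn.rpartition(".")
    if not label or not tld:
        raise ValueError(f"expected label.tld, got {fqdn!r}")
    return label, tld


def tld_swaps(label, tld):
    """Same label, different top-level domain (exeter.gov -> exeter.com)."""
    return {f"{label}.{t}" for t in ALT_TLDS if t != tld}


def omissions(label, tld):
    """Drop one character (exeter -> exter)."""
    if len(label) < 2:
        return set()
    return {f"{label[:i] + label[i + 1:]}.{tld}" for i in range(len(label))}


def transpositions(label, tld):
    """Swap two adjacent, differing characters (exeter -> xeeter)."""
    out = set()
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
            out.add(f"{swapped}.{tld}")
    return out


def repetitions(label, tld):
    """Double one character (exeter -> exeeter)."""
    return {f"{label[:i + 1] + label[i] + label[i + 1:]}.{tld}" for i in range(len(label))}


def homoglyphs(label, tld):
    """Substitute one confusable character at a time (exeter -> 3xeter)."""
    out = set()
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(f"{label[:i] + sub + label[i + 1:]}.{tld}")
    return out


def hyphenations(label, tld):
    """Insert a hyphen between two characters (exeter -> ex-eter)."""
    return {f"{label[:i]}-{label[i:]}.{tld}" for i in range(1, len(label))}


FAMILIES = {
    "tld-swap": tld_swaps,
    "omission": omissions,
    "transposition": transpositions,
    "repetition": repetitions,
    "homoglyph": homoglyphs,
    "hyphenation": hyphenations,
}


def lookalikes(fqdn):
    """Return sorted (family, candidate) pairs; the input itself is never listed."""
    label, tld = split_domain(fqdn)
    normalized = f"{label}.{tld}"
    results = set()
    for family, generate in FAMILIES.items():
        for candidate in generate(label, tld):
            if candidate != normalized:
                results.add((family, candidate))
    return sorted(results)


if __name__ == "__main__":
    # Constructed input; a real run would feed each candidate to WHOIS/DNS checks.
    for family, candidate in lookalikes("exeter.gov"):
        print(f"{family:14} {candidate}")
```

Each candidate is only a string; deciding whether it is registered, resolving, or serving a login page is a separate step that needs WHOIS or DNS lookups, and unregistered candidates are the ones worth defensively registering or watching.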

This is a complimentary tool and will take only a few minutes.

Domain Doppelgänger helps you find the threat before it is used against you.

Find your look-alike domains here:
https://www.knowbe4.com/domain-doppelganger
