Scammers published hacking service ads on US government websites

It’s no secret that over the past few years, threat actors have been ramping up their efforts to scam people of their hard-earned money and gain unauthorized access. However, according to a new report from cybersecurity researchers at Citizen Lab, scammers are now using PDF files to promote their online hacking services on various US government agency websites, including those of California, North Carolina, and New Hampshire, as well as on prominent university websites like UC Berkeley, Stanford, and Yale.

As per the report, the PDF files advertise a range of illicit services, including hacking into social media accounts like Instagram and Facebook, providing cheats for computer games, and generating fake followers. Moreover, these threat actors carefully crafted the PDFs to make the advertised services appear safe and legitimate. However, further investigation revealed that these hacks were fake, with the main objective being to attract users to compromised websites and delay them using a fake CAPTCHA mechanism, ultimately allowing the threat actors to profit.

How were the scammers able to advertise on government websites?

Interestingly, instead of directly hacking the websites, scammers took advantage of security vulnerabilities and misconfigurations in the content management systems (CMS) and other services used by the compromised websites to upload these PDFs. As a result, they were able to disguise their uploads as legitimate content.

“They show up when you have misconfigured services, unpatched CMS [content management system] bugs, and other security problems,” said senior researcher Scott-Railton.

Fortunately, the immediate damage from this campaign appears to be minimal, and the Cybersecurity and Infrastructure Security Agency (CISA) is actively collaborating with the affected entities and providing assistance to address the compromises. However, this incident raises serious concerns about security vulnerabilities within government and educational institutions. This is because people generally trust government websites, so if hackers had other nefarious intentions, the potential repercussions could have been massive. Therefore, organizations must remain vigilant, regularly patch and update their systems, and implement stringent security measures to protect against emerging threats.