Security glitch aids IRS phishers
Flaw in GovBenefits.gov domain exploited
IDG News Service - The U.S. Department of Labor said Wednesday it is working to fix a programming glitch in a U.S. government Web portal that makes it easier for phishers to trick people into disclosing sensitive information. The flaw was first exploited by phishers who earlier this week began sending out bogus e-mail messages asking for personal information, including social security and credit card numbers.
The bug lets these phishers redirect URLs that use the GovBenefits.gov domain to fraudulent Web sites that are unconnected with the U.S. government.
This redirecting flaw was first exploited just days ago by phishers masquerading as the Internal Revenue Service, said Graham Cluley, a senior technology consultant at Sophos PLC, a U.K. security firm that has been researching the matter.
"The people behind GovBenefits.gov have implemented their software in such a way that leaves the Web site vulnerable to a phishing attack," he said. The technique is particularly effective because the link that users click on is, in fact, a genuine GovBenefits.gov link, he added.
The fraudulent e-mail claims to require the sensitive information in order to process a tax refund, and claims to come from email@example.com, the IRS said.
The GovBenefits.gov Web site is used by 16 federal agencies, including the IRS, and is designed to help users determine their eligibility for government-funded benefit and assistance programs. It is maintained by the Department of Labor.
Though the site's redirect glitch is not common, Sophos has seen it before, usually made by programmers looking for a flexible way to move users around their Web sites, Cluley said. "It's a simple mistake to make, until you realize the consequences," he said. "They probably didn't see how it could be used."
The Department of Labor was working to fix the glitch yesterday, a spokeswoman said.
Meanwhile, the IRS published a statement yesterday, warning users of the scam. "What we want people to know is if you get an unsolicited e-mail that purports to be from the IRS and it's asking for personal information, that's bogus," said Eric Smith, an IRS spokesman. "We're not going to request that you provide this kind of information by e-mail."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts