Trend Micro researchers last week discovered yet another government web compromise — this time using a domain owned by the Republic of Mali government.
The attack strategy here is not even that notable, given that we continue to see websites of all kinds being compromised by cybercriminals for all sorts of malicious purposes.
The legitimate website, which uses the domain essor.gov.ml, normally looks like this:
Figure 1. Legitimate website.
Cybercriminals compromised the Mali website and, by creating an additional HTML page on a subdomain, were able to host the following PayPal phishing page:
Figure 2. Phishing website.
The phishers' motivation does not appear to be Mali users specifically, or luring them into keying in their credentials on the phishing page. The advantage for the phishers is the domain itself: hosting that costs them nothing, since the Mali government owns the domain and pays for it.
The bigger and more important implication of this threat is the continuing problem of government-owned pages with regard to security. The incident described above shows the relative ease with which criminals are able to compromise these sites for their own gain.
Online security may not be a priority for governments when they set up these pages, but incidents like this, and the possible future losses they foreshadow (think medical records and social security records), should be a warning to take website security seriously.
Users are warned to be careful of bogus and malicious pages, and to make sure that what is in the address bar is the right domain name for the site they are accessing. The malicious URL on the Mali website is meanwhile being blocked by the Trend Micro Smart Protection Network until the site is cleaned.
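The address-bar check above can be automated. The script below is an added example, not code from the original post or from Trend Micro: it extracts the registrable domain (eTLD+1) of a URL using a small embedded subset of the Public Suffix List, then flags URLs that mention a brand in the subdomain or path while the registrable domain is not one the brand actually owns. The sample URLs, the suffix subset and the brand table are constructed for the example; the `secure-login.essor.gov.ml` host is a made-up illustration of the pattern, not the real subdomain used in this incident.

```python
"""Heuristic check for brand-in-subdomain / brand-in-path phishing URLs.

Added example, not code from the original post. Everything below that looks
like real-world data (suffix list, brand table, sample URLs) is a constructed
subset for offline use; a deployment would load the full Public Suffix List.
"""
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List. Multi-label suffixes come first
# so that "gov.ml" is matched before the bare "ml" TLD.
PUBLIC_SUFFIXES = ("gov.ml", "co.uk", "com", "net", "org", "ml", "uk")

# Brand keyword -> registrable domains that legitimately serve that brand.
# Assumed table for this example; in practice keep it under change control.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
}


def registrable_domain(host: str) -> str:
    """Return the effective second-level domain (eTLD+1) of a host name.

    Falls back to the whole host when no known suffix matches, so an unknown
    TLD is never silently collapsed into a wrong registrable domain.
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for suffix in PUBLIC_SUFFIXES:
        suffix_labels = suffix.split(".")
        n = len(suffix_labels)
        if len(labels) > n and labels[-n:] == suffix_labels:
            return ".".join(labels[-n - 1:])
    return host


def classify(url: str) -> dict:
    """Flag a URL whose host or path mentions a brand its registrable domain does not own."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    etld1 = registrable_domain(host)
    # Look for the brand keyword anywhere a phisher can put it for free:
    # the subdomain labels and the path, never the registrable domain itself.
    haystack = (host + parts.path).lower()
    mentioned = [brand for brand in BRAND_DOMAINS if brand in haystack]
    impersonated = [b for b in mentioned if etld1 not in BRAND_DOMAINS[b]]
    return {
        "url": url,
        "host": host,
        "registrable_domain": etld1,
        "brands_mentioned": mentioned,
        "suspicious": bool(impersonated),
    }


# Constructed sample URLs: one genuine PayPal login, one brand-in-path page on
# a hypothetical subdomain of the Mali government domain, one brand-in-subdomain
# host under a two-label suffix, and the legitimate Mali site itself.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "http://secure-login.essor.gov.ml/paypal/webscr.html",
    "http://paypal.example.co.uk/",
    "https://essor.gov.ml/",
]


def run_samples() -> list:
    """Classify the constructed samples; returns the list of result dicts."""
    return [classify(u) for u in SAMPLE_URLS]


if __name__ == "__main__":
    for result in run_samples():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f'{flag:10} {result["registrable_domain"]:20} {result["url"]}')
```

The check deliberately ignores where the brand name sits in the registrable domain itself: a phisher cannot put "paypal" there without registering a domain, but can put it in a subdomain or path of any site they have compromised, which is exactly the trick this incident used.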