Recently, a series of cyberattacks has been carried out by criminals targeting official websites of U.S. state, county, and local governments, federal agencies, universities, and various organizations. These cybercriminals have adopted deceptive tactics by publishing misleading advertisements that promote hacking services. To accomplish this, they uploaded PDF files containing these fraudulent ads onto official .gov websites. Among the affected state governments are California, North Carolina, New Hampshire, Ohio, Washington, and Wyoming. Additionally, the scam ads were found on websites belonging to St. Louis County in Minnesota, Franklin County in Ohio, Sussex County in Delaware, the town of Johns Creek in Georgia, and the federal Administration for Community Living.
Numerous universities were also targeted in this campaign, including UC Berkeley, Stanford, Yale, UC San Diego, University of Virginia, UC San Francisco, University of Colorado Denver, Metropolitan Community College, University of Washington, University of Pennsylvania, University of Texas Southwestern, Jackson State University, Hillsdale College, United Nations University, Lehigh University, Community Colleges of Spokane, Empire State University, Smithsonian Institution, Oregon State University, University of Buckingham in the U.K., and Universidad Del Norte in Colombia.
In addition to government and educational websites, the cybercriminals also victimized Spain's Red Cross, defense contractor Rockwell Collins (a subsidiary of Raytheon), and an Ireland-based tourism company.
The PDFs themselves contained links to various websites advertising hacking services, ranging from hacking Instagram, Facebook, and Snapchat accounts to cheating in video games and creating fake followers. It is worth noting that some of these PDFs seemed to have been available online for several years based on their dates.
The discovery of these deceptive advertisements was made by John Scott-Railton, a senior researcher at Citizen Lab. While it remains uncertain if the listed websites represent a comprehensive list of the affected entities, the similarities among the ads suggest that they may originate from the same group or individual.
The Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged the compromises and has begun collaborating with the affected entities to offer assistance and support in addressing the situation.
During an investigation of the advertised websites, GreyJournal discovered evidence suggesting that the cybercriminals were involved in click-fraud schemes aimed at generating illicit profits. These individuals utilized open-source tools to create deceptive popups that validated human visitors, while surreptitiously generating revenue in the background. Although one website displayed purported victim profiles, the advertised hacking services were likely fraudulent.
Representatives from the town of Johns Creek in Georgia, the University of Washington, and Community Colleges of Spokane confirmed that the issue was related to a content management system (CMS) called Kentico CMS. However, other victims, such as the California Department of Fish and Wildlife and the University of Buckingham, encountered similar techniques without explicitly mentioning Kentico.
It is important to note that the affected websites were not necessarily breached; rather, vulnerabilities in online forms or CMS software were abused to upload the PDFs. Prompt action was taken to resolve these vulnerabilities, and the malicious documents have since been removed.
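Because the documents in this campaign were ordinary PDFs whose only payload was outbound links, a site operator can triage a web root for them by extracting link annotations and flagging any that point off the organization's own domains. The script below is an added example written for this article, not code from Citizen Lab, CISA, Kentico or any affected site; the sample PDF bytes and the domain names in it are constructed for illustration. It works on uncompressed PDF objects only (PDFs with Flate-compressed object streams would need a full parser such as pypdf first).

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample: a minimal uncompressed PDF with two /Link annotations,
# one to the site's own domain and one to an off-site "hacking service" page.
# Domains are illustrative placeholders, not real hosts from the article.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.example.gov/forms/help) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://hack-services.example/instagram) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Matches the literal-string form of a URI action: /URI (http://...)
# Hex-string URIs (/URI <...>) and compressed streams are out of scope here.
URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.DOTALL)


def is_pdf(data):
    """Cheap magic-byte check so non-PDF uploads are not mis-triaged."""
    return data.startswith(b"%PDF-")


def extract_uris(data):
    """Return every URI action target found in the raw PDF bytes, in order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def _host_is_trusted(host, trusted_domains):
    """True if host equals a trusted domain or is a subdomain of one."""
    if not host:
        return False
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def find_external_links(data, trusted_domains):
    """URIs whose host is outside the allowlisted domains (candidate spam links)."""
    trusted = {d.lower() for d in trusted_domains}
    return [
        uri for uri in extract_uris(data)
        if not _host_is_trusted(urlparse(uri).hostname, trusted)
    ]


def scan_directory(root, trusted_domains):
    """Walk a web root and map each PDF path to its off-domain links.

    Only PDFs with at least one external link are reported, so the output is a
    short review list rather than a dump of every document on the site.
    """
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if not is_pdf(data):
                continue
            external = find_external_links(data, trusted_domains)
            if external:
                findings[path] = external
    return findings


if __name__ == "__main__":
    # Triage the constructed sample as if it were an uploaded file.
    print(find_external_links(SAMPLE_PDF, {"example.gov"}))
```

In practice the allowlist would hold the organization's own domains, and any PDF reported by `scan_directory` goes to a human reviewer; a hit is not proof of compromise, since legitimate documents link off-site too, but it narrows thousands of uploads down to the handful worth opening.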
While the overall impact of this spam campaign is expected to be minimal, the incident highlights concerns regarding the ability to upload content to .gov websites, not only for the affected sites but for the entire U.S. government. Previous instances, such as Iranian hackers attempting to manipulate vote counts on a U.S. city's website, as well as concerns about election-related websites being compromised, emphasize the critical need to secure government websites against hacking attempts.