Scammers have carried out a large-scale spam campaign targeting official websites of various U.S. state, county, and local governments, federal agencies, and universities. The campaign involved the uploading of PDF files containing advertisements promoting hacking services and fraudulent activities. Some of the affected websites include those belonging to state governments (California, North Carolina, New Hampshire, Ohio, Washington, and Wyoming), county governments (St. Louis County in Minnesota, Franklin County in Ohio, Sussex County in Delaware), local municipalities (Johns Creek in Georgia), and universities (UC Berkeley, Stanford, Yale, and more).
Scammers post illegal services ads on the websites
The scammers advertisements within the PDF files led to websites offering services for hacking Instagram, Facebook, and Snapchat accounts, cheating in video games, and generating fake followers. Although the campaign primarily aimed to promote scam services, the presence of security vulnerabilities raises concerns about potential malicious activities. The PDFs, found by a senior researcher at Citizen Lab, indicate a larger spam campaign that might be orchestrated by the same group or individual.
Experts have highlighted that the scammers PDF uploads took advantage of misconfigured services, unpatched content management system (CMS) bugs, and other security weaknesses. While investigating the advertised websites, it was discovered that they were part of a scheme to generate revenue through click fraud. The cybercriminals behind the campaign appeared to be utilizing open-source tools to create pop-ups that verify human visitors while generating money in the background. Reviewing the source code revealed that the advertised hacking services were likely fake, despite displaying alleged victims’ profile pictures and names.
Concerns arise over the security of the websites
Representatives from affected entities, such as the town of Johns Creek in Georgia and the University of Washington, mentioned that the issue stemmed from flaws in a content management system called Kentico CMS. However, it is not clear how all the sites were compromised. In some cases, scammers exploited flaws in online forms or CMS software, allowing them to upload PDFs. Affected organizations, including the California Department of Fish and Wildlife and the University of Buckingham in the U.K., acknowledged that their sites were not breached but rather had misconfigured or vulnerable components that facilitated the unauthorized PDF uploads.
While the overall impact of this spam campaign is expected to be minimal, the ability to upload content to .gov websites raises concerns about potential vulnerabilities within the entire U.S. government’s digital infrastructure. Previous incidents, such as Iranian hackers attempting to alter vote counts on a U.S. city’s website, have underscored the importance of securing government and election-related websites against cyber threats.
Efforts are underway to address the issue, with the US cybersecurity agency, CISA, coordinating with affected entities and providing assistance as needed. Affected organizations have taken steps to remove malicious PDFs, fix vulnerabilities, and enhance security measures to prevent similar incidents in the future. However, this incident serves as a reminder of the constant vigilance required to safeguard online platforms against evolving threats.