It may be easier than one thinks to register a dot-gov domain, according to KrebsOnSecurity. People have tended to regard urls with the top-level domain dot gov as generally reliable, but this may need to change.

KrebsOnSecurity says it “received an email from a researcher who said he got a .gov domain simply by filling out and emailing an online form, grabbing some letterhead off the homepage of a small U.S. town that only has a ‘.us’ domain name, and impersonating the town’s mayor in the application.” The US General Services Administration (GSA) is responsible for managing dot gov top-level domain registration, and the experimenter received the domain he asked for. The researcher chose Exeter, Rhode Island, for the “thought experiment,” and it appears that the US General Services Administration (GSA) did not contact the town to verify that the request came from them until some days after KrebsOnSecurity informed the GSA that they may have a problem.

We are accustomed to seeing government offices and agencies impersonated with a plausible name that comes with a dot-com top-level domain. A famous one about a decade ago was whitehouse dot com, which led to an adult site, and not to the President of the United States, whose domain of course is whitehouse dot gov. The giveaway in that case was the dot com top-level domain. But the experiment KrebsOnSecurity reports suggests that it may be disturbingly easy to spoof a dot gov domain: it appears that, at the time of the posting, houston.gov, losangeles.gov, newyorkcity.gov, and philadelphia.gov were all available.

Both GSA and the Cybersecurity and Infrastructure Security Agency (CISA) are investigating, and looking into ways of tightening domain registration. We urge everyone not to attempt this kind of experiment on their own, since it amounts to wire fraud, but the incident should open our eyes to fresh possibilities of social engineering. As fraudsters advance in cunning and ingenuity, new-school security awareness training becomes even more important to arm your employees with the healthy skepticism every organization needs to stay safe.

KrebsOnSecurity has the story: https://krebsonsecurity.com/2019/11/its-way-too-easy-to-get-a-gov-domain-name/