The U.S. Government Issued a .Gov Domain Name to a Fraudster Pretending to Be a Mayor
Apparently, it is easy for anyone to obtain a .gov domain name. All you have to do is fill out an online form, and you get your own .gov domain name. According to a report from krebsonsecurity.com, a cybersecurity watchdog site run by Brian Krebs, it turned out the U.S. government currently has no effective way to verify and validate the identity of anyone requesting a .gov domain registration.
The .gov domain name is a sponsored top-level domain (sTLD) restricted to use by government organizations only. The three-letter .gov TLD is derived from the word "government", indicating its restricted use by government entities. The .gov domain is administered by the General Services Administration (GSA), an independent agency of the United States federal government.
As Brian Krebs revealed, an unnamed researcher impersonated a small-town mayor using a fake Google Voice number and a fake Gmail address, and easily registered a .gov domain name, which is meant exclusively for government websites. Earlier this month, KrebsOnSecurity said it received an email from a researcher who said he got a .gov domain simply by filling out and emailing an online form, grabbing some letterhead off the homepage of a small U.S. town that only has a ".us" domain name, and impersonating the mayor of the town of Exeter, Rhode Island in the application.
“I had to [fill out] ‘an official authorization form,’ which basically just lists your admin, tech guy, and billing guy,” the unnamed researcher said in an email received by KrebsOnSecurity. “Also, it needs to be printed on ‘official letterhead,’ which of course can be easily forged just by Googling a document from said municipality. Then you either mail or fax it in. After that, they send account creation links to all the contacts.”
What is so alarming about this incident is that a .gov domain carries an authority that regular TLD extensions such as .com do not. Using a .gov domain gives government agencies permission to request, for example, Facebook users' personal data. In addition, Krebs noted that a state-sponsored actor operating outside the United States could register a .gov domain to launch a malicious website, send email, or spread fake news on social media, which could pose a serious national security risk.
Krebs said what the unnamed source did was unlawful. The source acknowledged that what he did was unlawful. "I never said it was legal, just that it was easy," the source said. "I assumed there would be at least ID verification. The deepest research I needed to do was Yellow Pages records," Krebs wrote.
Krebs later reached out to the county government in the town of Exeter, Rhode Island and asked whether the U.S. General Services Administration (GSA) had made any attempt to validate the request for a .gov site. After four days, GSA responded to Krebs confirming that the incident was indeed true.
“A person who called back from the town clerk’s office but who asked not to be named said someone from the GSA did phone the mayor’s office on Nov. 24 — which was four days after I reached out to the federal agency about the domain in question and approximately 10 days after the GSA had already granted the phony request,” Krebs explained.
"The agency doesn't comment on open investigations," a GSA spokesperson told Krebs in a separate email. "GSA is working with the appropriate authorities and has already implemented additional fraud prevention controls," Krebs added, citing the agency's email. GSA did not elaborate on what those additional controls might be.
The incident is definitely a wake-up call for the U.S. Government. Krebs said he finally received a substantive response from the Cybersecurity and Infrastructure Security Agency (CISA), a division of the U.S. Department of Homeland Security that is leading efforts to protect the federal .gov domain and civilian government networks [NB: The head of CISA, Christopher C. Krebs, is no relation to Brian Krebs]. CISA told Krebs it is now putting measures in place to take control of the issuance of all .gov domains.
“The .gov top-level domain (TLD) is critical infrastructure for thousands of federal, state and local government organizations across the country,” reads a statement CISA sent to KrebsOnSecurity. “Its use by these institutions should instill trust. In order to increase the security of all US-based government organizations, CISA is seeking the authority to manage the .gov TLD and assume governance from the General Services Administration,” Krebs wrote, citing CISA.