
Registering a .gov domain name in the US turns out to be easy

Brian Krebs, a noted journalist and cybersecurity researcher, reported in his blog that it is straightforward for anyone to obtain a .gov domain name that is normally reserved for US government agencies. Krebs heard about this from a researcher who asked to remain anonymous and who was easily able to register the domain name exeterri.gov by presenting himself as the mayor of the town of Exeter, Rhode Island. The .gov domain is managed by the US General Services Administration (GSA). The researcher filled out an online application on its website. He had to submit names and contacts of officials in the government organization or agency that applied for the domain name registration.

“I used a fake Google Voice number and fake Gmail address,” the researcher said. The only thing that was real was the mayor’s name he found on the internet. The GSA also requires that the domain name application be printed on an official letterhead, but it was easy to get the city’s scanned documents just by Googling a document from the municipality in question. “I assumed there would be at least ID verification,” the researcher continued, but instead he got a message from the GSA with a link for creating an account and registering the domain name.

The exeterri.gov domain was registered on November 14. The researcher seeks to maintain his anonymity because his actions unequivocally qualify as wire fraud.

“I never said it was legal, just that it was easy,” the source admits. While investigating the situation, Brian Krebs contacted officials in Exeter, RI, to find out if anyone from the US General Services Administration had tried to validate the request. A staff member in the city clerk’s office confirmed that someone from the GSA did phone the mayor’s office on Nov. 24, approximately 10 days after the GSA had already registered the domain. The GSA refused to answer Krebs’s questions, saying the agency does not comment on open investigations.

Meanwhile, Krebs’s investigation was given maximum attention by the US Department of Homeland Security. DHS representatives said it was critical to maintain the security and integrity of the .gov space, adding that the agency is now seeking to transfer control of the issuance of all .gov domains to the Cybersecurity and Infrastructure Security Agency (CISA), a division of the US Department of Homeland Security.

These concerns are easy to understand. The .gov domain enjoys trust among Americans, since information from its websites and email addresses is perceived as official by definition. It is not hard to imagine cyber criminals using .gov names for fraudulent ends. Even more dangerous scenarios are possible. Brian Krebs points out that many cities in the US still do not have .gov names and use .us domain names instead, like Exeter, RI. Names like houston.gov, losangeles.gov, newyorkcity.gov and philadelphia.gov remain unregistered. Foreign intelligence services could register them and use them to interfere in US elections. Residents could be emailed from these addresses on election day with warnings of bomb threats at polling stations. This could actually abort the election, for example, in constituencies where scammers view the frontrunner as an undesirable candidate.
