June 5, 2023

An extensive spam campaign has targeted the official websites of several state, county, and municipal governments in the United States, as well as federal agencies and many colleges with hacking service ads.

The scammers posted PDF adverts promising hacking services on websites ending in.gov and.edu domains. California, North Carolina, New Hampshire, Ohio, Washington, and Wyoming federal websites are among those affected, as are specific county and municipal websites. UC Berkeley, Stanford, Yale, and the University of Washington were also targeted.

Other victims include the Spanish Red Cross, defense contractor Rockwell Collins, and an Irish tourism firm, in addition to government and educational sites. The PDFs featured links to websites that provided services such as hacking Instagram, Facebook, and Snapchat accounts, gaming cheats, and making phony followers.

These adverts were found by John Scott-Railton, a senior researcher at Citizen Lab, who highlighted concerns about potential security flaws. While the submitted PDFs only refer to scam services at the moment, Scott-Railton warned that additional dangerous information might have been published, possibly inflicting serious harm.

While the exact nature of the breaches is unknown, some victims had misconfigured forms that allowed PDF submissions, while others have eliminated unwanted PDFs and improved security.

The sources for this piece include an article in TechCrunch.