
IRS & Equifax: A match made in heaven.

Original post date: Oct. 3, 2017

Updates: Oct. 4, 2017

Today, like many others, I was in complete shock to learn that the IRS had awarded a contract to Equifax to

“establish an order for third party data services from Equifax to verify taxpayer identity and to assist in ongoing identity verification and validations needs of the Service.”

– Wait…whaaaaat? The company that just had over 143 million taxpayers’ information stolen? They are getting rewarded with a government contract? So of course, me being me – I started digging. Sure enough, I managed to find some juicy info that indicated that the IRS idverify site has its own issues.

My initial search was from filtering down on subdomains that ended up showing me three links in Google that were not right. These are what we call SEO spam injections. As I navigated through the Google results, that’s all I initially saw – until I upped my Google-fu game.

By changing my search criteria to include:

site:irs.gov inurl:idverify videos

I got a much bigger view – over 4000 pages indexed by Google. Seems to be everything from racing, to music videos, to XXX porn. When I started looking at the URLs indexed by Google, I realized it was just a typical SEO spam injection. If we look at the URLs that are indexed, they all start with “idverify.irs.gov/exit.htm” followed by the redirect to the video serving site: “?http://spamsite[.].com/CFQ2GyiGpWY/download/new-video-intro.html”, which is what you get redirected to when you view the Google cached copy of the search result that was indexed between July and September, 2017.

This could have been any number of issues – but it appears after further research (10/4/2017) that the exit.htm file was a legitimate file that was meant to redirect users to external resources and it was being abused for SEO ranking purposes. I even managed to find a link to a document that told readers they could use several .gov links because they didn’t have the magical ingredient to keep them from getting indexed: “no follow”. A link to that document is here. This led me to investigate more, which is below.

I can say that the exit.htm file has a 301 redirect to another IRS URL now:

Some examples of what Google still has in its cache for the redirecting links:

I did dig a little deeper on several of these pages and didn’t come across any malware (to my disappointment!). However, I will say that this may be even bigger than I initially thought. While viewing the source code on one of the cached pages, there were additional links at the bottom that also indicated that noaa.gov sites had been compromised and were serving SEO spam pages as well, which I needed to research further:

By the time I stumbled on this, it was already 11:00pm on October 3rd, so when I got up the next morning I went straight for it and found several other fascinating issues on multiple .gov domains including the FAA, SBA, NASA, NOAA and many other government sites.

My initial search for the crh.noaa.gov didn’t turn up much last night, but I had more luck this morning. I changed my search criteria to be intext:"noaa.gov/nwsexit.php?url=", which gave me roughly 3500 hits for sites that actually included those links in their pages! This also pointed me to additional gov sites that had the same or similar issue with the backlinks in their exit pages that were being indexed. Almost 100….

The one thing they all have in common? A simple exit page to warn users they are leaving their site, with a link to the page – and no “nofollow” assigned to them. A spammer’s dream. Here’s an example of one of the exit pages on the FAA website that is still up and working:

And upon viewing the source of the page, we can see that they haven’t told search engines to NOT index this:

So I’ve included a list of the sites that I initially found this issue on. Of course, I removed the spammy site link and I’m not linking to any of these – it’s just for reference. I’m sure there are more, but this is all I had time to compile:

I may come back at some point in time and dig into this deeper, but for now I think I’ve shed some light on the main issue – nofollow and the government sites that are serving up SEO spam for some pretty shady sites.
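
A hardened version of the kind of exit page described above, as an added example that is not code from this post or from any of the sites it names: the destination is checked against an allowlist before the "you are leaving" page is rendered, and the response carries an X-Robots-Tag: noindex, nofollow header plus rel="nofollow" on the link. The allowlisted hosts, parameter names and function names are assumptions made for the illustration.

```python
from html import escape
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed for illustration: hosts this site deliberately links out to.
ALLOWED_HOSTS = {"partner.example", "docs.partner.example"}
# Assumed parameter names; exit pages also accept a bare "?http://..." form.
PARAM_NAMES = ("url", "link", "site", "newsite")
ROBOTS = "noindex, nofollow"


def extract_target(query):
    """Return the destination from '?url=...' or from a bare '?http://...'."""
    params = {k.lower(): v for k, v in parse_qs(query).items()}
    for name in PARAM_NAMES:
        if name in params:
            return params[name][0]
    return unquote(query)


def is_allowed(target):
    """Accept only http(s) URLs whose host is on the allowlist."""
    # Backslashes, spaces and control characters are parsed differently by
    # browsers and by urlsplit, so reject them before parsing.
    if "\\" in target or any(ord(c) <= 32 for c in target):
        return False
    try:
        parts = urlsplit(target)
        # .hostname drops userinfo and port: "partner.example@spam.example" fails.
        host = parts.hostname
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and host in ALLOWED_HOSTS


def exit_page(query):
    """Return (status, headers, body) for the 'you are leaving' page."""
    # Keep the exit page out of search indexes whatever the query string says.
    headers = {"X-Robots-Tag": ROBOTS,
               "Content-Type": "text/html; charset=utf-8"}
    target = extract_target(query)
    if not is_allowed(target):
        # Do not echo the rejected URL: no link, nothing for a crawler to follow.
        return 400, headers, "<p>That external link is not recognised.</p>"
    href = escape(target, quote=True)
    body = (f'<meta name="robots" content="{ROBOTS}">'
            f"<p>You are leaving this site.</p>"
            f'<a rel="nofollow noopener" href="{href}">{href}</a>')
    return 200, headers, body
```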