Cybercriminals have recently targeted various official websites of U.S. state, county, and local governments, as well as federal agencies and universities, by publishing deceptive advertisements promoting hacking services. The hackers uploaded PDF files containing these ads to official .gov websites, including those belonging to the state governments of California, North Carolina, New Hampshire, Ohio, Washington, and Wyoming. Additionally, the scam ads were found on websites of St. Louis County in Minnesota, Franklin County in Ohio, Sussex County in Delaware, the town of Johns Creek in Georgia, and the federal Administration for Community Living.

The targeted universities included UC Berkeley, Stanford, Yale, UC San Diego, University of Virginia, UC San Francisco, University of Colorado Denver, Metropolitan Community College, University of Washington, University of Pennsylvania, University of Texas Southwestern, Jackson State University, Hillsdale College, United Nations University, Lehigh University, Community Colleges of Spokane, Empire State University, Smithsonian Institution, Oregon State University, University of Buckingham in the U.K., and Universidad Del Norte in Colombia.

Besides government and educational websites, other victims of this campaign included Spain’s Red Cross, defense contractor Rockwell Collins (a subsidiary of Raytheon), and an Ireland-based tourism company.

The PDFs contained links to various websites advertising hacking services, such as hacking Instagram, Facebook, and Snapchat accounts, cheating in video games, and creating fake followers. Some of the PDFs appeared to have been online for years based on their dates.

John Scott-Railton, a senior researcher at Citizen Lab, discovered these advertisements. While it is unclear if the listed sites represent a complete list of the affected websites, the similarity of the ads suggests that they may be the work of the same group or individual.

The Cybersecurity and Infrastructure Security Agency (CISA) acknowledged the compromises and stated that it was collaborating with the impacted entities to provide assistance.

Upon inspection of the advertised websites, GreyJournal found indications that the cybercriminals were engaging in click-fraud schemes to generate revenue. They used open-source tools to create popups that verified human visitors but covertly generated money in the background. Despite one site displaying alleged victim profiles, the hacking services advertised were likely fake.

Representatives from the town of Johns Creek in Georgia, the University of Washington, and Community Colleges of Spokane confirmed that the issue was related to a content management system (CMS) called Kentico CMS. Other victims, such as the California Department of Fish and Wildlife and the University of Buckingham, described similar techniques but did not explicitly mention Kentico.

The affected websites were not necessarily breached but were exploited due to flaws in online forms or CMS software, allowing the cybercriminals to upload the PDFs. The vulnerabilities were resolved, and the malicious documents were removed.
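For site owners checking whether a form or CMS upload path has been abused this way, the following is an added example (not from the article or any affected organization) that audits a web root for PDFs whose link actions point off-site. The function names, the `.example` domains and the sample PDF bytes are constructed for illustration.

```python
import re
import zlib
from pathlib import Path
from urllib.parse import urlparse

# Literal-string /URI actions, e.g. "/URI (https://host/path)". Hex-string URIs are not handled.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.S)

def pdf_link_hosts(data: bytes) -> set:
    """Hostnames of every /URI action, including ones inside Flate-compressed streams."""
    bodies = [data]
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates trailing bytes after the zlib stream
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate data (image, font, other filter)
    hosts = set()
    for body in bodies:
        for raw in URI_RE.findall(body):
            uri = re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")
            try:
                host = urlparse(uri).hostname
            except ValueError:
                continue  # malformed URI
            if host:
                hosts.add(host.lower())
    return hosts

def off_site_hosts(data: bytes, own_domains) -> list:
    """Link hosts that are neither one of own_domains nor a subdomain of one."""
    return sorted(h for h in pdf_link_hosts(data)
                  if not any(h == d or h.endswith("." + d) for d in own_domains))

def audit_dir(root, own_domains) -> dict:
    """Map each PDF under root to its off-site link hosts (only files that have any)."""
    report = {}
    for path in Path(root).rglob("*.pdf"):
        hosts = off_site_hosts(path.read_bytes(), own_domains)
        if hosts:
            report[str(path)] = hosts
    return report

def sample_pdf() -> bytes:
    """Constructed sample: an on-site link in plain text, an off-site link in a compressed stream."""
    hidden = zlib.compress(b"<< /S /URI /URI (http://followers.spam.example/buy) >>")
    return (b"%PDF-1.5\n1 0 obj << /A << /S /URI /URI (https://www.city.example/forms) >> >> endobj\n"
            b"2 0 obj << /Filter /FlateDecode >>\nstream\n" + hidden + b"\nendstream endobj\n%%EOF\n")
```

A hit is a triage signal rather than proof of abuse, since legitimate documents also link off-site; comparing flagged files against the CMS's record of who uploaded them narrows the list.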

The spam campaign’s overall impact is expected to be minimal, but the ability to upload content to .gov websites raises concerns not only for the affected sites but also for the entire U.S. government. Previous incidents involving Iranian hackers attempting to manipulate vote counts on a U.S. city’s website and concerns regarding election-related websites being compromised have highlighted the importance of securing government websites against hacking attempts.