
Thousands of US Government and Educational Websites Hijacked for Scam Promotions

New research has revealed that thousands of websites belonging to US government agencies, universities, and professional organizations have been hijacked over the past five years. These websites are being used to promote scam offers and fraudulent activities, with many of the scams targeting children by tricking them into downloading apps, malware, or revealing personal information in exchange for non-existent rewards related to popular games like Fortnite and Roblox.

Security researcher Zach Edwards has been tracking these website hijackings and scams for over three years. He discovered that the activity is connected to affiliate users of an advertising company. This US-registered company acts as a service that sends web traffic to online advertisers, allowing individuals to sign up and use its systems. Edwards continues to uncover newly compromised websites on .gov, .org, and .edu domains every day.

The attackers exploit vulnerabilities or weaknesses in the targeted website's backend or content management system. They upload malicious PDF files called “poison PDFs” that are designed to show up in search engines and promote fake offers such as free Fortnite skins, generators for in-game currency, or cheap streams of popular films. When users click the links in these PDFs, they are directed through multiple websites that ultimately lead them to scam landing pages.
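A site owner's first question after reading the paragraph above is how to find such files on their own web properties. The following is an added example, not code from the article or from the researcher it quotes: a small Python scanner that pulls link-action targets (`/URI`) and the document title out of a PDF's raw bytes and flags files whose links leave the site's own domain or whose wording matches the lure terms the article describes. The lure-term list, the domain check, and both sample PDFs are constructed for this illustration; the regex approach only sees objects that are stored uncompressed, so a production version would parse object streams with a real PDF library (for example pypdf).

```python
import re
from urllib.parse import urlparse

# Constructed heuristic list of wording that recurs in the offers described above.
LURE_TERMS = ("fortnite", "roblox", "robux", "v-bucks", "vbucks",
              "free skins", "generator", "free stream")

# PDF literal strings are written as ( ... ) with backslash escapes; these patterns
# match the common uncompressed form of a link action and of the Info dictionary title.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
TITLE_RE = re.compile(rb"/Title\s*\(((?:\\.|[^\\)])*)\)")


def _decode(raw: bytes) -> str:
    # Undo the escapes that matter for URLs and titles: \( \) and \\ .
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1", errors="replace")


def extract_uris(pdf_bytes: bytes) -> list:
    """Return every /URI link-action target found in uncompressed PDF objects."""
    return [_decode(m) for m in URI_RE.findall(pdf_bytes)]


def extract_title(pdf_bytes: bytes) -> str:
    """Return the document /Title, or an empty string if none is present."""
    m = TITLE_RE.search(pdf_bytes)
    return _decode(m.group(1)) if m else ""


def assess_pdf(pdf_bytes: bytes, site_domain: str):
    """Score a PDF hosted on site_domain: each off-site link target and each
    lure term in the title or link targets adds one reason. Returns (score, reasons)."""
    reasons = []
    uris = extract_uris(pdf_bytes)
    title = extract_title(pdf_bytes)
    for uri in uris:
        host = (urlparse(uri).hostname or "").lower()
        on_site = host == site_domain or host.endswith("." + site_domain)
        if host and not on_site:
            reasons.append(f"external link target: {uri}")
    haystack = (title + " " + " ".join(uris)).lower()
    for term in LURE_TERMS:
        if term in haystack:
            reasons.append(f"lure wording: {term!r}")
    return len(reasons), reasons


# Constructed sample: a minimal PDF in the style of the planted files described above.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 400 720]
   /A << /S /URI /URI (http://example-redirector.invalid/go?offer=free-fortnite-skins) >> >> endobj
5 0 obj << /Title (Free Fortnite Skins Generator 2023 \\(no survey\\)) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

# Constructed benign sample: an ordinary brochure linking back to the hosting site.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 400 720]
   /A << /S /URI /URI (https://www.example.edu/admissions) >> >> endobj
5 0 obj << /Title (Admissions Brochure) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, data, site in (("planted", SAMPLE_PDF, "example.gov"),
                              ("benign", BENIGN_PDF, "example.edu")):
        score, reasons = assess_pdf(data, site)
        print(f"{label}: score={score}")
        for r in reasons:
            print("  -", r)
```

Run over a web root's upload directory, a score above zero is a reasonable trigger to pull the file for manual review; the off-site link check alone catches the redirect-chain pattern even when the wording changes, while the lure terms catch files that link back through the site's own open redirect.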

These landing pages are often highly targeted towards children. They ask users to provide personal information, download apps, or sign up for other services in order to unlock the promised rewards. However, the rewards never materialize, and those behind the scams profit from the actions taken by the victims.

The scams are all traced back to the advertising firm CPABuild and its network members. All compromised websites with uploaded PDFs are connected to command-and-control servers owned by CPABuild. The company describes itself as a “content-locking network” and operates on a cost per action (CPA) basis, where its users, known as affiliates, try to get people to complete various offers.

The scams have caught the attention of the New York State Department of Financial Services, as well as the US Cybersecurity and Infrastructure Security Agency (CISA), which have taken steps to remove the fraudulent PDFs from affected websites.

CPABuild, however, has not provided any response to inquiries about these activities. The company claims to have fraud checks in place and prohibits its users from engaging in fraudulent activities. However, the research conducted by Zach Edwards shows that these measures have been ineffective in preventing its users from participating in widespread fraud.

The extent of these website compromises and the public nature of the scams make them a cause for concern. Further action is needed to protect internet users, especially children, from falling victim to these fraudulent schemes.