When visiting a government website, it’s natural to relax and assume the site is secure and you’re safe. However, it turns out anyone can register a .gov domain name with a little bit of forgery and fraud.
As KrebsOnSecurity reports, back in November, a researcher not associated with the US government managed to register a .gov domain for a small US town. All it took to impersonate the town's mayor was a fake Google Voice number, a Gmail address, and a copy of the letterhead the town used. An authorization form was downloaded, filled out, and sent via mail or fax to DotGov. In return, account creation links were issued.
By going through that process, the researcher committed wire fraud, but the point is that the .gov domain was authorized. No manual checks were carried out beforehand. For example, calling the mayor to verify the request would have instantly flagged the application as fraudulent. However, as of today, such domain registrations are a little bit more secure.
An update posted on the DotGov website on March 5 states, “Effective on March 10, 2020, the DotGov Program will begin requiring notarized signatures on all authorization letters when submitting a request for a new .gov domain. This is a necessary security enhancement to prevent mail and wire fraud through signature forgery in obtaining a .gov domain. This step will help maintain the integrity of .gov and ensure that .gov domains continue to be issued only to official U.S. government organizations.”
A notary is a public official who is tasked with verifying the identity of everyone signing the documents and who acts as a witness. The notary is also required to affix an official stamp or seal to the document.
Although this extra requirement does make it a bit harder to register a .gov name if you aren’t officially entitled to one, as Krebs points out, there are still no manual checks happening. A determined individual could fake the notarization, and there are online (cybercrime) services more than willing to help paying customers do so.