Tax season is here—and it’s not just busy for taxpayers. Cybercriminals are equally active, looking for any vulnerabilities they can exploit. Recently, our team at ThreatSTOP discovered a hotlinking misconfiguration on IRS.gov, which could be leveraged by malicious actors to lend an air of legitimacy to scam or phishing websites. This blog post examines the nature of hotlinking, why it poses a threat (especially on a high-profile site like IRS.gov), and how you can protect your own website.
In the grand scheme of web security, hotlinking is often classified more as a misconfiguration than a full-blown vulnerability, since it doesn’t typically grant direct access to a site’s systems. However, in this case, even a small misconfiguration can lend outsized credibility to malicious websites. When legitimate logos and imagery from IRS.gov appear on a fraudulent page, it instantly looks more official, making it much easier for attackers to trick users into sharing sensitive information or falling victim to phishing scams.
During our routine threat research, the ThreatSTOP Security, Intelligence, and Research team noticed that IRS.gov allows external websites to hotlink images—most notably the IRS logo—directly from their servers. This means anyone can embed official IRS imagery simply by referencing the content on IRS.gov, potentially misleading users into thinking a malicious site is sanctioned by or affiliated with the IRS.
As a result, we found a long list of phishing and impersonation pages that looked more credible, especially during tax season when people are more likely to interact with official-looking notices or forms. We’ve already seen malicious websites exploit this hotlinking misconfiguration, which is why we immediately notified the IRS to help protect their resources and users. Throughout the blog post, I've placed some screenshots of malicious sites we've found using this misconfiguration.
(Fake as a tax refund from a Nigerian prince)
(Not fooling anyone)
Hotlinking (also called inline linking) occurs when a website displays an image (or other media) hosted on another site’s server. Instead of saving the image locally and serving it themselves, the site “borrows” the file by linking to the original URL.
1. Bandwidth Theft: Every time a hotlinked image loads, it consumes bandwidth and server resources from the original host, in this case IRS.gov. This is probably the least of the problems.
2. Security Risks: In this case, hotlinked assets lend credibility to misleading content; we found impersonations of the id.me and irs.gov login pages.
3. Brand Misuse: Displaying the official IRS logo or other assets can make fraudulent sites appear legitimate—leading to phishing and identity theft risks.
(Fake as a three-dollar bill)
Because tax season is a peak time for fraud, an official-looking site can easily fool individuals into sharing sensitive data. The presence of the genuine IRS logo or graphics (hotlinked from IRS.gov) can significantly lower a target’s guard, making it more likely they’ll provide personal or financial details.
Whether you’re a large organization or a smaller enterprise, understanding how to prevent hotlinking is crucial:
1. Referrer Checking / Blocking
Configure your web server (e.g., Apache, Nginx) to check the HTTP Referer header (the header name is historically misspelled with one "r"). If a request for an image comes from an external site, the server can block it or redirect to a placeholder image.
2. Rewrite Rules
Use .htaccess (Apache) or equivalent server configuration to rewrite or deny requests for media files from external referrers. This effectively stops unauthorized hotlinking or replaces the image with a warning or alternate graphic.
3. CORS Headers
Properly set up Cross-Origin Resource Sharing (CORS) headers to control whether and how other sites can embed your images, fonts, or scripts.
4. CDN and Watermarking
If you rely on a Content Delivery Network, you might watermark your images. This doesn’t block hotlinking outright, but it ensures your brand or domain is visible if the asset is displayed elsewhere.
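Putting the referrer-check and rewrite steps above into practice, here is an Nginx configuration written for this post as an added example (it is not configuration from the original article or from IRS.gov). The hostnames, file paths and placeholder image are assumptions for illustration.

```nginx
# Added example: block third-party hotlinking of images and log the referrers.
# example.gov, the paths and the placeholder image are illustrative assumptions.
http {
    # The Referer header names the page that embedded the image, so logging
    # rejected requests is a cheap way to discover impersonation sites.
    log_format hotlink '$time_iso8601 $remote_addr "$http_referer" "$request_uri"';

    server {
        listen 443 ssl;
        server_name www.example.gov example.gov;
        root /var/www/html;
        # ssl_certificate / ssl_certificate_key omitted for brevity

        location ~* \.(png|jpe?g|gif|svg|webp)$ {
            # valid_referers sets $invalid_referer to "1" when a Referer header is
            # present and matches none of these entries:
            #   none         - no Referer at all (direct visits, bookmarks)
            #   blocked      - Referer stripped or mangled by a proxy/firewall
            #   server_names - any name listed in server_name above
            # Allowing "none" is required for normal direct visits, so this is a
            # deterrent rather than an absolute control; watermarking complements it.
            # CORS headers do not affect <img> embedding; this check is what governs it.
            valid_referers none blocked server_names *.example.gov;

            if ($invalid_referer) {
                access_log /var/log/nginx/hotlink.log hotlink;
                # Serve a neutral placeholder instead of a 403 so the embedding
                # page shows an obviously non-official graphic, not a broken icon.
                rewrite ^ /static/hotlink-blocked.png last;
            }
        }

        location = /static/hotlink-blocked.png {
            # An exact-match location wins over the regex above, so the placeholder
            # is served without a referrer check and the rewrite cannot loop.
            add_header Cache-Control "no-store";
        }
    }
}
```

Reviewing /var/log/nginx/hotlink.log periodically surfaces the pages embedding your branding, which is the same signal used to find the impersonation sites shown in this post.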
Our Security, Intelligence, and Research team continuously updates and refines ThreatSTOP's protections to block command and control, invalid traffic, peer-to-peer communication, data exfiltration, phishing, spam, Distributed Denial of Service (DDoS) activity, and more.
(Not even close to legit)
We'd like to thank the good folks at Synack, who handle the IRS's bug bounty program, for their prompt response. We understand why they didn't want to fix it, but be vigilant!
| Date | Action |
|---|---|
| 2025-01-23 | Identified malicious websites leveraging the hotlinking misconfiguration on IRS.gov. |
| 2025-01-24 | Notified the IRS about our discovery, helping them safeguard their resources and users. |
| 2025-01-27 | IRS bug bounty handlers responded to ThreatSTOP. |
| 2025-01-28 | IRS declines to fix the issue. |
MITRE ATT&CK Chart
| MITRE ATT&CK Technique | Technique ID | Explanation |
|---|---|---|
| Initial Access: Spearphishing Attachment | T1566.001 | Phishing campaigns using official IRS logos hotlinked from IRS.gov can make emails or fraudulent pages more convincing, leading to initial access. |
| Initial Access: Spearphishing Link | T1566.002 | Fraudulent websites hotlinking official IRS imagery can appear legitimate, enticing users to click links that lead to phishing or malware pages. |
| Resource Development: Compromise Infrastructure | T1584 | Threat actors may use compromised infrastructure to host phishing sites that hotlink images from IRS.gov to appear authentic. |
| Impact: Defacement | T1491 | Hotlinking IRS imagery could allow attackers to manipulate legitimate branding in malicious ways, damaging the reputation of IRS.gov. |
| Defense Evasion: Masquerading | T1036 | By hotlinking IRS assets, attackers can make fraudulent websites appear as legitimate IRS-affiliated pages, evading user suspicion. |
| Credential Access: Input Capture | T1056 | Fraudulent pages that mimic IRS.gov login portals can trick users into entering credentials, which attackers can then capture and misuse. |
| Collection: Input Capture | T1056.001 | Fake login portals using hotlinked IRS logos may collect sensitive user inputs like usernames, passwords, or Social Security Numbers (SSNs). |
| Collection: Data from Information Repositories | T1213 | Impersonation sites leveraging hotlinked assets may target users’ tax data stored in online repositories or forms, such as id.me credentials. |
| Exfiltration: Exfiltration Over Web Service | T1567.002 | Phishing sites using hotlinked IRS branding may exfiltrate collected user data (e.g., financial details) via HTTP/HTTPS to attacker-controlled servers. |
| Reconnaissance: Search Open Websites/Domains | T1596 | Threat actors may scan public assets like IRS.gov to identify misconfigurations, such as open hotlinking, for use in phishing campaigns. |
| Reconnaissance: Gather Victim Identity Information | T1589.002 | Attackers use IRS branding and phishing pages to collect personal information such as Social Security Numbers, names, and addresses from victims. |