The person reportedly used a fake Google Voice number and fake Gmail address in their application, which the government approved.
- Someone was able to get their own .gov website by pretending to be a small-town mayor and filling out an online form, according to a new report from cybersecurity watchdog Brian Krebs.
- The person reportedly used a fake Google Voice number and fake Gmail address in their application, which the government approved.
- From there, the person was also able to use the .gov domain to access Facebook's law enforcement subpoena system.
- The US General Services Administration, which authorizes .gov domains, says it's investigating the incident.
- Visit Business Insider's homepage for more stories.
Getting a website with a .gov domain can be as easy as telling the government you're a small-town mayor and filling out an online form.
According to a new report from cybersecurity watchdog Brian Krebs, someone was able to get a .gov domain by impersonating a small-town mayor using information he found online. The person used a fake Google Voice number and fake Gmail address, both of which reportedly cleared the government's authorization process.
"I assumed there would be at least ID verification. The deepest research I needed to do was Yellow Pages records," the unnamed source told Krebs.
A spokesperson for the US General Services Administration, which is in charge of issuing .gov domains, said in a statement to Business Insider that it was investigating the issue and couldn't comment on open investigations.
In a separate statement to Business Insider, the Cybersecurity and Infrastructure Security Agency said protecting the integrity of the .gov domain from fraudsters is "critical" to national security. CISA is housed under the Department of Homeland Security, and a CISA spokesperson said that the agency has asked to take over control of authorizing .gov domains from the GSA.
"The .gov top-level domain (TLD) is critical infrastructure for thousands of federal, state and local government organizations across the country," the CISA spokesperson said. "Its use by these institutions should instill trust. In order to increase the security of all US-based government organizations, CISA is seeking the authority to manage the .gov TLD and assume governance from the General Services Administration."
Once the person obtained a fraudulent .gov domain, they were also able to access Facebook's law enforcement subpoena system, which allows government agencies to request personal information on Facebook users, screenshots obtained by Krebs show. A Facebook spokesperson told Business Insider that there are several other steps in the subpoena process that Facebook takes to verify requests, including reaching out to the government agency in question.