Malware, Fraud & Co.: Risky Domain Chaos of the Federal Government Revealed

The government keeps lists of its websites secret, endangering citizens' security. The publication of over 2000 domains now establishes facts on the ground.

(Image: Bundestagswahl 2017 - First forecast; Sebastian Heitzmann, Public Domain (Lizenz Creative Commons CC0))


When citizens search for information from government agencies in the digital space, reliability is the most important currency. An official website must not only be trustworthy but also unmistakably recognizable as such. However, in Germany, those seeking state expertise often embark on a digital scavenger hunt. Instead of clear labeling, there has been a lack of transparency for years, criticizes IT security researcher Tim Philipp Schäfers. This is not only confusing but also harbors tangible security risks such as the distribution of malware.


To counteract this situation and increase pressure on those responsible, Schäfers published a list of over 2000 federal domains on the portal FragDenStaat on Monday. The expert painstakingly compiled this data through scraping methods and search engine analysis. The overview now provides a comprehensive insight into the federal government's digital footprint for the first time.

Schäfers justifies the publication as a necessary step toward greater digital sovereignty. It enables the public and other government agencies to reliably check the authenticity of websites. At the same time, it forces authorities to raise their security measures to a contemporary level. Only when it is clearly documented which domains are official can fake offers be effectively exposed.

The management of federal domains currently resembles uncontrolled sprawl. While nations like the USA with .gov or Great Britain with gov.uk rely on a uniform and unmistakable suffix, Germany remains a decentralized patchwork.

According to Schäfers, this "domain chaos" is evident in a confusing mix of classic .de addresses, rarely used .bund.de structures, and a variety of special domains for short-term projects or initiatives. It is often difficult for outsiders to discern whether a site is actually operated by an authority or a ministry, or whether it is a well-made copy. Scammers have already exploited this ambiguity in the past. For example, state websites were specifically imitated during the Corona pandemic to claim subsidies. Another problem is expired federal domains that fell into the hands of unauthorized third parties because the management of the addresses failed. If such addresses are not renewed in time or are forgotten after a restructuring, they can become a trap for users who continue to expect official content there.

The absurdity becomes particularly clear when looking at the name changes of ministries after new governments are formed, Schäfers explains. As an example, he cites the current Federal Ministry for Digital and Transport, which has had five different names since the late 1990s. Each of these name changes has left a trail of domains – from bmvbs.de to bmvi.de and countless variations with suffixes like .net, .org, or .info. Even "minister domains" like verkehrsminister.de were registered. This flood of addresses makes it practically impossible for citizens to assess the authenticity of a URL.

The planned "digital umbrella brand" with the suffix gov.de, which the IT Planning Council already decided on in March 2024, is still waiting for full implementation years later. So far, only a vanishingly small number of these unique domains are actually in use.

Amidst this lack of clarity, the federal government is pursuing a strategy that Schäfers strongly disapproves of: security by obscurity. Authorities classify lists of the domains they operate as classified information in the hope that unknown systems will be attacked less frequently. In the modern IT landscape, however, this principle is considered outdated. Secrecy offers no protection against targeted attacks, because automated DNS scans, search engines, and certificate transparency logs will discover such addresses sooner or later anyway. An attacker does not need an official list to systematically scan an authority's address space, Schäfers points out. Instead, secrecy lulls operators into a false sense of security.

The risks of this lack of transparency were recently underscored by incidents surrounding the suffix "bund.ee," as Schäfers reported on Sunday at the 39th Chaos Communication Congress (39C3) in Hamburg. A simple typo or a mistakenly assumed suffix, as with this domain, which he registered experimentally, could lead users to private or even malicious sites that appear official. If the state fails to clearly define and communicate its digital identity, it leaves the space open to disinformation campaigns and fraud attempts. Real security arises from robust technical protective measures such as strong authentication and continuous inventory control.
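The inventory check that a published directory makes possible, as an added example that is not part of the article or of Schäfers' list: observed hostnames (from certificate transparency logs or DNS scans) are reconciled against an allowlist of official domains, and names that only look official, such as bund.ee beside bund.de, are flagged. The allowlist and the observed names below are constructed for illustration.

```python
"""Reconcile observed hostnames against a published list of official domains.
The domain sets here are constructed examples, not the FragDenStaat data."""

# Constructed allowlist standing in for a public directory of federal domains.
OFFICIAL_DOMAINS = {"bund.de", "bmvi.de", "bmdv.bund.de", "gov.de"}

# Constructed observations, e.g. names seen in certificate transparency logs.
OBSERVED_HOSTS = [
    "www.bund.de",
    "service.bmdv.bund.de",
    "www.bund.ee",           # same name, wrong suffix
    "bmvl.de",               # one-character typo (constructed)
    "bmvi.de.example.net",   # official name embedded in an unrelated domain
    "verkehrsminister.de",   # not on the list at all
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one-character typos of an official name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_official(host: str, official: set[str]) -> bool:
    """True only if host equals or sits under an allowlisted domain at a label boundary."""
    return any(host == d or host.endswith("." + d) for d in official)


def classify(host: str, official: set[str] = OFFICIAL_DOMAINS) -> str:
    """Return 'official', 'lookalike' or 'unknown' for an observed hostname."""
    host = host.lower().rstrip(".")
    if is_official(host, official):
        return "official"
    labels = host.split(".")
    if len(labels) < 2:
        return "unknown"
    registrable = ".".join(labels[-2:])
    for d in official:
        d_labels = d.split(".")
        # Same registrable name under a different suffix (bund.ee vs bund.de).
        if d_labels[-2] == labels[-2] and d_labels[-1] != labels[-1]:
            return "lookalike"
        # One edit away from an official registrable name (bmvl.de vs bmvi.de).
        if levenshtein(registrable, ".".join(d_labels[-2:])) == 1:
            return "lookalike"
    return "unknown"


def inventory_report(hosts: list[str] = OBSERVED_HOSTS) -> dict[str, str]:
    """Map every observed host to its classification for review."""
    return {h: classify(h) for h in hosts}
```

Hosts reported as "lookalike" or "unknown" are the ones an operator would investigate or, for expired federal names, consider re-securing.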

The introduction of the gov.de domain for all federal authorities must no longer be postponed, the researcher demands. A public directory of all official domains is needed so that the digital identity of the state is no longer a guessing game.

(jpw)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.