
Doctor Web: gosuslugi.ru portal has been compromised and may begin to infect visitors or steal information

Doctor Web specialists have discovered potentially malicious code, injected by unknown parties, on the state services portal of the Russian Federation (gosuslugi.ru). Because the administration of the gosuslugi.ru site has not responded, we are forced to disclose the threat publicly.


The date the compromise began, and any past activity over this attack vector, cannot be established at the moment. The malicious code causes the browser of any visitor to the site to silently contact one of at least 15 domains registered to an unknown individual. In response, these domains can return any arbitrary document, ranging from a fake credit card data entry form to code that iterates over a set of vulnerabilities in order to gain access to the site visitor's computer.


While the page the user requests is being dynamically generated, an <iframe> container is added to the site code, which makes it possible to load or request any third-party data from the user's browser. So far, specialists have found at least 15 domains, including m3oxem1nip48.ru, m81jmqmn.ru and other addresses with deliberately uninformative names. For at least 5 of them, the address range belongs to companies registered in the Netherlands. Over the past day, requests to these domains either fail, because the security certificate of most of these sites has expired, or return a response that does not contain malicious code. However, nothing prevents the domain owners from renewing the certificates at any time and placing malicious code on these domains.


At the moment, the gosuslugi.ru site is still compromised. The information has been passed to the site's technical support, but no confirmation has been received that the necessary measures are being taken to prevent such incidents in the future or that past activity is being investigated. Doctor Web recommends caution when using the public services portal of the Russian Federation until the situation is resolved. Doctor Web, LLC recommends that the administration of the gosuslugi.ru site and the competent authorities carry out a security check of the site.


Any user can check for the presence of the code on their own by entering the following query into a search engine:


site:gosuslugi.ru "A1996667054"
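
A site operator can run the same kind of check directly against served HTML. The following is an added example, not code from Doctor Web or the original post: it lists <iframe> sources that point outside an allowlist and looks for the marker string from the query above. The allowlist, the function names and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the operator legitimately embeds; everything else is reported.
ALLOWED_SUFFIXES = ("gosuslugi.ru",)
# Marker string taken from the search query quoted in the article.
MARKER = "A1996667054"


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "iframe" else None
        if src:
            self.sources.append(src.strip())


def is_allowed(host):
    # Exact match or a true subdomain; "evilgosuslugi.ru" must not pass.
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def audit_page(html, page_url):
    """Return (foreign_iframe_targets, marker_present) for one served page."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    foreign = []
    for src in parser.sources:
        parts = urlsplit(src)
        if parts.scheme not in ("", "http", "https"):
            target = parts.scheme + ":"  # data:, javascript: etc. are reported
        else:
            # Relative URLs have no host and resolve to the page's own host.
            target = parts.hostname or urlsplit(page_url).hostname or ""
        if not is_allowed(target) and target not in foreign:
            foreign.append(target)
    return foreign, MARKER in html


# Constructed sample page (not captured from the real site); marker placement is invented.
SAMPLE = """<html><body>
<iframe src="/widgets/help.html"></iframe>
<iframe src="https://m3oxem1nip48.ru/x" width="0" height="0"></iframe>
<iframe src="//M81JMQMN.ru/"></iframe>
<!-- A1996667054 -->
</body></html>"""
```

Run it against the HTML as actually delivered to browsers, since the article states the <iframe> is added during dynamic page generation and would not appear in static templates.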



UPD: 3 .


Source: https://habr.com/ru/post/333008/

