A former ministerial adviser has warned the Government could face attacks from foreign hackers using rogue ‘spoof’ website addresses that look like the real thing – after his former colleagues said it would be too expensive to take the dodgy domains offline.
Leon Emirali, a former aide to Chief Secretary to the Treasury Steve Barclay, purchased some of the most convincing-looking web addresses that, to the untrained eye, could be mistaken for real UK Government websites.
Among the sites he purchased were ‘cabinetoffice.uk’, which is missing the ‘.gov’ used for the real Cabinet Office website cabinetoffice.gov.uk, and ‘No10gov.uk’, which is only one full stop away from the real thing, No10.gov.uk.
Mr Emirali, who now runs a tech consultancy, says the web addresses could be used to commit ‘spear-phishing’ attacks that aim to dupe MPs, Government aides and even ministers into clicking malicious links or handing over sensitive information.
The UK’s National Cyber Security Centre has warned of Russian hacking group Star Blizzard and Iran-backed cyber-attackers carrying out spear-phishing attacks using the imitation tactic, known as ‘domain spoofing’, in recent years.
But when Mr Emirali raised the issue with the Cabinet Office, he was told they wouldn’t tackle the problem because it would cost too much to buy each and every deceptive web address, which are available for about £10 apiece.
The tech expert told MailOnline he was ‘deeply concerned’ the fake web addresses could fall into ‘nefarious hands’ if something wasn’t done – and that even Sir Keir Starmer could potentially be duped into clicking on a malicious link.
‘Leaving these domains on the open market potentially leaves MPs, ministers, civil servants and even the Prime Minister exposed to becoming victims of a cyber attack,’ he said.
Tech entrepreneur Leon Emirali says he bought up five web addresses that could pass for real Government domains and offered to hand them over free of charge.
He wrote to Chancellor of the Duchy of Lancaster and cybersecurity minister Pat McFadden to make him aware of the security threat.
He is concerned that foreign hackers from Russia could use the fake domains in an attempt to dupe civil servants or even MPs and ministers with dangerous links.
He added that, even if domains like those weren’t seized by foreign hackers, they could be used by scammers to send out waves of phishing emails.
This already happens: criminals try to pose as the HMRC, or the DWP, in order to steal financial details, and for a time imitated the NHS during the pandemic.
But the Cabinet Office, responding to a letter from the former aide, said it would not go down the route of buying up lookalike web addresses because it would be too expensive.
‘CDDO (the government’s Central Digital and Data Office) are well aware of this risk… When looking at options to mitigate this risk, the Government found that the number of ‘lookalike’ domains is simply too large to measure,’ it said.
‘It is currently impossible to survey all of the possible domains, and it would be extremely poor value for taxpayers for the Government to buy all the major combinations, let alone all possible ‘convincing’ domains.’
But Mr Emirali was stunned to find out the Government is doing little to stop these fake web addresses from being snapped up.
‘Phishing attacks can also be devastating on businesses and individuals, and we should all be worried that scammers and criminals could so easily create email addresses that closely resemble official government emails,’ he continued.
‘It is good practice for organisations to buy up domain names that are similar to their official websites and email addresses. I am stunned the government has not taken these steps.’
The ex-adviser began investigating fake web addresses – ‘domains’, as they are formally known – after receiving a number of scam emails that came from addresses closely resembling those from real Government websites.
After buying five of the most deceptive domains at his own expense, he wrote to Pat McFadden, Chancellor of the Duchy of Lancaster and the minister in charge of cyber security, to outline his concerns.
He also offered to transfer the web addresses to the Government free of charge.
In a letter to the Cabinet Office, seen by MailOnline, Mr Emirali wrote: ‘I would urge the UK Government to conduct a full review into other similar domains that are readily available.
‘(The Government should) either purchase these domains to stop them being bought by others, or work with Nominet to block any domain for purchase that could be misassociated with UK Government departments.’
Leon Emirali with former prime minister Theresa May. He says even her successor, Sir Keir Starmer, could be vulnerable to a cyber-attack staged with spoofed web addresses.
An example of a fraudulent HMRC email, posing as a tax refund claim form. Hackers who buy up dodgy domains could send emails like this from real-looking email addresses, making them even more convincing.
Records show that no10gov.uk, the most convincing of Mr Emirali’s fake domains, has now been permanently blocked off.
MailOnline found that some convincing-looking web addresses for the Cabinet Office and the Department for Science, Innovation and Technology can still be snapped up – for just a penny.
Nominet is the company responsible for all website domains ending .uk, and has the power to block any addresses suspected of being used in criminal activities.
It acts as an ‘address book’ for .uk websites – and tearing out an entry effectively leaves a scam website without an identifier, cast off and useless.
The government said in its letter to Mr Emirali it could not ‘entirely prevent fraudsters creating and sending phishing emails all the time’, but added: ‘Please rest assured that the Government takes this risk very seriously.
‘It can, and does, take actions against those who create, use and host domains of this nature for malicious purposes.’
It is not against the law, or any rules on domain registration, to register a web address that looks similar to that used by the government – but that can change if it is used in order to, for example, pose as the government or attempt to commit fraud.
MailOnline looked up some of the potential web addresses on offer and found a number of them, which looked extremely similar to real Government URLs, on sale for just £12.99 a year – sometimes with a 99p introductory offer.
Nominet records show that, since Mr Emirali got in touch with the government, four of the domains he purchased have been marked ‘client renew prohibited’ – meaning he cannot renew them after a year, as is standard when buying web addresses.
But the fifth and most convincing address, no10gov.uk, is listed as ‘server renew prohibited’ – meaning Nominet has banned it from ever being purchased again.
Nick Wenban-Smith, general counsel for Nominet, told MailOnline that it had automatically detected the domain and flagged it as potentially being used for fraud.
But the others, which did not mention ‘gov’ in their address, were not caught straight away.
Mr Wenban-Smith said: ‘We take reports like this seriously, as .UK has a strong safety track record, with comparatively low levels of phishing activity observed to global averages.
‘We operate a first come, first served registration policy, and have several checks and safeguards in place that aim to prevent phishing and take swift action against any illegal activity.
‘All new domain registrations are algorithmically checked for potential risks, including phishing, and one of the domains Mr Emirali registered containing ‘gov’ was successfully caught and suspended as part of this process.’
He added: ‘We operate proactive checks of our own and work closely with law enforcement bodies. Any misuse of .UK domains reported to Nominet is reviewed quickly and suspended if appropriate.’
It’s of small comfort to Mr Emirali, who says there are still huge numbers of convincing-looking URLs out there for criminals and hackers to buy.
He added: ‘The government must take urgent and immediate action to identify any other readily available domain names that are similar to those used by the government and could be utilised by cyber attackers.
‘Failure to act and a consequential phishing attack could see huge consequences for our national security.’
The Cabinet Office was contacted for comment.