Cybercriminals are increasingly using 1.usa.gov links in their spam campaigns to trick users into thinking the links lead to genuine US government Web sites. How are they pulling it off? It turns out this comes down to a simple loophole in Bit.ly links.

Here’s how USA.gov short URLs are described by the US government:

Now, whenever anyone uses bitly to shorten a URL that ends in .gov or .mil, they will receive a short, trustworthy 1.USA.gov URL in return. To create a 1.USA.gov URL, simply go to bitly.com, paste in a long .gov or .mil URL, and click shorten. There’s no need to log in.

As Symantec points out, however, spammers can use an open-redirect vulnerability on a .gov site to set up a 1.usa.gov URL that ends up taking the victim to a spam website. For example, something like 1.usa.gov/…/Rxpfn9 takes you to labor.vermont.gov/LinkClick.aspx?link=[spam site], which then redirects you to the spam site in question.
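The loophole above exists because the shortener only looks at the host of the long URL. The following added example (not code from Symantec, bitly or USA.gov) sketches a check that also inspects query parameters for a forwarding target outside .gov/.mil; the function names are hypothetical and `spam.example` is a constructed placeholder for the spam site.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

TRUSTED_SUFFIXES = (".gov", ".mil")

def is_trusted_host(host):
    """True only when the hostname itself ends in .gov or .mil."""
    return (host or "").lower().rstrip(".").endswith(TRUSTED_SUFFIXES)

def url_host(value):
    """Hostname if value parses as an http(s) or scheme-relative URL, else None."""
    value = value.strip()
    if value.startswith("//"):          # scheme-relative targets also leave the site
        value = "http:" + value
    try:
        parts = urlsplit(value)
    except ValueError:                  # malformed netloc, e.g. a broken IPv6 literal
        return None
    return parts.hostname if parts.scheme in ("http", "https") else None

def embedded_hosts(url, max_decode=3):
    """(parameter, host) pairs for query values that carry a URL."""
    found = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for _ in range(max_decode):     # parse_qsl decoded once; peel extra layers
            host = url_host(value)
            if host:
                found.append((name, host))
                break
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
    return found

def review_long_url(url):
    """Return (verdict, offsite) where verdict is 'allow', 'flag' or 'reject'."""
    if not is_trusted_host(url_host(url)):
        return "reject", []             # not a .gov/.mil page at all
    offsite = [(p, h) for p, h in embedded_hosts(url) if not is_trusted_host(h)]
    return ("flag", offsite) if offsite else ("allow", [])

if __name__ == "__main__":
    # Constructed samples following the URL pattern quoted in the article.
    for u in ("http://labor.vermont.gov/LinkClick.aspx?link=http%3A%2F%2Fspam.example%2F",
              "http://labor.vermont.gov/LinkClick.aspx?link=https://www.usa.gov/"):
        print(review_long_url(u), u)
```

A "flag" verdict means the long URL should not receive a trusted short link without review; the underlying fix remains for the .gov site to stop redirecting to arbitrary `link` values.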

From there, spammers can make the spam site look more legitimate by designing it to look like a government Web page. Any links included therein will of course lead to spam, or even worse, malware.

Since the 1.USA.gov Data Web page can let you know the number of clicks on a 1.usa.gov URL, Symantec could dig deeper into a recent spam campaign. The security company found that this is a recent phenomenon: in the last week, over 43,049 clicks were made through 1.usa.gov shortened URLs to 10 spam domains. Unsurprisingly, most of them came from the US, according to the firm’s analysis:

In addition to volume, the data also provides some insight into the locations of the clicks. 36,664 of 43,049 spam clicks had a country code associated with them. There were 124 countries identified. The top four countries on a daily basis were the United States, Canada, Australia, and Great Britain. In aggregate, the United States made up the biggest slice with 61.7 percent of the clicks.

This is a perfect example of why you should never blindly click on a link, even if it appears to be legitimate. If you can help it, only navigate to websites manually, and don’t click on links that are shared with you unless you absolutely know what they are.

Image credit: Martyn E. Jones
