  • Fake OnlyFans dating sites abuse UK Environment Agency open redirect

    alf9872000


    Threat actors abused an open redirect on the official website of the United Kingdom's Department for Environment, Food & Rural Affairs (DEFRA) to direct visitors to fake OnlyFans adult dating sites.


    OnlyFans is a content subscription service where paid subscribers get access to private photos, videos, and posts from adult models, celebrities, and social media personalities.


    As it is a widely used site, and the name is recognizable, threat actors have created a series of fake OnlyFans adult dating sites to gain subscribers or steal people's personal information.

    Abusing open redirect on DEFRA

    As part of this malicious campaign, threat actors abused an open redirect at a URL that looked like a legitimate U.K. government link but redirected visitors to the fake OnlyFans dating site.


    An example of this redirect is below:

    http://riverconditions.environment-agency.gov.uk/relatedlink.html?class=link&link=https://pentestpartners.com

    Redirects are legitimate URLs on a website that automatically send users from the initial site to another URL, commonly at an external site.


    For example, a website could have a redirect like www.example.com/redirect/www.google.com, which, when clicked, automatically redirects the user to Google.


    An open redirect is one whose destination can be modified by anyone, because the site does not validate where the link parameter points; this lets threat actors and scammers create redirects from a legitimate site to any site they want.


    This allows threat actors to abuse open redirects and cause legitimate links to appear in search results that send visitors to websites under their control to display phishing forms or deliver malware.
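    The check that was missing in the abused relatedlink.html handler, as an added illustration (not DEFRA's or Pen Test Partners' code): a weak handler that forwards whatever ?link= says beside a hardened one that only honours http(s) destinations on an allowlist. The allowlist hosts and the sample request URLs are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs, urlunsplit

# Constructed allowlist: hosts this page is allowed to send visitors to.
# (Assumption for the example; not the agency's real configuration.)
ALLOWED_HOSTS = {"environment-agency.gov.uk", "gov.uk"}
FALLBACK = "/"  # local path used whenever the requested destination is rejected


def vulnerable_redirect_target(request_url: str) -> str:
    """The open-redirect pattern: the ?link= value is used as-is."""
    qs = parse_qs(urlsplit(request_url).query)
    return qs.get("link", [FALLBACK])[0]


def _host_allowed(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def safe_redirect_target(request_url: str) -> str:
    """Hardened handler: only absolute http(s) URLs whose hostname is on the
    allowlist are returned. Other schemes, scheme-relative //host values,
    userinfo tricks (allowed.host@evil.host) and unparseable input all fall
    back to a local path instead of an attacker-chosen destination."""
    qs = parse_qs(urlsplit(request_url).query)
    link = qs.get("link", [None])[0]
    if not link:
        return FALLBACK
    try:
        parts = urlsplit(link)
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return FALLBACK
    if parts.scheme not in ("http", "https") or not host:
        return FALLBACK
    if parts.username or parts.password:
        return FALLBACK
    if not _host_allowed(host):
        return FALLBACK
    # Re-emit only the vetted parts, dropping userinfo and fragment.
    netloc = host + (f":{port}" if port else "")
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))
```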


    The malicious campaign abusing the open redirect on DEFRA's river conditions site was discovered last week by analysts at Pen Test Partners, who shared their findings with BleepingComputer.


    "On Tuesday afternoon, one of my colleagues Adam Bromiley noticed an open redirect on the UK's Environment Agency web site. It popped up during a Google search whilst he was looking for SoC (hardware System on Chip) datasheets!" explained the report by Pen Test Partners.


    These redirects were listed as Google search results promoting porn and adult sites, likely after being planted on websites that Google's crawlers then indexed.


    Google search results with redirects to fake OnlyFans sites
    Source: Pen Test Partners


    As seen in the network requests captured with Fiddler, clicking the 'riverconditions.environment-agency.gov.uk/relatedlink.html' link led visitors through a series of redirects that ultimately landed them on various fake adult sites, such as 'kap5vo.cyou', 'https://rvzqo.impresivedate[.]com', and more.


    The redirection process leads to impressivedate.com, an OnlyFans clone
    Source: Pen Test Partners


    For example, when the rvzqo.impresivedate[.]com site is first opened, it displays a large animated OnlyFans logo and then loads the fake dating site shown below.


    Fake OnlyFans dating site
    Source: BleepingComputer


    These fake OnlyFans sites prompt the user to answer a series of questions regarding the type of "date" they are looking for and ultimately redirect them once again to adult "cheating" sites.


    While most '.gov.uk' sites accept security reports via HackerOne, the Environment Agency is not part of the program. Therefore, there was a 24-hour delay between finding the open redirect and reporting it to the right person at DEFRA.


    The abused DEFRA domain "riverconditions.environment-agency.gov.uk" was taken offline, and its DNS records were removed approximately 48 hours after Pen Test Partners submitted their report. Unfortunately, the website is still unreachable at the time of writing.


    At the same time, a second researcher noticed the same issue via Google Search results and publicly disclosed the issue on Twitter.


    BleepingComputer contacted DEFRA about the redirect attack and was told that the agency was aware of the technical issues and moved the content to a new location that can still be accessed.


    "We are aware of the technical issues with the River Thames conditions website. Our teams have worked quickly to move the content to a new site which the public can now easily access," a U.K. Environment Agency spokesperson told BleepingComputer.


    The abuse of government open redirect sites to push adult phishing sites is not new.


    In 2020, a malicious SEO campaign abused an open redirect on numerous U.S. government websites, such as weather.gov, to redirect visitors to porn sites.


    Another malicious campaign that year abused an open redirect on HHS.gov to redirect visitors to COVID-19 phishing sites that spread malware.


    More recently, we reported on attackers exploiting open redirects on the Snapchat and American Express sites to lead visitors to Microsoft 365 phishing sites.
