Heimdal Security Blog

U.K. Agency, the Victim of a Redirect Attack that Sent Users to Fake Porn Sites

The Department for Environment, Food & Rural Affairs (DEFRA) website in the U.K. was the victim of a redirect attack. Cybercriminals used an open redirect to send visitors to fake OnlyFans pages.

What Happened

Threat actors exploited an open redirect that appeared to be a valid UK government URL but instead routed visitors to the bogus OnlyFans dating site.

This is an example of a redirect, via BleepingComputer: “http://riverconditions.environment-agency.gov.uk/relatedlink.html?class=link&link=https://pentestpartners.com”.

A redirect by itself is a legitimate URL on a site that automatically sends users to another website. An open redirect is one whose destination can be modified by anyone.
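One way to stop a parameter like `link` from being steered to arbitrary sites, shown as an added example that is not code from the article or from the DEFRA site: resolve the value, then allow only same-site paths or hosts on an explicit allow-list. The host names, `resolveRedirect` and the fallback path are constructed placeholders.

```javascript
// Added example: validate the destination carried in a redirect parameter
// (such as `link`) before sending the visitor anywhere.
// All host names below are constructed placeholders, not real services.
const SITE_ORIGIN = "https://www.example.gov.uk";
const ALLOWED_HOSTS = new Set(["partner.example.org"]);
const FALLBACK = "/";

function resolveRedirect(rawLink, allowedHosts = ALLOWED_HOSTS, siteOrigin = SITE_ORIGIN) {
  // Missing or repeated parameters (arrays) are not a usable destination.
  if (typeof rawLink !== "string" || rawLink.length === 0) return FALLBACK;

  // Control characters and backslashes are normalised inconsistently
  // between parsers, so refuse them instead of guessing.
  if (/[\u0000-\u001f\u007f\\]/.test(rawLink)) return FALLBACK;

  let target;
  try {
    // Resolving against the site origin also handles relative paths
    // and protocol-relative values such as "//host/path".
    target = new URL(rawLink, siteOrigin);
  } catch {
    return FALLBACK;
  }

  // Only HTTPS destinations; this also drops javascript:, data:, etc.
  if (target.protocol !== "https:") return FALLBACK;

  // "https://trusted@other-host/" displays a trusted name but goes elsewhere.
  if (target.username !== "" || target.password !== "") return FALLBACK;

  // Same-site destination: return a path only, never an absolute URL.
  if (target.origin === siteOrigin) {
    return target.pathname + target.search + target.hash;
  }

  // External destination: exact host match on the default port only.
  if (allowedHosts.has(target.hostname) && target.port === "") {
    return target.href;
  }
  return FALLBACK;
}
```

Exact host matching is deliberate: suffix or substring checks would accept a look-alike such as `partner.example.org.unlisted.example.net`.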

In this case, hackers created bogus OnlyFans sites, such as ‘kap5vo.cyou’, ‘https://rvzqo.impresivedate[.]com’, and more, for malicious purposes. They chose a widely used service that offers users access to adult content for a subscription so they could steal users’ personal information.

By abusing open redirects, threat actors make sure that those links appear legitimate in search results while sending visitors to phishing sites created specifically for this purpose.

The Timeline of the Attack

The malicious campaign targeting DEFRA’s website was discovered on 3 January 2023, by Pen Test Partners.

These redirects were listed as Google search results promoting porn and adult sites, likely after being added to websites that were then indexed by Google’s indexing bots.

But it took the researchers another 24 hours to find the IT security person in DEFRA as the agency “hasn’t followed wider UK government policy on vulnerability disclosure”.

Roughly 48 hours after the disclosure, the abused domain was taken offline, its DNS records erased, and the content moved to a new online location.

This is not the first time that open redirects on governmental sites have been abused: in 2020 numerous U.S. government websites were abused, and in the same year an open redirect on HHS.gov was used to redirect visitors to fake COVID-19 sites that spread malware. In August 2022, open redirects on the Snapchat and American Express sites were also used in an attack.