Threat actors abused an open redirect on the official website of the United Kingdom's Department for Environment, Food & Rural Affairs (DEFRA) to direct visitors to fake OnlyFans adult dating sites.
OnlyFans is a content subscription service where paid subscribers gain access to private photos, videos, and posts from adult models, celebrities, and social media personalities.
As it is a widely used site, and the name is recognizable, threat actors have created a few fake OnlyFans adult dating sites to gain site subscribers or steal people's personal data.
As part of this malicious campaign, threat actors abused an open redirect that appeared to be a legitimate U.K. government link but redirected visitors to the fake OnlyFans dating site.
Redirects are legitimate URLs on a website that automatically send users from the initial site to another URL, commonly at an external site.
An open redirect can be modified by anyone, allowing threat actors and scammers to create redirects from a legitimate site to any site they want.
This allows threat actors to abuse open redirects and cause legitimate links to appear in search results that send visitors to websites under their control to display phishing forms or deliver malware.
The malicious campaign abusing the open redirect on DEFRA's river conditions site was discovered last week by analysts at Pen Test Partners, who shared their findings with BleepingComputer.
"On Tuesday afternoon, one of my colleagues Adam Bromiley noticed an open redirect on the UK's Environment Agency web site. It popped up during a Google search whilst he was looking for SoC (hardware System on Chip) datasheets!," explained the report by Pen Test Partners.
These redirects were listed as Google search results promoting porn and adult sites, likely after being added to websites that were then indexed by Google's indexing bots.
Google search results with redirects to fake OnlyFans sites (Source: Pen Test Partners)
As you can see from the network requests monitored by Fiddler, clicking on the 'riverconditions.environment-agency.gov.uk/relatedlink.html' link led the visitors through a series of redirects that ultimately landed them on various fake adult sites, such as 'kap5vo.cyou' and more.
Fake OnlyFans dating sites abuse UK Environment Agency open redirect
The redirection process leads to impressivedate, an OnlyFans clone (Source: Pen Test Partners)
For example, when the rvzqo.impresivedate[.]com site is first opened, it displays a large animated OnlyFans logo, followed by the following fake dating site.
Fake OnlyFans dating site (Source: BleepingComputer)
These fake OnlyFans sites prompt the user to answer a series of questions regarding the type of "date" they are looking for and ultimately redirect them once again to adult "cheating" sites.
While most '.gov.uk' sites accept security reports via HackerOne, the Environment Agency is not part of the program. Therefore, there was a 24-hour delay between finding the open redirect and reporting it to the right person at Defra.
The abused DEFRA domain at "riverconditions.environment-agency.gov.uk" was taken offline, and its DNS records were removed approximately 48 hours after Pen Test Partners submitted their report. Unfortunately, the website is still unreachable at the time of writing this.
At the same time, a second researcher noticed the same issue via Google Search results and publicly disclosed the issue on Twitter.
BleepingComputer contacted DEFRA about the redirect attack and was told that the agency was aware of the technical issues and moved the content to a new location that can still be accessed.
"We are aware of the technical issues with the River Thames conditions website. Our teams have worked quickly to move the content to a new site which the public can now easily access," a U.K. Environment Agency spokesperson told BleepingComputer.
In 2020, a malicious SEO campaign abused an open redirect on numerous U.S. government websites to redirect visitors to porn sites.
Another malicious campaign that year abused an open redirect to send visitors to COVID-19 phishing sites that spread malware.
More recently, we reported on attackers exploiting open redirects on the Snapchat and American Express sites to lead visitors to Microsoft 365 phishing sites.