UK Environment Agency website used to send people to fake porn sites

Threat actors exploited an open redirect available on the site

The official website of the UK's Department for Environment, Food & Rural Affairs (DEFRA) had an open redirect that threat actors abused to send visitors to numerous porn sites, including fake OnlyFans adult dating websites.

Redirects are URLs on a website that automatically reroute users from the original site to another URL, usually at an external site. An open redirect is one where the destination is taken from a request parameter that anyone can modify, enabling them to craft a link from a trustworthy website to any website they like.

This can be problematic. Threat actors may take advantage of open redirection to make trustworthy links appear in search results and route users to websites they control, where they can display phishing forms or deliver malware.

Researchers at Pen Test Partners last week spotted the malware campaign that used the open redirect on DEFRA's river conditions website.

In a blog post, researcher Adam Bromiley said that they discovered the open redirect on a DEFRA website, which appeared via a Google search for SoC (hardware System on Chip) datasheets.

Below is an example of this redirection:

http://riverconditions.environment-agency.gov.uk/relatedlink.html?class=link&link=https://pentestpartners.com
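The example URL above shows the shape of the problem: the `link` query parameter is used as the redirect target without any check on where it points. The following is an added example (not code from the article, Pen Test Partners, or DEFRA) of how a redirect handler can validate that parameter against an allowlist of hosts, and how the same check can be run over web server access logs to spot requests that abused the redirect. The allowlist, the `relatedlink.html` handler name and the log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hosts this site is allowed to send visitors to (hypothetical allowlist).
ALLOWED_HOSTS = {"environment-agency.gov.uk", "gov.uk"}


def _host_allowed(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def is_safe_redirect(target: str) -> bool:
    """Return True only for a same-site absolute path or an allowlisted host."""
    if not target:
        return False
    # Browsers treat "\" like "/" in URLs, so "/\evil.example" parses here as a
    # relative path but is followed by the browser as a scheme-relative URL.
    normalised = target.replace("\\", "/")
    if normalised.startswith("//"):
        return False  # scheme-relative URL -> external host
    parts = urlsplit(normalised)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: require a leading "/" so it stays on this site.
        return normalised.startswith("/")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data: and similar schemes are rejected
    if not parts.netloc:
        return False
    # .hostname drops userinfo and port, so "https://trusted@evil.example"
    # is judged by "evil.example", not by the text before the "@".
    return _host_allowed(parts.hostname or "")


def resolve_relatedlink(request_url: str) -> str:
    """Destination a hardened relatedlink handler would use for request_url.

    The original handler redirected to whatever the link parameter contained;
    this one falls back to the site root when the parameter is rejected.
    """
    query = parse_qs(urlsplit(request_url).query)
    link = query.get("link", [""])[0]
    return link if is_safe_redirect(link) else "/"


# Constructed access-log lines in common log format, not real DEFRA logs.
LOG_LINES = [
    '203.0.113.5 - - [01/Jan/2023:10:00:00 +0000] "GET /relatedlink.html?class=link&link=https://www.gov.uk/flood HTTP/1.1" 302 0',
    '203.0.113.6 - - [01/Jan/2023:10:00:01 +0000] "GET /relatedlink.html?class=link&link=https://pentestpartners.com HTTP/1.1" 302 0',
    '203.0.113.7 - - [01/Jan/2023:10:00:02 +0000] "GET /relatedlink.html?class=link&link=//evil.example/ HTTP/1.1" 302 0',
    '203.0.113.8 - - [01/Jan/2023:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1234',
]

_REQUEST_RE = re.compile(r'^(\S+) .*"GET (\S+) HTTP/')


def find_abused_redirects(lines):
    """Return (client_ip, link) for every request whose redirect target fails the check."""
    hits = []
    for line in lines:
        match = _REQUEST_RE.match(line)
        if not match:
            continue
        client_ip, path = match.groups()
        if not path.startswith("/relatedlink.html"):
            continue
        link = parse_qs(urlsplit(path).query).get("link", [""])[0]
        if not is_safe_redirect(link):
            hits.append((client_ip, link))
    return hits


if __name__ == "__main__":
    print(resolve_relatedlink(
        "http://riverconditions.example/relatedlink.html?class=link&link=https://pentestpartners.com"))
    for ip, link in find_abused_redirects(LOG_LINES):
        print(f"{ip} was redirected off-site to {link}")
```

The check deliberately rejects anything it cannot positively classify: scheme-relative `//host` targets, backslash variants, non-HTTP schemes, and hosts hidden behind userinfo all fall through to the site root. The log scan reuses the same predicate, so the detection and the fix cannot drift apart.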

According to BleepingComputer, users who clicked on the 'riverconditions.environment-agency.gov.uk/relatedlink.html' link were eventually sent to a number of phoney porn websites, including 'kap5vo[.]cyou', 'rvzqo.impresivedate[.]com', and others.

When a visitor initially enters the rvzqo.impresivedate[.]com website, it shows a large animated OnlyFans logo, followed by a bogus dating site.

All these bogus OnlyFans websites ask users a series of questions about the kind of "date" they are seeking before re-directing them again to adult "cheating" websites.

The researchers said they tried to use the HackerOne programme to confidentially inform DEFRA about the vulnerability, but since DEFRA is not a member of that programme, there was a 24-hour lag between discovering the open redirect and reporting it to the appropriate official at the agency.

About 48 hours after Pen Test Partners submitted their report, the abused DEFRA domain at "riverconditions.environment-agency.gov.uk" was taken down and its DNS records were deleted.

Interestingly, a second researcher discovered the same problem at the same time through unusual Google search results and made the issue public on Twitter.

The server was running Windows 2003 and may have exposed RDP, according to the Pen Test Partners researchers.

"We are aware of the technical issues with the River Thames conditions website. Our teams have worked quickly to move the content to a new site which the public can now easily access," a UK Environment Agency spokesperson said.

The researchers at Pen Test Partners advise against using outdated web servers to host government websites.

They also recommend that admins check their sites for open redirects, and make it simple for vulnerabilities to be disclosed.