Date: Jan 2023
Location: United Kingdom

Summary

In early January 2023, threat actors abused an open redirect on a UK government river-conditions website (a subdomain of environment-agency.gov.uk) to send visitors to fraudulent OnlyFans-themed adult dating sites built to harvest personal information or recruit paying subscribers. Security researchers found the malicious links in Google search results: each presented the legitimate gov.uk domain as the visible link and funneled the user through several redirects to phishing pages impersonating the content service. The abused subdomain was taken offline within about two days of the report and its content migrated to another official site. The incident fits a recurring pattern in which redirect flaws on trusted government web infrastructure lend that infrastructure's reputation to credential theft and malware distribution.


Description

In early January 2023, threat actors exploited an open redirect vulnerability on 'riverconditions.environment-agency.gov.uk', an Environment Agency site under the United Kingdom's Department for Environment, Food & Rural Affairs (DEFRA), to redirect visitors to fraudulent OnlyFans-themed adult dating sites. The site's '/relatedlink.html' endpoint took a destination URL from its query parameters and redirected the browser to it without checking that the destination belonged to a trusted host, so the attackers could craft links that began with an official U.K. government hostname but ended on domains they controlled. Because the visible link looked like a legitimate government resource, it carried users to phishing platforms impersonating OnlyFans, a subscription-based content service. The fake sites, hosted on domains such as 'kap5vo[.]cyou' and 'rvzqo.impresivedate[.]com', displayed OnlyFans branding and asked visitors for personal information under the guise of dating preferences, then funneled them on to adult "cheating" sites. Security researchers at Pen Test Partners discovered the campaign on or around January 3, 2023, when an analyst noticed the open redirect during a routine Google search for hardware documentation: Google had indexed the crafted links, which were appearing in search results promoting adult content. Network traffic analysis showed several redirect hops before the final fraudulent domains, a chain that keeps the final destination out of the indexed link and lets intermediate hosts be rotated, consistent with deliberate obfuscation.
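
The weakness described above, as an added example that is not code from the affected site or from Pen Test Partners: a minimal Python model of a "related link" redirector in its vulnerable form beside a hardened version. The '/relatedlink.html' path is taken from the incident; the query parameter name 'url', the allow-list of hosts and the 'attacker.example' domain are assumptions constructed for illustration, not details from the report.

```python
"""Open redirect via a 'related link' endpoint: vulnerable target handling
beside a hardened version.

Added example, not code from the affected site or from Pen Test Partners.
The '/relatedlink.html' path is from the incident write-up; the parameter
name 'url', ALLOWED_HOSTS and 'attacker.example' are assumptions.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

ENDPOINT = "https://riverconditions.environment-agency.gov.uk/relatedlink.html"

# Assumed allow-list: the only hosts the redirector may send a visitor to.
ALLOWED_HOSTS = {
    "riverconditions.environment-agency.gov.uk",
    "environment-agency.gov.uk",
    "www.gov.uk",
}
ALLOWED_SCHEMES = {"https"}
FALLBACK = "/"  # where to send the user when the requested target is rejected


def _requested(request_url: str) -> str:
    """Pull the ?url= value (assumed parameter name) out of the request URL."""
    return parse_qs(urlsplit(request_url).query).get("url", [""])[0].strip()


def vulnerable_target(request_url: str) -> Optional[str]:
    """The open-redirect pattern: whatever the client supplies becomes the
    Location header, so any absolute URL, including an attacker's, is served
    under the trusted gov.uk hostname."""
    return _requested(request_url) or None


def hardened_target(request_url: str) -> str:
    """Accept only (a) a same-site relative path or (b) an absolute https URL
    whose host is exactly on ALLOWED_HOSTS; anything else goes to FALLBACK."""
    candidate = _requested(request_url)
    if not candidate:
        return FALLBACK
    # Browsers treat '\' like '/' in URLs, so '/\evil' would parse here as a
    # path but be followed as a protocol-relative URL. Normalise first.
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)

    if not parts.scheme and not parts.netloc:
        # Relative target: exactly one leading '/', never '//' (protocol-relative).
        if candidate.startswith("/") and not candidate.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
        return FALLBACK

    # Absolute target: match the whole netloc (so no userinfo, no port) exactly
    # against the allow-list. 'www.gov.uk@attacker.example' and
    # 'www.gov.uk.attacker.example' both fail; suffix matching would let them through.
    netloc = parts.netloc.lower()
    if parts.scheme.lower() in ALLOWED_SCHEMES and netloc in ALLOWED_HOSTS:
        return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", parts.query, parts.fragment))
    return FALLBACK


if __name__ == "__main__":
    # Constructed probes: one legitimate link and several bypass attempts.
    for q in (
        "https://www.gov.uk/rivers",
        "/flood-warnings%3Farea%3Dthames",
        "https://attacker.example/",             # plain external target
        "//attacker.example/",                   # protocol-relative
        "/%5Cattacker.example",                  # backslash trick
        "https://www.gov.uk@attacker.example/",  # userinfo trick
        "https://www.gov.uk.attacker.example/",  # suffix-match trick
        "javascript:alert(1)",
    ):
        req = f"{ENDPOINT}?url={q}"
        print(f"{q:40} vulnerable -> {vulnerable_target(req)!s:40} hardened -> {hardened_target(req)}")
```

Running the module prints the vulnerable and hardened results side by side for each probe. The design choice worth noting is exact allow-list matching on the whole authority component rather than a prefix or suffix check on the string, since prefix checks are defeated by 'trusted@attacker' userinfo and suffix checks by 'trusted.attacker' subdomains. A redirector that never accepts a caller-supplied URL at all, and instead maps a server-side identifier to a destination, removes the class of bug entirely.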


Pen Test Partners reported the vulnerability to DEFRA, but the report was delayed by around 24 hours because the Environment Agency was not enrolled in the HackerOne program through which most '.gov.uk' domains accept security disclosures. Roughly 48 hours after receiving the report, DEFRA disabled the affected subdomain and removed its DNS records, so the crafted links no longer resolved at all rather than redirecting. Legitimate river-condition monitoring content was migrated to a new GOV.UK platform to keep it publicly available. A DEFRA spokesperson confirmed awareness of the technical issues and emphasized the rapid response taken to secure the service. Meanwhile, independent researchers disclosed the vulnerability publicly on Twitter, noting that it was still being exploited. The incident was not isolated: similar open redirect abuse had been used against U.S. government domains, including weather.gov and HHS.gov, in 2020 to distribute malware or phishing content. The DEFRA case underscored the persistent risk of unvalidated redirect mechanisms on trusted government platforms, whose domain reputation lends credibility to whatever destination they redirect to.
