Fake OnlyFans Dating Sites Abuse UK Environment Agency Open Redirect

Threat actors abused an open redirect on a website of the UK’s Department for Environment, Food & Rural Affairs (DEFRA) to send visitors to fake OnlyFans dating websites.

OnlyFans, a subscription-based content service, allows paid subscribers to access private photos and videos of celebrities and other social media users.

Because it’s a popular site and its name is well known, threat actors created fake OnlyFans adult dating websites to steal subscribers.

Open redirect abuse on DEFRA

Threat actors used an open redirect to send visitors to a fake OnlyFans dating website through what looked like a legitimate U.K. government link.

Below is an example of such a redirect:

Such redirect URLs can be legitimate: they send visitors from one URL to another, often on an external website.

For example, a website could have a redirect like, which, when clicked, automatically redirects the user to Google.

Anyone can modify an open redirect. This allows threat actors or scammers to create redirects from a legitimate website to any site they choose.

Threat actors can abuse these open redirects to make legitimate-looking links appear in search results. These links send users to malicious websites that show phishing messages or serve malware.
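An added example (not code from the original article or from DEFRA's site): one way a site can validate a redirect parameter so that it cannot be pointed at an arbitrary external address. The allowlisted hosts, the fallback path and the sample values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed for this example: the only external hosts the site may redirect to.
ALLOWED_HOSTS = frozenset({"www.example.org", "maps.example.org"})
FALLBACK = "/"  # where to send the visitor when the target is rejected


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return raw if it is a same-site path or an https URL on an
    allowlisted host; otherwise return fallback."""
    if not raw or len(raw) > 2048:
        return fallback
    # Browsers treat "\" as "/" and drop tabs and newlines inside URLs, so a
    # value containing them can parse differently here than in the browser.
    if "\\" in raw or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in raw):
        return fallback
    try:
        parts = urlsplit(raw)
    except ValueError:  # malformed authority, e.g. an unclosed "["
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative target: accept only a rooted path. "//host" and "///host"
        # are scheme-relative URLs to browsers, so they are refused.
        return raw if raw.startswith("/") and not raw.startswith("//") else fallback
    if parts.scheme != "https":
        return fallback  # refuses javascript:, data:, http:, "//host", ...
    # Exact match on the whole authority: this also refuses userinfo
    # ("trusted@other"), explicit ports and look-alike suffixes.
    return raw if parts.netloc.lower() in allowed_hosts else fallback


# Constructed sample values for the redirect parameter.
SAMPLES = [
    "/river-levels?station=7",
    "https://maps.example.org/flood",
    "https://offsite.example/landing",
    "//offsite.example/landing",
    "/\\offsite.example",
    "https://www.example.org@offsite.example/",
    "https://www.example.org.offsite.example/",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:45} -> {safe_redirect_target(value)!r}")
```

Only the first two sample values are returned unchanged; every other value falls back to the site root instead of leaving the site.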

Analysts at Pen Test Partners discovered the malicious campaign, which exploited an open redirect on DEFRA’s river conditions site, and shared their findings with BleepingComputer.

“Adam Bromiley, one of my coworkers, noticed an open redirect at the UK Environment Agency’s website on Tuesday afternoon. The Google search result showed it while he was searching for datasheets on SoC (hardware System on Chip),” a report from Pen Test Partners explained.

After being added to sites that had been indexed by Google, these redirects appeared in Google search results as promoting porn or adult websites.

Google search results with redirects to fake OnlyFans sites

Source: Pen Test Partners

As the network requests monitored by Fiddler show, clicking on the ‘’ link led visitors through a series of redirects that ultimately landed them on various fake adult sites, such as ‘’, ‘https://rvzqo.impresivedate[.com]’ and ‘www.[.]com’.

The redirect leads to an OnlyFans clone

Source: Pen Test Partners

For example, when the rvzqo.impresivedate[.com] site opens for the first time, there is an animated OnlyFans logo followed by this fake dating website.

Fake OnlyFans dating site

Source: BleepingComputer

Fake OnlyFans websites require users to answer a number of questions about the “date” they want and then redirect them to adult “cheating” sites.

Although most sites accept security reports through HackerOne for their websites, the Environment Agency isn’t part of this program. There was a delay of 24 hours between the discovery of the open redirect and its being reported to the correct person at DEFRA.

The abused DEFRA domain at “” was taken offline, and its DNS records were removed approximately 48 hours after Pen Test Partners submitted their report. The website was not accessible at the time of writing.

, a second Google Search result shopper, noticed the exact same issue and reported it to Twitter.

BleepingComputer reached out to DEFRA regarding the redirect attack. They informed BleepingComputer that they were aware of technical problems and that they moved the content to a location that could still be accessed.

“We are aware that technical problems with the River Thames Conditions website have been identified. Our teams worked fast to transfer the content to a site that the public can access now,” a spokesperson for the U.K. Environment Agency told BleepingComputer.

It isn’t new for adult phishing websites to be pushed through redirects on government-owned sites.

A malicious SEO campaign used an such as to redirect users to porn sites in 2020.

A malicious campaign was also launched in , to redirect users to COVID-19 sites that propagated malware.

We also reported recently on hackers exploiting in order to direct visitors to Microsoft 365 phishing pages.