Full Report
Scammers are hijacking government websites to upload ads for “leaked” OnlyFans content. Thousands of copyright complaints from adult creators are helping people avoid malicious links.
Analysis Summary
# Incident Report: SEO Poisoning & Hijacking of Government Domains for Fraudulent Content
## Executive Summary
Malicious actors are hijacking official government and educational domains to host fraudulent advertisements for "leaked" OnlyFans content. These high-authority websites are being used to host PDFs and landing pages that redirect users to malicious or scam-oriented websites. Interestingly, the incident has triggered a massive wave of DMCA takedown requests from adult creators, which is inadvertently aiding in the removal of these compromised government pages from search engine results.
## Incident Details
- **Discovery Date:** Early 2024 (Ongoing reporting through July 2024)
- **Incident Date:** Ongoing
- **Affected Organization:** Multiple (including organizations in the US, UK, India, and others)
- **Sector:** Government (.gov), Education (.edu), and International (.int)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing
- **Vector:** Exploitation of vulnerabilities in Content Management Systems (CMS) or insecure file upload portals.
- **Details:** Scammers identify government and academic websites with poor security configurations or unpatched plugins to upload PDF files containing SEO-optimized keywords.
### Lateral Movement
- **Details:** Not explicitly detailed in the report, as the primary goal is "web-shell" style persistence or simple file hosting rather than deep network penetration.
### Data Exfiltration/Impact
- **Impact:** Abuse of domain reputation. Scammers leverage the "trust" of `.gov` and `.edu` domains to rank highly in Google search results for terms like "OnlyFans leaks."
### Detection & Response
- **Detection:** Identified by security researchers and adult content creators monitoring for copyright infringement.
- **Response Actions:** Adult creators are filing thousands of DMCA notices. Google is de-indexing the compromised URLs. Some government agencies are taking pages offline for remediation.
## Attack Methodology
- **Initial Access:** Exploiting misconfigured file upload forms or outdated CMS software (e.g., WordPress, Drupal).
- **Persistence:** Uploading persistent PDF files or hidden subdirectories that remain active until manually deleted by admins.
- **Defense Evasion:** Using legitimate high-authority domains to bypass spam filters and security software that typically trusts government infrastructure.
- **Discovery:** Automated scanning for "open" upload directories on government IPs.
- **Impact:** SEO poisoning/reputation hijacking. The compromised pages redirect users via embedded links to phishing sites or "premium" SMS scams.
## Impact Assessment
- **Financial:** Unknown; potential revenue for scammers via affiliate fraud and malware distribution.
- **Data Breach:** No known sensitive citizen data breached; the impact is primarily on system integrity and resource abuse.
- **Operational:** Disruption of government web services as pages are taken down for cleaning.
- **Reputational:** High. Compromised government sites hosting adult-themed scam content undermines public trust in official digital services.
## Indicators of Compromise
- **Network Indicators:** Links pointing to known scam domains such as `onlyfans-leaks[.]com` (defanged) or redirectors like `bit[.]ly` variations.
- **File Indicators:** Large volumes of PDF files uploaded to unusual directories (e.g., `/uploads/`, `/files/`, `/assets/`) containing pornographic keywords and outbound hyperlinks.
- **Behavioral Indicators:** Sudden spikes in traffic to obscure subdirectories on government domains originating from search engine queries for adult content.
## Response Actions
- **Containment:** Removal of unauthorized PDF files and landing pages.
- **Eradication:** Patching CMS vulnerabilities and disabling public file upload permissions where not required.
- **Recovery:** Filing counter-requests with search engines to restore domain reputation once cleaned.
## Lessons Learned
- **Key Takeaways:** Even "trusted" domains are targets if they provide a platform for SEO manipulation.
- **Security Gaps:** Lack of monitoring for unauthorized file uploads on public-facing government servers.
- **The "DMCA Utility":** Copyright law is being used as a grassroots tool for incident response when official channels are slow to react.
## Recommendations
- **Strict File Upload Policies:** Implement rigorous validation for all file uploads; ensure files are stored in non-executable directories.
- **WAF Deployment:** Use Web Application Firewalls to block common CMS exploit attempts.
- **Regular Audits:** Conduct periodic scans of government subdirectories for unexpected file types (PDFs/HTML) that do not align with the site’s purpose.
- **Monitoring:** Set up Google Search Console alerts for keywords unrelated to government business to detect SEO hijacking early.