Redirected, Taken Over, & Defaced: Legitimate Hong Kong Websites Abused to Serve Users to Online Gambling and Adult Content

Per our continuous monitoring, Dark Lab has tracked multiple open redirection, site takeovers, and defacement cases weaponising Hong Kong organisations’ websites. Typically exploited to serve users to adult content, online gambling, and/or phishing sites, these attacks pose significant risks to organisations – including reputational damage, loss of user trust, and potential legal implications. In cases whereby attackers achieve internal access, organisations may face added risks given malicious actors’ unauthorised access to victims’ internal environments – providing opportunity to further perform malicious activities such as web shell deployment, data exfiltration, and more.

We observe this emerging trend reflected via open-source intelligence, with various reports of Search Engine Optimisation (SEO) manipulation in which legitimate sites have been weaponised to direct users to Indonesian gambling sites. In addition, we have detected numerous newly registered domains promoting similar gambling content at scale. Per our ongoing young domain monitoring, we observed over 190 newly registered domains containing the keyword ‘slot’ in a single day. This highlights the sheer volume at which Indonesian gambling-themed sites are being distributed for financial gain.

As threat actors continuously adapt their means of attack, it is crucial that organisations remain wary of the latest threats and harden Internet-facing assets accordingly – particularly those built on technologies frequently targeted by malicious actors.

This blog is part of a two-part series – stay tuned for our deep dive into the technical details and how you can defend against these emerging threats.

Hong Kong Websites Abused for SEO Poisoning

SEO poisoning, otherwise known as SEO manipulation, is a technique in which malicious actors manipulate search engine rankings to make their attacker-controlled websites appear at the top of search results. Since late 2024, we have observed the emergence of open redirection and web defacement attacks against legitimate Hong Kong websites, weaponising the trusted sites to push online gambling-related and adult content. This further led to our discovery and subsequent monitoring of subdomain takeovers geared towards delivering similar content.

In Q1 2025, we tracked 34 cases of open redirection attacks – whereby malicious actors exploited (sub)domains with insufficient validation to craft URLs that redirect users to their malicious site(s):

Note: recent tracking indicates heightened targeting against non-commercial sectors 
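The "insufficient validation" behind these open redirects, shown as an added example (not code from the cases above): a prefix check that a crafted URL passes, beside a stricter validator for a redirect parameter. The host names, the allowlist and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only external hosts this site may redirect to (constructed names).
ALLOWED_HOSTS = {"www.example.org", "donate.example.org"}
FALLBACK = "/"  # where to send the user when the target is rejected


def naive_is_allowed(raw: str) -> bool:
    """Insufficient validation: a string-prefix test on the raw URL."""
    return raw.startswith("https://www.example.org")


def safe_redirect_target(raw: str) -> str:
    """Return raw only for a same-site path or an allowlisted https host."""
    # Reject control characters, whitespace and backslashes up front:
    # browsers strip or normalise them, so the parsed and navigated URLs differ.
    if not raw or any(ord(c) <= 0x20 or c in "\\\x7f" for c in raw):
        return FALLBACK
    try:
        parts = urlsplit(raw)
    except ValueError:
        return FALLBACK
    # Same-site path: must start with a single "/" ("//host" is scheme-relative).
    if not parts.scheme and not parts.netloc:
        return raw if raw.startswith("/") and not raw.startswith("//") else FALLBACK
    # Absolute URL: https only, exact host match, no userinfo or port in netloc.
    host = parts.hostname or ""
    if parts.scheme == "https" and parts.netloc.lower() == host and host in ALLOWED_HOSTS:
        return raw
    return FALLBACK


if __name__ == "__main__":
    # Constructed inputs covering common validation gaps.
    for candidate in [
        "/events?id=3",
        "https://www.example.org/about",
        "https://www.example.org.slots.example.net/",  # passes the prefix check
        "https://www.example.org@slots.example.net/",  # userinfo trick
        "//slots.example.net/",                        # scheme-relative
        "javascript:alert(1)",
    ]:
        print(f"{candidate!r:50} naive={naive_is_allowed(candidate)!s:5} "
              f"-> {safe_redirect_target(candidate)!r}")
```
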

Similarly, throughout Q1 2025, we tracked 38 cases of web defacements against Hong Kong. Rather than redirecting unsuspecting users to an untrusted, third-party website – the attacker exploits vulnerable web servers to display their malicious content directly on the victim’s site.  

Case Study: Hong Kong Not-for-Profit Webpage Compromised for Defacement AND Open Redirection to Online Gambling Content

In mid-March, we observed a case in which a local not-for-profit’s subdomain was compromised to both deface the webpage with Indian online gambling content, and further redirect to their attacker-controlled site hosting similar gambling content. Investigation into the compromised subdomain revealed the likely root cause, being its susceptibility to various known PHP-related vulnerabilities.

Figure 1: Impacted server observed to be vulnerable to various PHP-related vulnerabilities, allowing for unsafe redirects
Figure 2: Defacement of not-for-profit subdomain to serve online gambling and sports betting content
Figure 3: Open Redirection of same subdomain to Indian online gambling site

Why is Asia at the centre of these attacks?

Whilst we focused our tracking on abuse of Hong Kong websites, we have observed multiple recent reports of similar cases indicating an ongoing, regional abuse of websites across the wider Asia Pacific. These campaigns typically redirect users to online gambling or adult content sites. But why?

Indonesian Gambling Sites

Multiple cases that we, as well as public reporting, observed served users to online gambling sites intended for the Indonesian audience. We posit this correlates to government efforts to tackle online gambling in the country following the recent October 2024 election, evidenced by their recent implementation of artificial intelligence (AI) to block illegal gambling content.[1],[2],[3]

Despite gambling bans since 1993, Indonesia faces a staggering gambling problem, largely amplified through online gambling. In 2023, the country was reported to experience an approximate loss of $30.7 billion due to online gambling – distributed across four (4) million online gamblers, 11% of which were under the age of twenty (20).[4] We posit that the SEO manipulation observed in the aforementioned cases is a means by which the online gambling operators may counteract their loss of income as a result of law enforcement takedown.

This was (and continues to be) reflected in the case of the Philippines’ ban of Philippine Offshore Gaming Operators (POGOs) in late 2023. Following the demise of the POGO industry, POGO operators swiftly repurposed their infrastructure and personnel to conduct various illicit scam activities.[5],[6] In addition to the operators themselves, it was suspected that other opportunistic threat actors jumped on the bandwagon, establishing phishing sites masquerading as online gambling operators to prey on vulnerable individuals. As we projected in our 2025 Cyber Threat Landscape Predictions blog, we anticipate a continued growth in SEO campaigns pushing online gambling phishing sites amidst regional crackdown.[7]

Another angle to consider, reflected in both the cases of Indonesia and the Philippines, is that most online gambling operators are from abroad. Capitalising on the “grey area” of the laws in place, these offshore operators may bypass legal implications whilst still serving their gambling content to Indonesian and Philippine users. We observe discussion on how to achieve financial gain through this ‘loophole’ both through legitimate affiliate marketing platforms[8], and dark web discussions.

Figure 4: Dark web discussion seeking advice for SEO strategy and Digital Marketing for “Indonesia in which casino and gambling is banned”
Figure 5: Dark web discussion providing “iGaming SEO tips for your casino”

What was further observed throughout our monitoring is the frequent use of Google Tag Manager (GTM) as a driver to further enhance the SEO ranking of these online gambling sites. Operating as a free management platform intended for marketers to manage and configure marketing tools – such as AdSense and Google Analytics – it is no surprise that the actor(s) behind these sites abuse the legitimate platform to expand the visibility of their sites, and by extension increase their likelihood of return on investment.[9]

Figure 6: Google Tag Manager tag observed embedded within online gambling sites
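One way a defender could combine the two observations above, the ‘slot’ keyword in newly registered domains and the GTM tag embedded in the gambling sites, is to group keyword-matching domains by shared GTM container ID. This is an added example, not Dark Lab's tooling; the domains, HTML snippets and container IDs are constructed, and the ID pattern is an assumption about the usual `GTM-XXXXXXX` shape.

```python
import re
from collections import defaultdict

# Assumption: container IDs look like "GTM-" plus 4-10 uppercase alphanumerics.
GTM_ID = re.compile(r"\bGTM-[A-Z0-9]{4,10}\b")

# Constructed sample: (newly registered domain, homepage HTML as fetched).
SAMPLE = [
    ("gacor-slot88.example",
     '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-AAAA111"></script>'),
    ("slotmaxwin.example",
     '<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-AAAA111"></iframe>'),
    ("slot-online77.example",
     '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-CCCC333"></script>'),
    ("megaslot.example", "<html><body>no tag manager here</body></html>"),
    ("flower-shop.example",
     '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-BBBB222"></script>'),
]


def keyword_hits(records, keyword="slot"):
    """Keep records whose domain name contains the monitored keyword."""
    return [(domain, html) for domain, html in records if keyword in domain.lower()]


def cluster_by_gtm(records):
    """Map each GTM container ID to the domains embedding it (shared IDs only)."""
    clusters = defaultdict(set)
    for domain, html in records:
        for container_id in set(GTM_ID.findall(html)):
            clusters[container_id].add(domain)
    # A container seen on one domain says little; one shared by several
    # domains suggests a common operator worth tracking together.
    return {cid: sorted(doms) for cid, doms in clusters.items() if len(doms) > 1}


if __name__ == "__main__":
    hits = keyword_hits(SAMPLE)
    print(f"{len(hits)} of {len(SAMPLE)} new domains contain 'slot'")
    for cid, domains in cluster_by_gtm(hits).items():
        print(cid, "->", ", ".join(domains))
```
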

Adult Content

The motives behind the regional targeting to redirect users to adult content appear less obvious. Some factors we suspect play a role in Asia’s heightened targeting are the high Internet usage, varied levels of Internet governance in the region, and cultural factors that may restrict access to such content.

We posit a number of potential motivations could be behind these attacks:

  • SEO Manipulation: By exploiting redirects, malicious actors may manipulate search engine rankings to drive more (inorganic) traffic to their sites.
  • Traffic Monetisation: By redirecting users to adult content, malicious actors may generate revenue through affiliate programs or ad networks that pay for traffic.
  • Malware Distribution: The malicious sites disguised as adult content may lead to malware infections (e.g., drive-by downloads, exploit kits, etc.).
  • Phishing: The adult content site may contain malicious advertising (malvertising) or embedded links, which may further redirect the user to phishing sites intended to collect their sensitive information.
  • Social Engineering Scams: A previous campaign saw adult content sites further redirect users to dating sites, intended to perform romance scams.[10]

Conclusion

SEO poisoning poses an active and increasing threat. Whilst in most cases the risks are primarily reputational damage, loss of user trust, and potential legal implications, we do observe multiple instances in which attackers may inflict further harm given their internal access to victims. In these cases, they may not only perform open redirects or defacements to present their malicious content, but also have the opportunity to deploy web shells, perform lateral movement, and pursue means of extortion such as data exfiltration or ransomware deployment.

The potential follow-on impact is evidenced in the widescale campaign leveraging DragonRank malware to target victims in Asia and Europe for SEO rank manipulation.[11] Whilst the primary goal of the abuses was to drive traffic to malicious sites, the threat actors further leveraged their unauthorised access to perform lateral movement and credential harvesting, likely for use in subsequent attacks.

As these campaigns amplify in speed and scale, it is crucial that organisations remain aware of these threats and implement robust security measures to minimise susceptibility to such attacks. This includes performing regular security audits to assess and uplift configurations. By staying vigilant and proactive, organisations can safeguard their reputation, maintain the trust of their users, and ensure that their brand is not weaponised to facilitate malicious activities.

Stay tuned for our Part Two, as we delve into the technical – breaking down how these techniques work, what vulnerabilities and technologies are often involved, and how you may defend against these ever-present threats!

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.
