Personally, I do not go around hunting for funny things - they just find me, or I find them whilst looking for innocent content. Last weekend I was looking for SELT (Secure English Language Tests), which the British Council have information on, and I got more than I bargained for on a search result. It took a few looks to convince myself that what I saw was actually related to the British Council's main domain: britishcouncil.org.
For years I have known that sub-domains are a great source of free open-source intelligence, and few firms actually manage them well. What is a sub-domain? Take webmail.domain.com: domain.com would be a company, and the webmail element gives you access to their webmail server. Tonnes of things have sub-domains: FTP servers, file transfer servers, VPN servers, Wi-Fi captive portals, finance applications and, the biggest boo-boo in my view, test sites which are built (and forgotten about) before an application is launched.
Hackers love sub-domains. Why? Few companies actually firewall them off, so you can reach them from anywhere. OAT, UAT, Dev and Staging are common words/acronyms you will see, as in financeuat.domain.com. There are many legal free/paid online tools to find them, and the British Council have close to 1000 - I found this out without breaching the CMA (Computer Misuse Act 1990). In this case it is a UAT (user acceptance testing) sub-domain which is the problem.
That is enough tech stuff and now on to the funny stuff.
1 of 2. A very innocent search shows nothing interesting till you scroll down a little.
2 of 2. Halfway down the first results page the results get really weird.
The front page of the website - German language. Many categories are present, in different European languages, and even non-explicit content is present.
AVG flags up most pages and most links go to a .ru adult dating site. On top of having adult content associated with their brand, they also are potentially sending internet users to dangerous sites.
1 of 2. Quick DNS check shows the A record IP address of the sub-domain.
2 of 2. IP is owned by Microsoft Azure and an Azure address is also shown.
One of the many non-innocent searches out there for British Council.
What do I think happened?
Either the server in question was hacked, or the IP address linked to their sub-domain was released and is now being used by someone else, but they did not update their DNS record. Perhaps the latter.
The moral of the story?
Intangible asset management. Keep a list of all your domains, sub-domains, IP addresses and servers. Frequently go through the list and bin what you do not need anymore. Lastly, firewall everything you do need.
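One way to turn that list into a routine check, as an added example that is not from the original post: resolve each sub-domain in your inventory and flag any A record whose address falls outside the ranges you still own or lease. The ranges, host names and DNS answers below are constructed placeholders, not the British Council's; `resolve_live` is the hook you would use against real DNS.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Constructed inventory: address ranges the organisation actually controls today.
# A record pointing anywhere else is the situation described in the post: the IP
# was given back to the cloud provider but the DNS entry was never removed.
OWNED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),    # on-premises block (constructed)
    ipaddress.ip_network("198.51.100.64/27"),  # currently leased cloud block (constructed)
]

# Constructed DNS answers so the check runs offline; swap in resolve_live for real use.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "www.example.org": ["203.0.113.10"],        # still ours
    "financeuat.example.org": ["192.0.2.77"],   # released IP, now outside every range we hold
    "old-test.example.org": [],                 # no A record any more, should be pruned
}

def resolve_sample(name: str) -> List[str]:
    """Offline stand-in for a resolver: returns the constructed A records for name."""
    return SAMPLE_ANSWERS.get(name, [])

def resolve_live(name: str) -> List[str]:
    """Real lookup via the system resolver; an NXDOMAIN or timeout yields no addresses."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror, OSError):
        return []

def audit_subdomains(names: Iterable[str],
                     resolve: Callable[[str], List[str]],
                     owned: List[ipaddress.IPv4Network]) -> Dict[str, str]:
    """Return {name: 'owned' | 'dangling' | 'unresolved'} for every inventoried sub-domain."""
    report: Dict[str, str] = {}
    for name in names:
        addrs = resolve(name)
        if not addrs:
            report[name] = "unresolved"       # stale entry: remove it from DNS and the inventory
            continue
        foreign = [a for a in addrs
                   if not any(ipaddress.ip_address(a) in net for net in owned)]
        # Any address we do not control means someone else may be answering for our name.
        report[name] = "dangling" if foreign else "owned"
    return report

if __name__ == "__main__":
    for host, status in audit_subdomains(SAMPLE_ANSWERS, resolve_sample, OWNED_RANGES).items():
        print(f"{host:28} {status}")
```

Run this against the full sub-domain list on a schedule; a "dangling" result is the one to act on first, because the name still resolves and browsers will happily trust whatever now sits at that address.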
British Council's Response
On the 7th and 8th, contact was made by Twitter and email (two press managers). One press manager replied the next day, and Twitter was swifter. By Friday afternoon the sub-domain was gone, though as of Mon 11th the Azure sub-domain is still up.
"The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The privacy and security of personal information is paramount. Upon becoming aware of the incident, we took immediate action to address the issue. Having investigated the matter, we can confirm that no British Council data or systems were compromised. We will report the incident to the appropriate authorities as required."
On top of the British Council, a major US charity had the same issue, and I contacted them as well.