Threat actors are stealing money from a CMS editor that was discontinued 14 years ago to sabotage education and government organizations around the world and contaminate search results with shady websites or scams.
Open redirections are when websites permit arbitrary redirection requests without proper verification or security checks, whether intentionally or accidentally due to a flaw in a website.
For instance, if a URL was set at https ://www.example .com/ ?redirect=< ,url> that a user could change to their own, it would be regarded as an open redirect.
Attackers use these open redirects to defraud, distribute malware, or trick users while they appear to be from legitimate domains using them. The URLs may be able to bypass security product URL filters because they are hosted on trusted domains.
Additionally, search engine crawlers use a trusted domain to rank malicious URLs higher for specific queries and index the redirects and list them  in Google Search results.
Open redirect URLs can remain active and visible in search results for a while before being flagged for removal because they do not directly host the malicious content but simply point to it.
However, many businesses, including Google and , including Microsoft, do not view open redirections as flaws and may not fix them unless they cause a greater level of vulnerability.
outdated plugins are targeted
After seeing Google Search results for” Free V Bucks” ( Fortnite in-game currency ) generators hosted on university websites, cybersecurity researcher @g0njxa  discovered the malicious redirect campaign.
The attackers ‘ use of open redirect requests is related to FCKeditor, a once-popular web text editor that enables users to edit HTML content directly from a web page.
CKEditor was released in 2009 after being significantly renamed and significantly rebranded. It uses a more contemporary codebase, provides better usability and compatibility with contemporary web standards, and actively supports its developer.
The various organizations that are the subject of this campaign are listed in the a  Twitter thread, g0njxa.com, which includes MIT, Columbia University, Universitat de Barcelona, Auburn University, University of Washington, Purdue, Tulane, Universidad Central del Ecuador, and the University of Hawaii.
The campaign also targets government and corporate websites, including Yellow Pages Canada, Virginia’s government website, Austin, Texas’s government site, and Spain’s government site, which use the dated FCKeditor plugin.
According to the tests conducted by BleepingComputer, the compromised FCKeditor instances use both static HTML and redirects to malicious websites.
The search engine is poisoned by the static HTML pages that appear under the legitimate domain.
For instance, one of the Google links points to the FCKeditor instance on the aum. a tinnitus remedy blog that appears to be an actual news article.
The article is intended to promote other pages ‘ content on the AUM website’s compromised FCKeditor instance so that Google can index the pages. The threat actors are likely to switch out these pages for redirects to malicious websites once they are ranked in search engines.
Source: BleepingComputer
Other URLs in this campaign will merely sabotage FCKeditor to point people to fake news websites, phishing websites, phishing websites, hacking assistance websites, or obtrusive browser extensions.
The software maker responded to the report from the open redirects campaign on X, stating that FCKeditor has been deprecated since 2010 and that no one should use it any longer.
Unfortunately, it’s not uncommon to see government and university websites using outdated software, especially one that has been around for a while, perhaps for more than 13 years.
Similar campaigns were run by threat actors in the past to redirect users to fake OnlyFans and adult websites using open redirects on government websites.