The technical director at Qurium Media noticed something strange. An alternative Philippine media outlet was the target of a massive distributed denial-of-service attack, and the traffic was coming from Facebook users.
The attack was just the beginning, according to Lundström. A sophisticated troll farm in Vietnam had captured the credentials of thousands of Facebook accounts and turned them into malicious bots to target the accounts of more and more people.
The attack was large, and the outlet had been the target of major cyberattacks in the past. The team at Qurium blocked tens of thousands of internet addresses from accessing the website. Lundström said they didn't know where the traffic came from or why people were going to certain parts of the website.
Things got weirder when they traced the attack. The requests for pages on the website were coming from Facebook links that looked like pornography, according to Lundström. The scam links took the credentials of the Facebook users and sent them to a fake website, which was then used to launch a phishing attack and a denial-of-service attack. From there, the compromised accounts were automated to spam their networks with more of the same fake porn links, which in turn sent more and more users to the site.
Qurium found that the attackers were using a "bouncing domain." If Meta were to test the domain, it would link out to a legitimate website, but if a regular user clicked on the link, they would be taken to a phishing site.
Qurium was able to identify the company that registered some of the domain names that were used in the scam. Qurium estimates that the Vietnamese group has captured the credentials of up to half a million Facebook users from more than 30 countries. Over one million accounts have been targeted by the bot network.
The attackers were able to circumvent Meta's detection systems by using residential proxies to route traffic through the country where the account was stolen. The accounts can be accessed by anyone from anywhere in the world.
The owner of the Facebook page is an engineer at the domain company Namecheap.com, and the page advertised likes and followers for sale in May 2021. WIRED tried to contact the email address attached to the Facebook page, but didn't hear back. Qurium traced the email address to Mien Trung Vinh.