A Sprawling Bot Network Used Fake Porn to Fool Facebook
In November 2021, Tord Lundström, technical director at the Swedish nonprofit Qurium Media, noticed something odd. A massive distributed denial of service (DDoS) attack had targeted Bulatlat, an alternative Philippine media outlet hosted by the nonprofit. And it was coming from Facebook users.
Lundström and his team found that the attack was only the beginning. Bulatlat had become the target of a sophisticated Vietnamese troll farm that had taken over the login credentials of thousands of Facebook accounts and turned them into malicious bots, which in turn targeted the logins of even more accounts to increase the network's numbers.
The volume of this attack was astounding even for Bulatlat, which had long been the target of censorship and major cyber attacks. The team at Qurium blocked up to 60,000 IP addresses per day from accessing Bulatlat’s website. “We don’t know where it’s coming from, why people are going to these specific parts of the Bulatlat website,” Lundström said.
As they tracked down the attack, things got weirder still. Lundström and his team found that requests for pages on Bulatlat’s website actually came from Facebook links disguised to look like links to pornography. These phishing links collected Facebook users’ login credentials and redirected traffic to Bulatlat, essentially performing a phishing attack and a DDoS attack at the same time. Since then, the compromised accounts have been automatically spamming their networks with many of the same fake porn links, so more and more users are visiting Bulatlat’s website.
While Facebook’s parent company Meta has systems in place to detect phishing scams and questionable links, Qurium found that the attackers were using a “bounce domain.” This means that if Meta’s detection system checks the domain, it will link to a legitimate website, but if a regular user clicks on the link, they will be redirected to the phishing site.
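The bounce-domain behavior described above can be caught by resolving the same link under more than one client profile and comparing where each one lands. The following is an added example, not code from the article, Qurium or Meta; the hostnames, the profile names and the recorded redirect table are constructed, and in practice the table would be replaced by real fetches made with different user agents and source networks.

```python
from urllib.parse import urlsplit

# Constructed redirect behaviour: (url, client profile) -> Location header.
# Hostnames use the reserved .example TLD; none of them come from the article.
REDIRECTS = {
    ("https://bounce.example/v/123", "scanner"): "https://news.example/story",
    ("https://bounce.example/v/123", "mobile_user"): "https://login-check.example/fb",
    ("https://short.example/a", "scanner"): "https://www.blog.example/post",
    ("https://short.example/a", "mobile_user"): "https://blog.example/post?m=1",
}

def resolve(url, profile, max_hops=5):
    """Follow the recorded redirect chain as seen by one client profile."""
    seen = {url}
    for _ in range(max_hops):
        nxt = REDIRECTS.get((url, profile))
        if nxt is None:       # no further redirect: this is the landing page
            return url
        if nxt in seen:       # redirect loop: stop rather than spin
            return nxt
        seen.add(nxt)
        url = nxt
    return url

def host(url):
    """Lower-cased hostname without a leading 'www.' so trivial variants match."""
    h = (urlsplit(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def cloaking_report(url, profiles=("scanner", "mobile_user")):
    """Flag a link whose final host depends on who is asking."""
    finals = {p: host(resolve(url, p)) for p in profiles}
    return {"url": url, "final_hosts": finals,
            "diverges": len(set(finals.values())) > 1}

if __name__ == "__main__":
    for link in ("https://bounce.example/v/123", "https://short.example/a"):
        print(cloaking_report(link))
```

Comparing hosts rather than full URLs keeps benign differences, such as a mobile query parameter or a `www.` prefix, from being reported as cloaking.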
After months of investigation, Qurium was able to identify a Vietnamese company called Mac Quan Inc. that had registered several domains for the phishing sites. Qurium estimates that the Vietnamese team obtained the login information of more than 500,000 Facebook users from more than 30 countries using about 100 different domains. It is thought that over 1 million accounts have been targeted by the bot network.
To bypass Meta’s detection systems, the attackers used a “residential proxy,” which routed traffic through an intermediary based in the same country as the stolen Facebook account — usually a local cell phone — to make it seem like the login was coming from a local IP address. “Anyone from anywhere in the world can access these accounts and use them for whatever they want,” says Lundström.
A Facebook page for “Mac Quan IT” states that its owner is an engineer with the domain company Namecheap.com, and it carries a post from May 30, 2021, advertising likes and followers for sale: 10,000 yen ($70) for 350 likes and 20,000 yen for 1,000 followers. WIRED reached out to the email address attached to the Facebook page for comment but did not receive a response. Qurium further traced the domain to an email address registered to a person named Mien Trung Vinh.