In Nov 2021, Tord Lundström, the technical director of the Swedish digital forensic nonprofit Qurium Media, noticed something strange. A massive DDoS (Distributed Denial of Service) attack targeted Bulatlat, an alternative Philippine media outlet hosted by the nonprofit. And it came from Facebook users.
Lundström and his team found that the attack was just the beginning. Bulatlat had been targeted by a sophisticated Vietnamese troll farm that stole the credentials of thousands of Facebook accounts and turned them into malicious bots, which then harvested the credentials of still more accounts to grow the network.
The volume of this attack was staggering, even for Bulatlat, which has long been the target of censorship and major cyber-attacks. Qurium’s team blocked up to 60,000 IP addresses per day from accessing Bulatlat’s website. “We didn’t know where it came from, why people went to these specific parts of the Bulatlat website,” Lundström says.
When they followed the attack, things got even weirder. Lundström and his team found that requests for pages on Bulatlat’s website actually came from Facebook links disguised to look like links to pornography. These scam links captured the Facebook users’ credentials and redirected traffic to Bulatlat, essentially performing a phishing attack and a DDoS attack simultaneously. From there, the compromised accounts were automated to spam their networks with more of the same fake porn links, which in turn sent more and more users to Bulatlat’s website.
Although Facebook parent company Meta has systems in place to detect phishing scams and problematic links, Qurium discovered that the attackers were using a “bouncing domain”. This meant that if Meta’s detection system tested the domain, it would link to a legitimate website, but if a regular user clicked on the link, they would be redirected to the phishing site.
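One way a defender can check a suspicious link for the cloaking behaviour described above is to fetch it as both a link-preview crawler and an ordinary browser and compare where the redirect chains end. This is an added example, not Qurium's tooling; the article does not say how the bouncing domain told scanners from users, so the code assumes it keyed on the User-Agent header, and all domains and responses below are constructed stand-ins for the network.

```python
"""Detect a 'bouncing domain': a link that resolves to a benign site when a
scanner fetches it but redirects real browsers elsewhere.  Added example; the
User-Agent trigger and every domain here are constructed assumptions."""
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

# Two request personas: a link-preview/security crawler and an ordinary browser.
PERSONAS = {
    "crawler": "facebookexternalhit/1.1",
    "browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/99.0",
}

# (url, user_agent) -> (status, headers); a real implementation would issue an
# HTTP request *without* auto-following redirects, so each hop is observed.
Fetch = Callable[[str, str], Tuple[int, Dict[str, str]]]
REDIRECTS = {301, 302, 303, 307, 308}


def follow_redirects(fetch: Fetch, url: str, user_agent: str, max_hops: int = 5) -> List[str]:
    """Return the redirect chain one persona sees, starting with url and ending at the final URL."""
    chain = [url]
    for _ in range(max_hops):
        status, headers = fetch(chain[-1], user_agent)
        if status not in REDIRECTS or "Location" not in headers:
            break
        chain.append(headers["Location"])
    return chain


def detect_cloaking(fetch: Fetch, url: str) -> Dict[str, object]:
    """Fetch the same link as each persona; flag it if the final hosts disagree."""
    chains = {name: follow_redirects(fetch, url, ua) for name, ua in PERSONAS.items()}
    final_hosts = {name: urlparse(c[-1]).netloc for name, c in chains.items()}
    return {"cloaked": len(set(final_hosts.values())) > 1,
            "final_hosts": final_hosts, "chains": chains}


# Constructed network stand-in that behaves like the bouncing domain in the article:
# scanners are bounced to a legitimate page, browsers to the credential-phishing page.
def fake_bouncing_fetch(url: str, user_agent: str) -> Tuple[int, Dict[str, str]]:
    if urlparse(url).netloc == "bounce.example":
        if "facebookexternalhit" in user_agent:
            return 302, {"Location": "https://legit-news.example/story"}
        return 302, {"Location": "https://login-phish.example/fb"}
    return 200, {}


def fake_honest_fetch(url: str, user_agent: str) -> Tuple[int, Dict[str, str]]:
    """Constructed control: same answer for every persona, so no cloaking is flagged."""
    return 200, {}
```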
After months of research, Qurium was able to identify that a Vietnamese company called Mac Quan Inc. had registered some of the domain names used for the phishing sites. Qurium estimates that the Vietnamese group had stolen the credentials of more than 500,000 Facebook users from more than 30 countries, using about 100 different domain names. More than 1 million accounts are believed to have been targeted by the bot network.
To further circumvent Meta’s detection systems, the attackers used “residential proxies”, where traffic was routed through an intermediary in the same country as the stolen Facebook account – normally a local cell phone – to make it appear as if the login came from a local IP address. “Anyone from anywhere in the world can then access these accounts and use them for whatever they want,” says Lundström.
A Facebook page for “Mac Quan IT” states that the owner is an engineer at the domain company Namecheap.com and includes a post dated May 30, 2021, advertising likes and followers for sale: 10,000 yen ($70) for 350 likes and 20,000 yen for 1,000 followers. WIRED has contacted the email address listed on the Facebook page for comment, but has not received a response. Qurium further traced the domain name to an email registered in the name of a person named Mien Trung Vinh.