Thursday 4 October 14:00 - 14:30, Green room
Masarah Paquet-Clouston (GoSecure)
Interest in the industry of social media fraud (SMF), the creation of fake 'likes' and 'follows' on social networks, and in its potential for deception has been growing steadily. This paper explores an undocumented segment of this industry: wholesaling, from botnet supply operations to bulk reselling.
To begin, the paper presents an undisclosed feature of Linux/Moose, an IoT botnet conducting SMF. Linux/Moose infects devices in order to use them as proxies to relay traffic to social networks. Its architecture includes seven whitelisted IP addresses that can push traffic through those proxies, a feature reminiscent of a reseller model. To understand the purpose of each IP address, we analysed the traffic fingerprints left by each of them on the systems we infected, including TLS handshake metadata, User-Agents, timestamps, the HTTP query and parameters, account activity and others. Using data visualization methods, we uncovered the value of these whitelisted IPs, which was not what we anticipated.
Then, we collected information on bulk reseller panels, the direct working partners of the botnet operators. We gathered information related to each panel's characteristics, such as WHOIS data, certificate information, a fingerprint of the web application (framework, programming language, web container/server), IP addresses, HTML content, etc. We clustered the data based on the panel's features, allowing us to conclude that only a small number of actors are behind bulk reselling.
The paper provides: