Uncovering the wholesale industry of social media fraud: from botnet to bulk reseller panels

Thursday 4 October 14:00 - 14:30, Green room

Masarah Paquet-Clouston (GoSecure)

There is no doubt that there has been an increasing interest in understanding the industry of social media fraud (SMF), which is the process of creating fake 'likes' and 'follows' on social networks, and its potential deceptive capabilities. This paper explores an undocumented segment of this industry: wholesaling, from botnet supply operations to bulk reselling.

To begin, the paper presents an undisclosed feature of Linux/Moose, an IoT botnet conducting SMF. Linux/Moose infects devices in order to use them as proxies to relay traffic to social networks. Its architecture includes seven whitelisted IP addresses that can push traffic through those proxies, a feature reminiscent of a reseller model. To understand the purpose of each IP address, we analysed the traffic fingerprints left by each of them on the systems we infected, including TLS handshake metadata, User-Agents, timestamps, the HTTP query and parameters, account activity and others. Using data visualization methods, we uncovered the value of these whitelisted IPs, which was not what we anticipated.

Then, we collected information on bulk reseller panels, the direct working partners of the botnet operators. We gathered information related to each panel's characteristics, such as WHOIS data, certificate information, a fingerprint of the web application (framework, programming language, web container/server), IP addresses, HTML content, etc. We clustered the data based on the panel's features, allowing us to conclude that only a small number of actors are behind bulk reselling.

The paper provides:

  • An in-depth analysis of an undisclosed feature of a botnet using various traffic fingerprints.
  • A hands-on evaluation, through clustering analysis of panels' characteristics, of the number of potential key actors in bulk reselling.
  • A first review of the wholesale industry of SMF, one that will become a reference for actors willing to curb this illicit activity, from law enforcement agencies to policy makers and cybersecurity professionals.



Other VB2018 papers


Masashi Nishihata (Citizen Lab)
John Scott Railton (Citizen Lab)

Analysing compiled binaries using logic

Thais Moreira Hamasaki (F-Secure)

From Hacking Team to hacked team to…?

Filip Kafka (ESET)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.