.jpg "A Sprawling Bot Network Used Fake Porn to Fool Facebook")
A Sprawling Bot Network Used Fake Porn to Fool Facebook
In November 2021, Tord Lundström, the technical director at Swedish digital forensics nonprofit Qurium Media, noticed something strange. A massive distributed denial of service (DDoS) attack was targeting Bulatlat, an alternative Phillippine media outlet hosted by the nonprofit. And it was coming from Facebook users.
Lundström and his team found that the attack was just the start of it. Bulatlat had become the target of a sophisticated Vietnamese troll farm that had captured the credentials of thousands of Facebook accounts and turned them into malicious bots to target the credentials of yet more accounts to swell its numbers.
The volume of this attack was staggering even for Bulatlat, which has long been the target of censorship and major cyberattacks. The team at Qurium was blocking up to 60,000 IP addresses a day from accessing Bulatlat’s website. “We didn’t know where it was coming from, why people were going to these specific parts of the Bulatlat website,” says Lundström.
When they traced the attack, things got weirder still. Lundström and his team found that requests for pages on Bulatlat’s website were actually coming from Facebook links disguised to look like links to pornography. These scam links captured the credentials of the Facebook users and redirected the traffic to Bulatlat, essentially executing a phishing attack and a DDoS attack at the same time. From there, the compromised accounts were automated to spam their networks with more of the same fake porn links, which in turn sent more and more users careering toward Bulatlat’s website.
