
A Sprawling Bot Network Used Fake Porn to Fool Facebook

source link: https://www.wired.com/story/facebook-bots-ddos-attack/

In November 2021, Tord Lundström, the technical director at Swedish digital forensics nonprofit Qurium Media, noticed something strange. A massive distributed denial of service (DDoS) attack was targeting Bulatlat, an alternative Philippine media outlet hosted by the nonprofit. And it was coming from Facebook users.

Lundström and his team found that the attack was just the start of it. Bulatlat had become the target of a sophisticated Vietnamese troll farm that had captured the credentials of thousands of Facebook accounts and turned them into malicious bots to target the credentials of yet more accounts to swell its numbers.

The volume of this attack was staggering even for Bulatlat, which has long been the target of censorship and major cyberattacks. The team at Qurium was blocking up to 60,000 IP addresses a day from accessing Bulatlat’s website. “We didn’t know where it was coming from, why people were going to these specific parts of the Bulatlat website,” says Lundström.

When they traced the attack, things got weirder still. Lundström and his team found that requests for pages on Bulatlat’s website were actually coming from Facebook links disguised to look like links to pornography. These scam links captured the credentials of the Facebook users and redirected the traffic to Bulatlat, essentially executing a phishing attack and a DDoS attack at the same time. From there, the compromised accounts were automated to spam their networks with more of the same fake porn links, which in turn sent more and more users careering toward Bulatlat’s website.

Though Facebook parent company Meta has systems in place to detect phishing scams and problematic links, Qurium found that the attackers were using a “bouncing domain.” This meant that if Meta’s detection system were to test the domain, it would link out to a legitimate website, but if a regular user clicked on the link, they would be redirected to the phishing site.
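As an added example (not code from the article, Qurium or Meta), here is the defender-side check a link-scanning team could run against such a "bouncing domain": resolve the same link once under a crawler-like identity and once under a consumer-browser identity, then compare where the redirect chains end. All hostnames and the offline stand-in for the network fetch are constructed; the only real identifier is the `facebookexternalhit` crawler User-Agent, assumed here to be what a cloaking server keys on.

```python
"""Cloaking detector: compare the final destination of a link as seen by a
scanner-style client versus a browser-style client. Added example, not tooling
from Qurium or Meta; hostnames below are constructed placeholders."""
import urllib.request
from typing import Callable, Dict
from urllib.parse import urlsplit

# Probe identities: a scanner-style UA and a consumer-browser UA.
PROBES: Dict[str, Dict[str, str]] = {
    "scanner": {"User-Agent": "facebookexternalhit/1.1"},
    "browser": {"User-Agent": "Mozilla/5.0 (Linux; Android 12) Mobile Safari/537.36"},
}

def live_final_url(url: str, headers: Dict[str, str], timeout: float = 10.0) -> str:
    """Follow redirects with urllib and return where the chain ends (needs network)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl()

def registered_host(url: str) -> str:
    """Hostname of the final URL; an empty string if the URL has none."""
    return urlsplit(url).hostname or ""

def detect_cloaking(url: str, fetch_final_url: Callable[[str, Dict[str, str]], str],
                    probes: Dict[str, Dict[str, str]] = PROBES) -> dict:
    """Resolve `url` once per probe identity; flag it when the final hosts disagree."""
    finals = {name: fetch_final_url(url, hdrs) for name, hdrs in probes.items()}
    hosts = {name: registered_host(u) for name, u in finals.items()}
    return {"url": url, "final_urls": finals, "cloaked": len(set(hosts.values())) > 1}

# Constructed offline stand-in for the network fetch: one link that bounces
# scanners to a benign page and browsers to a login look-alike, and one honest link.
_FAKE_RESOLUTIONS = {
    ("http://bounce.example/v1", "scanner"): "https://news.example/article",
    ("http://bounce.example/v1", "browser"): "https://login-lookalike.example/fb",
    ("http://honest.example/p", "scanner"): "https://honest.example/p",
    ("http://honest.example/p", "browser"): "https://honest.example/p",
}

def fake_final_url(url: str, headers: Dict[str, str]) -> str:
    """Offline replacement for live_final_url, driven by the constructed table above."""
    ident = "scanner" if headers["User-Agent"].startswith("facebookexternalhit") else "browser"
    return _FAKE_RESOLUTIONS[(url, ident)]

if __name__ == "__main__":
    for link in ("http://bounce.example/v1", "http://honest.example/p"):
        print(detect_cloaking(link, fake_final_url))
```

Legitimate sites sometimes split traffic by User-Agent too (mobile versus desktop hosts), so in production compare registrable domains or keep an allowlist of known host pairs rather than treating every mismatch as cloaking.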

After months of investigation, Qurium was able to identify a Vietnamese company called Mac Quan Inc. that had registered some of the domain names for the phishing sites. Qurium estimates that the Vietnamese group had captured the credentials of upwards of 500,000 Facebook users from more than 30 countries using some 100 different domain names. It’s thought that over 1 million accounts have been targeted by the bot network.

To further circumvent Meta’s detection systems, the attackers used “residential proxies,” routing traffic through an intermediary based in the same country as the stolen Facebook account—normally a local cell phone—to make it appear as though the login was coming from a local IP address. “Anyone from anywhere in the world can then access these accounts and use them for whatever they want,” says Lundström.

A Facebook page for “Mac Quan IT” states that its owner is an engineer at the domain company Namecheap.com and includes a post from May 30, 2021, where it advertised likes and followers for sale: 10,000 yen ($70) for 350 likes and 20,000 yen for 1,000 followers. WIRED contacted the email attached to the Facebook page for comment but did not receive a response. Qurium further traced the domain name to an email registered to a person called Mien Trung Vinh.

“We emailed Facebook and thought, ‘Of course they’re going to do something about it,’” says Lundström. Qurium contacted Meta three times between March 31 and May 11 but did not receive a response. All the while, Bulatlat continued to receive attacks from the bot network. “These are criminals that are building fake services within the same platform that is actually supposed to stop them,” Lundström says. “This would be equivalent to selling drugs in the police station.”

David Agranovich, director of threat disruption at Meta, says that Meta urges people to “be cautious when they’re asked to share their social media credentials with websites they don’t know and trust.” Agranovich adds that Meta continues “to improve how we detect and enforce in response to attempts to change tactics by these adversarial phishing campaigns.” Facebook removed the Facebook page for Mac Quan IT after WIRED shared the details.

Ari Lightman, professor of digital media and marketing at Carnegie Mellon University, says tactics like those used by Mac Quan are “much more common than we know.” Lightman says the emphasis on personal connections—and the trust that comes with them—can make people more likely to click on dodgy links and inadvertently hand over private information.


Without more information and engagement from Meta, however, Lundström says it’s impossible to know how many accounts have been compromised and, more importantly, who ordered the targeted attacks against Bulatlat. And attribution really matters. Members of Bulatlat’s staff have been red-tagged, or marked as communists, by members of the Philippine government. It’s a label that has led to the extrajudicial murder and harassment of activists, journalists, and organizers, marking them as anti-state.

“So many of those who have been red-tagged were arrested, charged with double charges, and some were even killed,” says Len Olea, managing editor at Bulatlat. She and her staff regularly worry about their own security. “There are instances when some of us felt we were being followed,” says Olea. “But there was no way of confirming.”

It still isn’t clear who, or what, is behind the attack against Bulatlat. “These troll farms, these malicious bots are being guided and being funded by some entity,” says Lightman. “Who is that entity, and what is that entity’s purpose for utilizing these services?”
