A Sprawling Bot Network Used Fake Porn to Fool Facebook



Swedish digital forensics nonprofit Qurium Media found that a massive distributed denial-of-service (DDoS) attack was targeting Bulatlat, a media outlet it hosts. Bulatlat had become the target of a sophisticated Vietnamese troll farm that had captured the credentials of thousands of Facebook accounts and turned them into malicious bots to capture the credentials of more accounts. The compromised accounts were automated to spam their networks with fake pornographic links, which sent users careering toward Bulatlat’s website.




Vittoria Elliott


In November 2021, Tord Lundström, the technical director at Swedish digital forensics nonprofit Qurium Media, noticed something strange.

A massive distributed denial of service (DDoS) attack was targeting Bulatlat, an alternative Philippine media outlet hosted by the nonprofit.


And it was coming from Facebook users.


Lundström and his team found that the attack was just the start of it.


Bulatlat had become the target of a sophisticated Vietnamese troll farm that had captured the credentials of thousands of Facebook accounts and turned them into malicious bots to target the credentials of yet more accounts to swell its numbers.


The volume of this attack was staggering even for Bulatlat, which has long been the target of censorship and major cyberattacks.


The team at Qurium was blocking up to 60,000 IP addresses a day from accessing Bulatlat’s website.


“We didn’t know where it was coming from, why people were going to these specific parts of the Bulatlat website,” says Lundström.


When they traced the attack, things got weirder still.


Lundström and his team found that requests for pages on Bulatlat’s website were actually coming from Facebook links disguised to look like links to pornography.


These scam links captured the credentials of the Facebook users and redirected the traffic to Bulatlat, essentially executing a phishing attack and a DDoS attack at the same time.


From there, the compromised accounts were automated to spam their networks with more of the same fake porn links, which in turn sent more and more users careering toward Bulatlat’s website.


Though Facebook parent company Meta has systems in place to detect phishing scams and problematic links, Qurium found that the attackers were using a “bouncing domain.” This meant that if Meta’s detection system were to test the domain, it would link out to a legitimate website, but if a regular user clicked on the link, they would be redirected to the phishing site.
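The defensive check implied by the “bouncing domain” description, as an added example that is not from Qurium or Meta: resolve each shared link once with a scanner-like client and once with a regular-user client, then compare where each lands. The profile labels, function names and all hostnames below are hypothetical, and the observations are constructed sample data.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data: (shared link, client profile, final landing URL).
# Every hostname is a placeholder, not an indicator from the investigation.
OBSERVATIONS = [
    ("http://bounce.example/v/1", "scanner", "https://www.news-site.example/article"),
    ("http://bounce.example/v/1", "user", "https://login-page.example/signin"),
    ("http://short.example/a", "scanner", "https://WWW.shop.example/item?id=1"),
    ("http://short.example/a", "user", "https://shop.example/item?id=1&ref=m"),
    ("http://solo.example/x", "scanner", "https://blog.example/"),
]


def landing_host(url):
    """Lower-cased hostname of a landing URL, without a leading 'www.'."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_links(observations):
    """Map each link to 'cloaked', 'consistent' or 'inconclusive'."""
    seen = defaultdict(lambda: defaultdict(set))
    for link, profile, final_url in observations:
        seen[link][profile].add(landing_host(final_url))

    verdicts = {}
    for link, by_profile in seen.items():
        scanner = by_profile.get("scanner")
        user = by_profile.get("user")
        if not scanner or not user:
            # Only one vantage point: the comparison cannot be made.
            verdicts[link] = "inconclusive"
        elif user - scanner:
            # Users reach a host the scanner was never shown.
            verdicts[link] = "cloaked"
        else:
            verdicts[link] = "consistent"
    return verdicts


if __name__ == "__main__":
    for link, verdict in classify_links(OBSERVATIONS).items():
        print(f"{verdict:12} {link}")
```

A “cloaked” verdict is a heuristic signal for review, since legitimate sites also vary redirects by device or region.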


After months of investigation, Qurium was able to identify a Vietnamese company called Mac Quan Inc. that had registered some of the domain names for the phishing sites.


Qurium estimates that the Vietnamese group had captured the credentials of upwards of 500,000 Facebook users from more than 30 countries using some 100 different domain names.


It’s thought that over 1 million accounts have been targeted by the bot network.


To further circumvent Meta’s detection systems, the attackers used “residential proxies,” routing traffic through an intermediary based in the same country as the stolen Facebook account—normally a local cell phone—to make it appear as though the login was coming from a local IP address.


“Anyone from anywhere in the world can then access these accounts and use them for whatever they want,” says Lundström.


A Facebook page for “Mac Quan IT” states that its owner is an engineer at the domain company Namecheap.com and includes a post from May 30, 2021, where it advertised likes and followers for sale: 10,000 yen ($70) for 350 likes and 20,000 yen for 1,000 followers.


WIRED contacted the email attached to the Facebook page for comment but did not receive a response.


Qurium further traced the domain name to an email registered to a person called Mien Trung Vinh.

“We emailed Facebook and thought, ‘Of course they’re going to do something about it,’” says Lundström.


Qurium contacted Meta three times between March 31 and May 11 but did not receive a response.


All the while, Bulatlat continued to receive attacks from the bot network.


“These are criminals that are building fake services within the same platform that is actually supposed to stop them,” Lundström says.


“This would be equivalent to selling drugs in the police station.”

David Agranovich, director of threat disruption at Meta, says that Meta urges people to “be cautious when they’re asked to share their social media credentials with websites they don’t know and trust.” Agranovich adds that Meta continues “to improve how we detect and enforce in response to attempts to change tactics by these adversarial phishing campaigns.”

Facebook removed the Facebook page for Mac Quan IT after WIRED shared the details.

Ari Lightman, professor of digital media and marketing at Carnegie Mellon University, says tactics like those used by Mac Quan are “much more common than we know.” Lightman says the emphasis on personal connections—and the trust that comes with them—can make people more likely to click on dodgy links and inadvertently hand over private information.


Without more information and engagement from Meta, however, Lundström says it’s impossible to know how many accounts have been compromised and, more importantly, who ordered the targeted attacks against Bulatlat.


And attribution really matters.


Members of Bulatlat’s staff have been red-tagged, or marked as communists, by members of the Philippine government.


It’s a label that has led to the extrajudicial murder and harassment of activists, journalists, and organizers, marking them as anti-state.


“So many of those who have been red-tagged were arrested, charged with double charges, and some were even killed,” says Len Olea, managing editor at Bulatlat.


She and her staff regularly worry about their own security.


“There are instances when some of us felt we were being followed,” says Olea.


“But there was no way of confirming.”

It still isn’t clear who, or what, is behind the attack against Bulatlat.


“These troll farms, these malicious bots are being guided and being funded by some entity,” says Lightman.