Cybercriminals Leveraging Facebook Report

Pierluigi Paganini July 14, 2013

Cybercriminals Leveraging Facebook is the title of  a research that provided evidence that criminal organizations are exploiting Facebook for illegal activities.

Cybercriminals Leveraging Facebook, this is the title of an interesting research conducted by Eric Feinberg, Ian Malloy and Frank Angiolelli that provided evidence of the existence of highly organized criminal networks that are exploiting the popular social network for illegal activities.
Malicious actors and cybercriminals are now leveraging social media as a mass distribution system for advertising counterfeit consumer goods through Facebook and infecting computers to become part of a botnet, or ring of malicious acting computers operating through a remote mechanism.
This activity is trafficking in goods using counterfeit trademarks, leveraging insecure transport for Personally Identifiable Information and utilizing dubious payment processors. The activity is growing to include money mule recruitment and “loan origination” as well as operating under a Chinese and Russian Business Network banner.
The scope of the fraud described in the “Cybercriminals Leveraging Facebook” report are various, following a list of most common
  • Counterfeit merchandise
  • Payday Loans
  • Facebook sites with redirectors
  • Suspected Money Mule Recruitment
  • Counterfeit NFL Jerseys
  • The installation of remote control capabilities, i.e. a zombie computer or ‘bot’
The “Cybercriminals Leveraging Facebook” study laid out evidence that this “system” appears highly organized including creation, masking and distribution system utilizing a definable pattern of replication. These actors are exploiting weaknesses in Facebook API to expose mass numbers of unsuspecting citizens to counterfeit merchandise advertisements per fake profiles.  The mechanism by which the malicious actors are intruding and avoiding detection is through the use of Facebook’s graph API.
In addition, these actors are creating advertisements which are using Facebook’s ad distribution to present their sites across thousands of groups, more specifically fan pages related to professional sports.
The “Cybercriminals Leveraging Facebook” paper documented the organized and distributed network these actors are using, the clearly identifiable patterns and the need for a detection mechanism, following main techniques discussed in the analysis:
Fake User Profiles – These malicious actors are creating Facebook profiles using fictitious names and a methodology following a distinctive pattern. The actors are creating profiles using the most basic settings and mass joining public groups. The number of groups joined ranges from approximately 100 to 400+ per profile and in virtually all cases, the user has never posted anything on their timeline. Using these groups, the “advertisement” posts reach upwards of 300,000 people per fake profile
Cybercriminals Leveraging Facebook fake profiles


The Posts for Counterfeit Merchandise – Once the account is created, it joins hundreds of groups and posts ads. The pattern for the posts these fake profiles are proliferating consist primarily of a sales pitch, a website link containing various domains primarily made up from .tk websites without canonical references followed by a picture of the supposed merchandise to be sold.

Using the Russian Business Network as an Intermediary – These actors are using Russian Business Network IP addresses as intermediaries to host the .tk redirectors. This technique is being used as an evasion tactic to prevent easy discovery and blocking of the offending counterfeit merchandise website.

Cybercriminals Leveraging Facebook RBN

Mass Redirection Using .tk Websites – The actors create multiple redirectors hosted on the same IP address over time

The researchers proved that cybercriminals adopted method of replication being used here is replicated over multiple domains, with multiple redirectors. They also identified the pattern followed by the counterfeit merchandise websites despite they use to rotate domain, hosting, registrar and geo-location, distinct patterns exist across all the websites being distributed centered primarily against the actual content.

FoeI suggest the reading of the interesting white paper ….

Pierluigi Paganini

(Security Affairs – Facebook, Cybercrime, Cybercriminals Leveraging Facebook Report )

you might also like

leave a comment