In November 2021, Tord Lundström, the technical director at Swedish digital forensics nonprofit Qurium Media, noticed something strange. A massive distributed denial of service (DDoS) attack was targeting Bulatlat, an alternative Phillippine media outlet hosted by the nonprofit. And it was coming from Facebook users.
Lundström and his team found that the attack was just the start of it. Bulatlat had become the target of a sophisticated Vietnamese troll farm that had captured the credentials of thousands of Facebook accounts and turned them into malicious bots to target the credentials of yet more accounts to swell its numbers.
The volume of this attack was staggering even for Bulatlat, which has long been the target of censorship and major cyberattacks. The team at Qurium was blocking up to 60,000 IP addresses a day from accessing Bulatlat’s website. “We didn’t know where it was coming from, why people were going to these specific parts of the Bulatlat website,” says Lundström.
When they traced the attack, things got weirder still. Lundström and his team found that requests for pages on Bulatlat’s website were actually coming from Facebook links disguised to look like links to pornography. These scam links captured the credentials of the Facebook users and redirected the traffic to Bulatlat, essentially executing a phishing attack and a DDoS attack at the same time. From there, the compromised accounts were automated to spam their networks with more of the same fake porn links, which in turn sent more and more users careering toward Bulatlat’s website.
Though Facebook parent company Meta has systems in place to detect phishing scams and problematic links, Qurium found that the attackers were using a “bouncing domain.” This meant that if Meta’s detection system were to test the domain, it would link out to a legitimate website, but if a regular user clicked on the link, they would be redirected to the phishing site.
After months of investigation, Qurium was able to identify a Vietnamese company called Mac Quan Inc. that had registered some of the domain names for the phishing sites. Qurium estimates that the Vietnamese group had captured the credentials of upwards of 500,000 Facebook users from more than 30 countries using some 100 different domain names. It’s thought that over 1 million accounts have been targeted by the bot network.
To further circumvent Meta’s detection systems, the attackers used “residential proxies,” routing traffic through an intermediary based in the same country as the stolen Facebook account—normally a local cell phone—to make it appear as though the login was coming from a local IP address. “Anyone from anywhere in the world can then access these accounts and use them for whatever they want,” says Lundström.
A Facebook page for “Mac Quan IT” states that its owner is an engineer at the domain company Namecheap.com and includes a post from May 30, 2021, where it advertised likes and followers for sale: 10,000 yen ($70) for 350 likes and 20,000 yen for 1,000 followers. Startup contacted the email attached to the Facebook page for comment but did not receive a response. Qurium further traced the domain name to an email registered to a person called Mien Trung Vinh.