An investigation of the infamous “Is That You?” video scam has led Cybernews researchers to a
cybercriminal stronghold, from which threat actors have been seeding the social media giant with thousands
of malicious links every day. At least five suspects, thought to be residing in the Dominican Republic, have been
identified.
Facebook has long been a happy hunting ground for online crooks, who take great pleasure in turning
unwary members of the internet community into their prey.
It can start with something as apparently
innocuous as a message from a “friend” – in fact a cybercriminal posing as one – inviting
you to click on a juicy link to the next big share-fest, be it a music clip, funny video, or anything
else you might be interested in.
Screenshot of the original Is That You? scam uncovered on Facebook.
The only thing that’s juicy about such bogus links is the pack of
personal details you're giving up by clicking on them, because it won’t be the latest hot clip you’re sharing
when you do – just your name, address, and passwords, which are then harvested for profit by the threat actor
who has tricked you.
Given its propensity to be used as a platform for such scams, Facebook has
been on the Cybernews radar for some time – in February last year, we exposed the “Is That You?” phishing
scam on its Messenger service that had been doing the rounds since at least 2017.
Since then, the research
team has remained vigilant, keeping tabs on suspicious activity on Facebook. Recently, that vigilance was
rewarded when we received a tip-off from fellow cyber investigator Aidan Raney – who first reached out to us
after our original findings were published – that malicious links were being distributed to users.
Upon
further examination, it turned out that thousands of these phishing links had been distributed, through a
devious network sprawling across the back channels of the social media platform.
Left unchecked, this could
result in hundreds of thousands of unwary social media users falling foul of the dodgy links – the “Is
That You?” scam was thought to have hooked in around half a million victims before we uncovered it.
That
campaign was initiated by sending the potential mark a message from one of their Facebook
connections. The message contained what appeared to be a video link, with text in German
suggesting that they were featured in the clip.
Mind map of a devious cyber criminal enterprise.
The game is afoot!
Hot for the chase, our cyber detectives began their inquiry by scrutinizing a malicious link sent to one victim, to learn how the scam had been put together.
“I figured out what servers did what, where code was hosted, and how I could identify other servers,” said Raney. “I then used this information and urlscan.io [a website that allows one to scan URLs] to look for more phishing links matching the same characteristics as this one.”
A thorough search of servers connected to the phishing links turned up a page that was sending credentials to a site called devsbrp.app. Further scrutiny revealed a banner thought to be attached to a control panel, with the text panelfps by braunnypr written on it.
Using these as keywords in a subsequent search led the research team straight to the panel and banner creator, whose email address and password combinations were also discovered – neatly turning the tables on cybercriminals used to stealing credentials of unsuspecting web users.
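The pivoting described above, from one phishing page to its siblings via shared infrastructure, is easy to reproduce on scan data. The script below is an added illustration written for this article; it is not Cybernews’ or Aidan Raney’s tooling and does not talk to urlscan.io. The scan records are constructed stand-ins for what a URL scanner returns (the schema, the helper names and every domain except devsbrp.app, which the article names as the credential drop, are this example's own assumptions). Starting from one seed scan, it extracts two kinds of indicator, the off-site host that the login form POSTs credentials to and any distinctive strings rendered on the page such as the panel banner, and then finds every other record sharing one of them. Generic strings that also appear on the real login page are filtered out, which is the check that keeps a pivot like this from pulling in the legitimate site.

```python
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ScanRecord:
    """Minimal stand-in for one URL-scanner result (a constructed schema,
    not urlscan.io's own): the scanned URL, where its login forms POST,
    and strings visible on the rendered page."""
    url: str
    form_actions: tuple[str, ...]
    visible_text: tuple[str, ...]


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def exfil_hosts(rec: ScanRecord) -> set[str]:
    """Hosts that receive submitted credentials, excluding the page's own host.
    A login form that POSTs off-site is the tell-tale sign of a phishing kit."""
    own = host_of(rec.url)
    return {h for h in map(host_of, rec.form_actions) if h and h != own}


def banner_strings(rec: ScanRecord) -> set[str]:
    return {s.strip().lower() for s in rec.visible_text if s.strip()}


def pivot(seed: ScanRecord, corpus: list[ScanRecord], max_df: int = 2) -> list[tuple[str, list[str]]]:
    """Return (url, shared_indicators) for corpus records that share an
    exfil host or a banner string with the seed, strongest match first.

    Banner strings seen in more than max_df records are ignored: a generic
    brand string such as 'Log in to Facebook' also appears on the genuine
    login page and would otherwise drag legitimate sites into the cluster."""
    df = Counter(s for rec in corpus for s in banner_strings(rec))
    seed_hosts = exfil_hosts(seed)
    seed_banners = {s for s in banner_strings(seed) if df[s] <= max_df}
    hits = []
    for rec in corpus:
        if rec.url == seed.url:
            continue
        shared = ["exfil:" + h for h in sorted(exfil_hosts(rec) & seed_hosts)]
        shared += ["banner:" + b for b in sorted(banner_strings(rec) & seed_banners)]
        if shared:
            hits.append((rec.url, shared))
    hits.sort(key=lambda hit: (-len(hit[1]), hit[0]))
    return hits


# Constructed sample corpus. Only devsbrp.app comes from the article; the
# .invalid and example.net hosts are placeholders for this example.
SEED = ScanRecord(
    url="https://video-share.example.invalid/ist-das-du",
    form_actions=("https://devsbrp.app/login.php",),
    visible_text=("Log in to Facebook", "panelfps by braunnypr"),
)
CORPUS = [
    SEED,
    # Same kit on another lure domain: credentials go to the same drop host.
    ScanRecord("https://clip-view.example.invalid/v/123",
               ("https://devsbrp.app/login.php",), ("Log in to Facebook",)),
    # Different drop host, but the same panel banner gives it away.
    ScanRecord("https://login-check.example.invalid/",
               ("https://login-check.example.invalid/post",), ("panelfps by braunnypr",)),
    # Stand-in for the genuine site: form posts to itself, generic title only.
    ScanRecord("https://social.example.net/login",
               ("https://social.example.net/login/device-based/",), ("Log in to Facebook",)),
    # Unrelated page that should never match.
    ScanRecord("https://shop.example.net/account",
               ("https://shop.example.net/account",), ("Sign in",)),
]

if __name__ == "__main__":
    for url, shared in pivot(SEED, CORPUS):
        print(url, "<-", ", ".join(shared))
```

Run as is, the script links the two kit pages to the seed (one through the devsbrp.app drop host, one through the banner) and leaves the stand-in for the genuine login page alone, because its title string is too common across the corpus to count as an indicator. Against real scanner output the same two pivots map onto host and page-content searches; the banner string in particular is the kind of keyword that, as the article describes, led straight to the panel's author.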
Inside a criminal stronghold
Using the threat actor’s own details, Cybernews accessed a website that turned out to be the command and control center for most of the phishing attacks linked to the gang, thought to number at least five threat actors but possibly many more. This provided our intrepid investigators with a trove of information on the crooks behind the Facebook phishing scam, including their likely country of residence – the Dominican Republic.
“We were able to export the user list for everybody registered to this panel,” said the Cybernews researcher. “Using the usernames on the list, we started uncovering the identities of as many people on the list as possible, but there is still more work to be done.”
One of the suspects that Raney identified is likely the same threat actor that the Cybernews research team was able to name in February 2021. Back then, we sent the relevant information to the Cyber Emergency Response Team (CERT) in the Dominican Republic, as evidence suggested that the campaign was also launched from there.
At the time of writing, all relevant information has been handed over to the authorities pending further investigation.
-Prameet