1 May 2022
When the independent Philippine media site Bulatlat once again got DDoSed, no eyebrows were raised. But when we noticed that the attack traffic came from valid users in Vietnam, we started to smell a rat…
This report is the result of a six-month-long investigation that started out back-tracing a DDoS attack, but ended up tracing and uncovering a large network of Vietnamese fraudsters using Facebook infrastructure and residential proxies to build and control large Facebook bots that are used to monetize Facebook services and carry out malicious activities.
The network of fraudsters and their malicious activities is complex. The first part of this report aims to give you a good overview of the “plot” and an understanding of the chain of actions. The second part presents the actors involved and the communication Qurium has had with each of them. Finally, we present the conclusions of our investigation.
PART 1: THE PLOT
Bulatlat is a Philippine independent media outlet, hosted with Qurium since 2019, when it suffered lengthy DDoS attacks orchestrated by the Duterte regime. Led by Ronalyn Olea – red-tagged and harassed by the government – the organization has since been a frequent target of DDoS attacks, together with many other regime-critical media and human rights organizations in the country.
Therefore, when Qurium in November 2021 detected yet another DDoS attack against Bulatlat, we were not surprised at all. However, when we looked into the attack traffic and saw that the vast majority came from Vietnam, our suspicion was raised and we launched an investigation.
The illustration below guides you through the attacker's path (steps 1-6), from compromising a single Facebook account to launching DDoS attacks and building powerful Facebook bots for malicious activities.
STEP 1: Compromise Facebook account and share content
The attacker compromises a Facebook account and takes over control of it. The compromised account is used to push links to porn or viral videos to tens of contacts/friends.
In the example, the compromised account is used to tag 61 friends with a viral video.
STEP 2: Use bouncing domain to avoid Facebook detection
To prevent Facebook from detecting the phishing attack and blocking the page, the attacker uses an intermediate “bouncing domain”. The bouncing domain redirects Facebook to a “clean” site, while regular users are directed to a phishing page.
When Facebook crawls the link posted by the compromised Facebook account, the bouncing domain answers Facebook with an HTTP redirect to a site without phishing. In this example, dgpedezu[.]wiressid.es was used as the bouncing domain to redirect Facebook to cliphot-24h[.]biz.
STEP 3: Redirect users to phishing pages
When a user clicks on the link from the compromised Facebook account, the bouncing domain redirects to an alternative domain that hosts the phishing page. In our example, dgpedezu[.]wiressid.es redirects the user to cliphot-24h[.]asia (phishing) instead of cliphot-24h[.]biz (clean).
The attacker has automated the attack, and over six months managed to redirect more than 500,000 users to the phishing sites.
By the end of March 2022, Qurium had identified around 100 domain names that were loaded by thousands of users via the Facebook In-App Browser (IAB). The vast majority of the domains were registered through the domain registrar Tenten/GMO (Vietnam) and hosted by Hawk Host Inc (Canada). One of the domains was hosted by the provider Webico.
The actual phishing sites were mainly hosted in Singapore inside Leaseweb’s infrastructure and operated by Canadian hosting company Hawk Host Inc.
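The cloaking trick in Steps 2 and 3 (one redirect for Facebook's crawler, another for real users) can be verified from the defender's side by requesting the same URL with both User-Agents and comparing where each is sent. The check below is an added example written for this report, not Qurium's tooling; the fetchers are constructed offline stand-ins (the `bouncing_domain_fetch` one mimics the dgpedezu.wiressid.es behaviour described above) and a real deployment would plug in an HTTP client with redirect-following disabled.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# User-Agent of Facebook's link crawler and of the Facebook In-App Browser (Android build).
CRAWLER_UA = "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
IAB_UA = ("Mozilla/5.0 (Linux; Android 11; SM-A515F) AppleWebKit/537.36 (KHTML, like Gecko) "
          "Chrome/98.0.4758.101 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/357.0.0.23.115;]")

@dataclass
class Response:
    """Minimal HTTP response: status code plus headers (header names lower-cased)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

# A fetcher is any callable (url, user_agent) -> Response. A real one would wrap urllib
# or requests with redirect-following disabled so that the first hop stays visible.
Fetcher = Callable[[str, str], Response]

def redirect_host(resp: Response) -> Optional[str]:
    """Hostname the response redirects to, or None if it is not a redirect."""
    if 300 <= resp.status < 400 and "location" in resp.headers:
        return (urlsplit(resp.headers["location"]).hostname or "").lower()
    return None

def check_cloaking(url: str, fetch: Fetcher) -> dict:
    """Request the URL once as Facebook's crawler and once as a real user, then compare."""
    crawler_host = redirect_host(fetch(url, CRAWLER_UA))
    user_host = redirect_host(fetch(url, IAB_UA))
    # Cloaked: both requests get redirected, but to different hosts.
    cloaked = crawler_host is not None and user_host is not None and crawler_host != user_host
    return {"crawler_host": crawler_host, "user_host": user_host, "cloaked": cloaked}

# Constructed offline stand-in for the bouncing domain from the report: the Facebook
# crawler is bounced to the clean site, everybody else to the phishing site.
def bouncing_domain_fetch(url: str, user_agent: str) -> Response:
    if user_agent.startswith("facebookexternalhit"):
        return Response(302, {"location": "https://cliphot-24h.biz/"})
    return Response(302, {"location": "https://cliphot-24h.asia/"})

# Constructed benign redirector that sends every client to the same place (HTTPS upgrade).
def honest_fetch(url: str, user_agent: str) -> Response:
    return Response(301, {"location": "https://" + url.split("://", 1)[1]})

if __name__ == "__main__":
    print(check_cloaking("http://dgpedezu.wiressid.es/", bouncing_domain_fetch))
    print(check_cloaking("http://example.com/video", honest_fetch))
```

A hop that is a redirect for one client and a 200 page for the other is also worth flagging in practice; the function above reports the two hosts separately so that case is visible even though it is not counted as `cloaked`.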
STEP 4: Phishing of Facebook credentials
The users are redirected to phishing pages that request Facebook credentials to visit the advertised content.
Day after day, thousands of Facebook accounts get stolen. The credentials (username, password, IP address, timestamp, country) are stored on the phishing sites, sorted by country (ISO code). Passwords of Facebook users from at least 30 different countries are harvested.
STEP 5: DDoSing Bulatlat on the fly!
Apart from carrying out phishing attacks, the malicious phishing websites also load content from external domains, in our case the Philippine alternative media site Bulatlat.com. In this way, the users that visit the viral content also take part in a Distributed Denial of Service (DDoS) attack against Bulatlat.
As a result of the attacker's traffic redirection, Qurium has blocked a total of 60,000 IP addresses every day for months, with more than 95% of the traffic coming from inside Vietnam. We estimate that during the last six months, more than one million Facebook accounts have been targeted by the phishing attack.
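Because the flood in Step 5 is injected into pages served by the phishing sites, every request carries a Referer from those sites and a Facebook In-App Browser User-Agent, which makes it separable from real readers in the web server logs. The script below is an added example, not Qurium's own tooling: it parses combined-format access-log lines, groups Facebook-IAB requests by foreign Referer host and reports the hosts seen from at least a threshold number of distinct client IPs. The sample log lines, the `OWN_HOSTS` set and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Set
from urllib.parse import urlsplit

# Hostnames of the site being flooded; requests referred from these are normal browsing.
OWN_HOSTS = {"bulatlat.com", "www.bulatlat.com"}
# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Markers that identify the Facebook In-App Browser (Android FB_IAB/FB4A, iOS FBAN/FBAV).
FB_IAB_MARKERS = ("FB_IAB", "FBAN/", "FBAV/")

def referer_host(referer: str) -> str:
    """Hostname of a Referer header, or '' when it is absent ("-") or unparsable."""
    if not referer or referer == "-":
        return ""
    return (urlsplit(referer).hostname or "").lower()

def injected_load_sources(lines: Iterable[str], min_ips: int = 3) -> Dict[str, Set[str]]:
    """Map each foreign Referer host to the client IPs that loaded our site from it through
    the Facebook In-App Browser; keep only hosts seen from at least min_ips distinct clients."""
    by_referer = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        host = referer_host(m["referer"])
        if not host or host in OWN_HOSTS:
            continue  # direct hit or one of our own pages: not an injected load
        if not any(marker in m["ua"] for marker in FB_IAB_MARKERS):
            continue  # only the Facebook IAB population is of interest here
        by_referer[host].add(m["ip"])
    return {h: ips for h, ips in by_referer.items() if len(ips) >= min_ips}

# Constructed sample log (documentation-range IPs; not real traffic from the report).
IAB_UA = ("Mozilla/5.0 (Linux; Android 11; SM-A515F) AppleWebKit/537.36 (KHTML, like Gecko) "
          "Chrome/98.0.4758.101 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/357.0.0.23.115;]")
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/98.0 Safari/537.36"

def _line(ip: str, referer: str, ua: str) -> str:
    return f'{ip} - - [12/Nov/2021:10:00:00 +0000] "GET /wp-content/uploads/a.jpg HTTP/1.1" 200 4096 "{referer}" "{ua}"'

SAMPLE_LOG = [
    _line("203.0.113.10", "https://cliphot-24h.asia/video.html", IAB_UA),
    _line("203.0.113.11", "https://cliphot-24h.asia/video.html", IAB_UA),
    _line("203.0.113.12", "https://cliphot-24h.asia/video.html", IAB_UA),
    _line("203.0.113.20", "https://cliphot-24h.asia/video.html", DESKTOP_UA),  # not the IAB
    _line("203.0.113.30", "https://www.bulatlat.com/", IAB_UA),                # own site
    _line("203.0.113.40", "-", IAB_UA),                                         # no Referer
    _line("203.0.113.50", "https://other-site.example/", IAB_UA),              # below threshold
]
```

The union of the returned IP sets is the daily drop list; a GeoIP lookup on it (not shown) is how the Vietnam concentration reported above would be confirmed.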
STEP 6: Creating Facebook bot thanks to Residential Proxies
The compromised Facebook accounts originate from more than 30 countries. In order to access the accounts without raising any suspicion at Facebook or with the account owner, the attacker needs to access them from the same country, and the same provider, as the original user. A convenient way to change a user's apparent geographical location is to use a so-called residential proxy: a service that provides its users with a public IP address tied to a physical location and a physical device, normally a mobile phone. The owner of the mobile phone has (in theory) given informed consent for external actors to use their Internet connection for website testing, ad verification and other legal activities that require a certain geolocation. However, public reports, research and white papers show that residential proxies are used to a wide extent to carry out malicious online activities.
Hence, by using residential proxies the attacker can access the compromised accounts and instruct them to act in favour of its clients. This could be to simply give “Likes” to promote content, participate in campaigns, or act as followers.
Qurium has managed to link the attacker to VNProxy (aka tranduykhuongservice), a Vietnamese reseller of residential proxy services such as Oxylabs, SmartProxy, ShifterProxy and others. In the forum Make Money Online, the user signature of VNProxy includes the proxy service “Luminati” (now known as Bright Data), which Qurium recently investigated and concluded had “enabled” long-lasting DDoS attacks against the Philippine human rights organization Karapatan by allowing the attackers to hide behind its proxy network.
PART 2: THE ACTORS
Domain registrar
Tenten / GMO (Attacker Domain Registrar): close to 80 of the domains used for the phishing attacks were registered with the Vietnamese domain reseller Tenten.
Qurium reached out to the Japanese registrar GMO Internet (the domain registrar used by Tenten) to report the misuse of the domains. GMO forwarded the request to its reseller Tenten, which first refused to handle the abuse case and asked us to contact the hosting provider instead. Tenten also forwarded the abuse report to the attacker. In the end, Tenten agreed to block the first batch of domains that we reported, but stopped responding when we asked them to block additional batches. During the investigation we discovered that Tenten was registering thousands of domains used for fraud.
Namecheap (Attacker Domain Registrar): 17 domains were registered with Namecheap. After sending our abuse report, Namecheap parked the domains.
Mạc Quân Inc (Mien Trung Vinh) (Attacker Domain Registration Proxy): The domain names used by the attacker for the phishing page are associated with the email address vinhcoder2211@gmail.com (Mien Trung Vinh), which has registered hundreds of other domain names since early 2021. Many of these domains are used to run phishing and other types of scam campaigns: promoting content on Facebook, stealing credentials, stealing credit cards and other malicious online activities.
Furthermore, Mạc Quân provides “carding services”, including “BIN” codes (the first digits of a credit card number) that can be used to fake credit card information. Such “BINs” often require that the fraudster uses the card from a specific geolocation, which can easily be achieved with residential proxies. Finally, most of his sites are hosted with the Canadian hosting provider “Hawk Host Inc”.
By using historical WHOIS data, Qurium managed to link vinhcoder2211@gmail.com to “Mac Quan Inc” (macquaninc[.]com) as one of the multiple e-mail addresses it uses; Mac Quan Inc runs a Facebook page specializing in providing domain names and other digital infrastructure to fraudsters.
Qurium reached out to “Mạc Quân”, who is behind the registration of the domains, but no response has been received.
Hosting provider
Hawk Hosting (Attacker Hosting Provider): Hawk Hosting hosts the vast majority of the phishing websites and provides their domain names. Hence, Hawk Hosting is a key figure in this investigation, as they control the attack infrastructure in use.
Qurium reached out to Hawk Hosting on 28 February 2022 and reported 30 domains hosted on three of their servers. A response was received from Brian Farrell (Operations Manager) a few days later, suggesting that we should block the traffic as a way to handle the issue. Two weeks and many mails back and forth later, Hawk Hosting suspended the accounts without further explanation. Days later, the attacker started to host new domains on the very same servers at Hawk Hosting, and continued to do so for the next two months. We mailed Hawk Hosting on 20 March and 20 April indicating that the attacker was still active in their network. No further actions have been taken by Hawk Hosting.
Residential proxies
Vnproxy (Attacker Residential Proxy Reseller): Vietnamese proxy reseller operated by Tran Duy Khuong / Ho Tan Minh. Our investigation reveals that the residential proxy services he resells are used for a wide range of frauds, including carding, Facebook botnets and SEO campaigns. According to Vnproxy, they no longer provide Luminati (Bright Data) proxies, but they refused to explain why.
Oxylabs (Attacker Residential Proxy Provider): Vnproxy is using Oxylabs residential proxy services to carry out fraudulent activities.
Qurium has informed Oxylabs several times by email that their customer Vnproxy / Tran Duy Khuongservice is involved in fraudulent activities using their services. Oxylabs acknowledged receipt of our information but did not confirm whether they could take action or not. Between 16 March and 4 April, Qurium provided Oxylabs with the forensic information included in this report. Oxylabs did not provide any feedback on our findings.
Developer of attack website
Webico (Attacker Development Site): Webico is a web development service from the Vietnamese provider Tino Host. Our investigation revealed that the phishing sites had been developed on a set of development servers, and that the domain baovn247[.]com was used to prepare the attack page. This development domain was hosted inside Tino Host, a provider specialized in optimizing Search Engine Results Pages (SERP) and other marketing services offered by Webico.
Qurium reached out to Bình Trần <binh[@]tino.org> from Tino Host, requesting that he investigate the customer behind the baovn247[.]com account, as this client developed the code for the attack page. After several mails, Tino Hosting suspended the account without further explanation.
Infrastructure provider
Facebook/Meta: During March and April 2022, Qurium shared our discoveries with Facebook and explained how we believe their users' accounts are being harvested. At the time of writing, Qurium has not received any response from Facebook, and the malicious actors are still active on the platform.
PART 3: CONCLUSIONS
For more than six months, Qurium (via Bulatlat.com) has been receiving malicious traffic from close to one million Facebook users, and access to thousands of these accounts has been compromised. The compromised accounts are systematically abused to increase Likes and Followers on demand, as part of a well-established illegal industry inside Facebook.
Actors like Mac Quan Inc (domain and credit card reseller) and Tran Duy Khuong (Vnproxy, an Oxylabs reseller) form part of a vast landscape of actors that profit from cyber-criminal activities. Hosting providers like Hawk Hosting shamelessly profit from hosting such criminal activities, and residential proxy providers like Oxylabs do not take action when evidence of fraud committed by their customers is provided to them.
Bulatlat.com has been flooded with malicious traffic for months as part of a wide cyber-criminal network that camps without limits inside Facebook's infrastructure. Stopping this attack has been a challenge for Qurium, as we have painfully discovered that the actors involved are not interested in solving the problem, but rather in continuing to benefit from the illegal activities.
More than 150 mails have been exchanged with the actors involved, and no forensic evidence presented in this report has been challenged by any of them.
Annex 1
List of domains (as of 1 April 2022), IP addresses and DNS servers used for the phishing sites (Step 3).