Hackers are recruiting the internet of things into a botnet. But this time they’re not trying to take down the internet. They’re just using the devices to make fake social media accounts – which they can then sell to online narcissists to make an easy buck.
Masarah-Cynthia Paquet-Clouston, a criminologist with the University of Montreal, and Olivier Bilodeau, a cybersecurity researcher at Montreal-based company GoSecure, have uncovered a large botnet that recruits everyday devices such as connected toasters, fridges or even your grandmother’s router to help commit social media fraud. They think that this stealthy, lucrative scheme is a glimpse into the future of low-level cybercrime.
Bilodeau had been tracking the Linux/Moose malware, which infects routers and other smart devices to turn them into a botnet, for a few years when it went dormant.
He suspected the malware was still out there and evolving, so he teamed up with Paquet-Clouston to lure the new variant into a trap. They created a honeypot – a virtual device disguised to look like a poorly secured router. When the malware tried to infect the device, they gained access to the botnet so they could study the scheme. The researchers presented their work at the Black Hat Europe security conference in London on Friday.
Botnets may be best known for spam, ad fraud or distributed denial of service (DDoS) attacks like the one that brought down many major websites last month. But the Linux/Moose botnet has a different job – directing traffic to social media sites.
The botnet operator uses the internet of things to cover their tracks so that social media accounts they create aren’t immediately flagged as bogus. “Usually when a social network sees thousands of users coming from a single IP address, it’s a red flag for fake accounts,” Paquet-Clouston explains.
Once the botnet has grandma’s router under its control, it uses the device as a proxy to make it look like its traffic is coming from that router’s “clean” IP address when it visits a social media site to make a new account.
Armed with their empire of fake accounts, the botnet operator – whose identity is not known – advertises followers for sale on platforms including Instagram and Twitter.
These zombie followers are available to buy in packs of 1000 (for $2.95) to 50,000 ($249.95). The accounts tend to be fairly basic, with zero posts and perhaps one follower. Their profile photos are often a plant or an animal, says Paquet-Clouston.
The behaviour of the Linux/Moose followers is just sophisticated enough to evade immediate detection by social networks’ fake account filters. “We watched these fake followers logging into their fake accounts, checking their fake inbox, looking at recipients of likes,” she says.
Who buys such followers? The researchers found that customers include shady online companies, a few bricks-and-mortar businesses such as restaurants in Kuwait and Bali and, most often, self-promoting individuals.
“We saw a lot of web developers, body builders and aspiring celebrities,” says Paquet-Clouston. “The kind of people who post pictures on their social media accounts of half-naked models drinking champagne on a yacht.”
Crunching the numbers, Paquet-Clouston and Bilodeau concluded that the botnet operator makes between $200,000 and $400,000 every month – and for minimal effort. “He’ll have to spend about a month constructing it, but then after that it’s just maintenance,” says Bilodeau. “And I guess customer service.”
Internet of things devices are often unsecured, making them an easier target than computers. And as the Linux/Moose botnet makes minimal demands of its digital slaves, its attack can easily go unnoticed.
“Grandma is never aware that her router has been hijacked, provided her internet connection is fast enough,” says Bilodeau. “It’s not slowing down her PC. And if she does something as simple as shutting down her router and restarting, the malware is gone. But pretty soon it will come knocking at the same unsecured door again.”
The low-level and relatively victimless nature of the crime also helps the operators fly under the radar and avoid getting caught.
“They can just call themselves social marketers, and then they could even file taxes,” says Masarah. The botnet operators advertise their fake followers in the open and accept real credit cards. “No normal accountant would be aware that they’re doing anything illegal.”
But Evan Blair, co-founder of ZeroFox in Baltimore, Maryland, says this kind of attack still represents a real threat. “They’re a different kind of botnet – not a watered down one,” he says. “Fake followers can operate independently, take commands, promote and push malicious content. All these accounts accept remote commands from people who control them.”
The rapidly growing field of social media fraud, he says, includes everything from phishing schemes – where attackers trick people into giving up sensitive information – to identity theft. Bots can also add fake support to political messages, for instance spamming #Hillary or, more often, #Trump comments on social media.
“All the political campaigns buy fake followers,” says Blair. “A tonne of them.”
The seller of the Linux/Moose botnet, in keeping with their low-key, low-effort approach, didn’t offer a commenting option for their fake accounts – “but [they] could easily have done,” says Paquet-Clouston.