Exposed: the threat actors who are poisoning Facebook

An investigation of the infamous “Is That You?” video scam has led Cybernews researchers to a cybercriminal stronghold, from which threat actors have been infecting the social media giant with thousands of malicious links every day. At least five suspects, thought to be residing in the Dominican Republic, have been identified.

Facebook has long been a happy hunting ground for online crooks, who take great pleasure in turning unwary members of the internet community into their prey.

It can start with something as seemingly innocuous as a message from a “friend” – in fact a cybercriminal pretending to be such – inviting you to click on a juicy link to the next big share-fest, be it a music clip, funny video, or anything else you might be interested in.

Screenshot of the original Is That You? scam uncovered on Facebook.

The only thing that’s juicy about such bogus links is the bundle of personal details you are giving up by clicking on them, because it won’t be the latest hot clip you’re sharing when you do – just your name, address, and passwords, which are then harvested for profit by the threat actor who has fooled you.

Given its likelihood of being used as a platform for such scams, Facebook has been on the Cybernews radar for some time – in February last year, we exposed the “Is That You?” phishing scam on its Messenger service that had been doing the rounds since at least 2017.

Since then, the research team has remained vigilant, keeping tabs on suspect activities on Facebook. Recently, that vigilance was rewarded when we received a tip-off from fellow cyber investigator Aidan Raney – who first reached out to us after our original findings were published – that malicious links were being distributed to users.

Upon further examination, it turned out that thousands of these phishing links had been distributed, through a devious network sprawling across the back channels of the social media platform.

Left unchecked, this could result in hundreds of thousands of unwary social media users falling foul of the dodgy links – the “Is That You?” scam was thought to have hooked in around half a million victims before we uncovered it.

That campaign was initiated by sending the potential mark a message from one of their Facebook contacts. The message contained what appeared to be a video link, with text in German suggesting that the recipient was featured in the clip.

Mind map of a devious cybercriminal enterprise.

The game is afoot!

Hot for the chase, our cyber detectives began their inquiry by scrutinizing a malicious link sent to one victim, to learn how the scam had been put together.

“I figured out what servers did what, where code was hosted, and how I could identify other servers,” said Raney. “I then used this information and [a website that allows one to scan URLs] to look for more phishing links matching the same characteristics as this one.”

A thorough search of servers connected to the phishing links turned up a page that was sending credentials to a site called Further scrutiny revealed a banner thought to be attached to a control panel, with the text "panelfps by braunnypr" written on it.

Using these as keywords in a subsequent search led the research team straight to the panel and banner creator, whose email address and password combinations were also discovered – neatly turning the tables on cybercriminals used to stealing credentials of unsuspecting web users.

Inside a criminal stronghold

Using the threat actor’s own details, Cybernews accessed a website that turned out to be the command and control center for most of the phishing attacks linked to the gang, thought to number at least five threat actors but possibly many more. This provided our intrepid investigators with a trove of information on the crooks behind the Facebook phishing scam, including their likely country of residence – the Dominican Republic.

“We were able to export the user list for everybody registered to this panel,” said the Cybernews researcher. “Using the usernames on the list, we started uncovering the identities of as many people on the list as people, but there is still more work to be done.”

One of the suspects that Raney identified is likely the same threat actor that the Cybernews research team was able to name in February 2021. Back then, we sent the relevant information to the Cyber Emergency Response Team (CERT) in the Dominican Republic, as evidence suggested that the campaign was also launched from there.

At the time of writing, all relevant information has been handed over to the authorities pending further investigation.

What you can do to protect yourself

  • Use unique and complex passwords for all of your online accounts. Password managers help you easily create strong passwords and notify you of password reuse.
  • Use multi-factor authentication where possible.
  • Beware of any messages sent to you, even from your contacts. Phishing attacks usually employ some type of social engineering to lure users into clicking on malicious links or downloading infected files.
  • Be mindful of any suspicious activity on your Facebook or other accounts.