Behind the Scenes: The Industry of Social Media Manipulation Driven by Malware

Conference:  BlackHat USA 2019

2019-08-07

Summary

The presentation discusses the investigation of a botnet called Linux Moose and its connection to the automation software used for managing fake accounts on social media platforms.
  • The investigation involved accessing raw traffic and analyzing it to identify infected hosts, HTTP traffic, C&C traffic, and publicly available seller markets.
  • The concept of whitelisted IPs within the infrastructure of Linux Moose was discovered, which could potentially be used for a reseller model of fake followers and likes on social media platforms.
  • Traffic analysis was used to correlate the whitelisted IPs with fake account management on social media platforms.
  • An ecosystem of automation software for managing fake accounts on social media platforms was discovered, and the investigation focused on identifying the specific software used by Linux Moose.
  • The use of thick clients with grid layouts and proxy support was found to be common among the various vendors of automation software.
The investigation found that each whitelisted IP address was tied to a list of fake accounts, and that each of these IPs was hosted on a Windows server with Remote Desktop Protocol actively in use. This led to the discovery of an ecosystem of automation software for managing fake accounts on social media platforms, which offers a grid layout for managing thousands of fake accounts and instructing them to perform specific actions.
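The traffic-analysis step described above, as an added illustration that is not code from the talk or its authors: given constructed, decrypted request records (the line format, IP addresses, account names and thresholds are all assumptions), it groups traffic by client IP and flags addresses that drive many distinct accounts with mostly follow and like actions, the footprint of a grid-based fake-account manager sitting behind one whitelisted IP.

```python
from collections import Counter, defaultdict

# Constructed sample (not data from the talk). Each line stands for one decrypted
# HTTPS request observed between a monitored host and a social network:
# client_ip platform account action
SAMPLE_LOG = """\
203.0.113.10 instagram acct_0001 follow
203.0.113.10 instagram acct_0002 follow
203.0.113.10 instagram acct_0003 like
203.0.113.10 twitter acct_0004 follow
203.0.113.10 instagram acct_0005 like
198.51.100.7 instagram acct_0101 post
198.51.100.7 instagram acct_0101 like
192.0.2.55 twitter acct_0201 follow
192.0.2.55 twitter acct_0202 follow
192.0.2.55 twitter acct_0203 follow
"""

# Actions that fake-popularity sellers deliver in bulk (assumed set).
ENGAGEMENT_ACTIONS = {"follow", "like"}

def parse_log(text):
    """Yield (ip, platform, account, action) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)

def profile_by_ip(records):
    """Group requests by client IP: distinct accounts, platforms and action counts."""
    profiles = defaultdict(lambda: {"accounts": set(), "platforms": set(), "actions": Counter()})
    for ip, platform, account, action in records:
        p = profiles[ip]
        p["accounts"].add(account)
        p["platforms"].add(platform)
        p["actions"][action] += 1
    return profiles

def flag_automation_ips(records, min_accounts=3, min_engagement_ratio=0.8):
    """Return (ip, account_count, platforms) for IPs that operate at least
    min_accounts distinct accounts and whose traffic is mostly follow/like,
    sorted by the number of accounts controlled (largest first)."""
    flagged = []
    for ip, p in profile_by_ip(records).items():
        total = sum(p["actions"].values())
        engagement = sum(n for a, n in p["actions"].items() if a in ENGAGEMENT_ACTIONS)
        if len(p["accounts"]) >= min_accounts and engagement / total >= min_engagement_ratio:
            flagged.append((ip, len(p["accounts"]), sorted(p["platforms"])))
    return sorted(flagged, key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    for ip, n_accounts, platforms in flag_automation_ips(parse_log(SAMPLE_LOG)):
        print(f"{ip}: {n_accounts} accounts on {', '.join(platforms)}")
```

On the sample, the single-account host posting its own content (198.51.100.7) is left alone while the two hosts cycling through several accounts are reported.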

Abstract

This talk is the 'grand finale' of a four-year long investigation that started with analyzing an IoT botnet and led to discovering the structured industry that exists behind social media manipulation (SMM). SMM is the deliberate act of paying for popularity with followers or activity on social media.

Adopting a bottom-up approach, the thorough methodology undertaken to study the botnet will be presented: from building honeypots, infecting them with malware and conducting a man-in-the-middle attack on the honeypots' traffic to access the decrypted HTTPS content between the C&Cs and social networks. Then, the various investigative paths taken to analyze this large data set, leading to the discovery of many industry actors involved in the supply chain of social media manipulation, will be presented. These investigative paths include traffic analysis, various OSINT approaches to reveal and understand actors, reverse-engineering the software that automates the use and creation of fake accounts, forum investigations, and qualitative profiling. All actors involved in the industry will be mapped, from malware authors to reseller panels and customers of fake popularity. The potential profitability of the industry will then be discussed, as well as the revenue division in the supply chain, demonstrating that the ones making the highest revenue per fake follower sold are not the malware authors, but rather those at the end of the chain. Different approaches to disrupt social media manipulation will also be discussed, giving practical insights for cybersecurity professionals, law enforcement agencies, and policy makers willing to curb this illicit industry.
