My Bitdefender
  • 0 Shopping Cart

Bitdefender Blog

Classic Domain Name Philosophy behind Facebook Scams

by Bitdefender Security Specialists, on 22 August 2011

Millions of Facebook scam hotspots can easily be created by means of a simple domain name adjustment technique traditionally used to spread malware and spam.

The outpour of video-based scams on Facebook has probably set us all wondering how much effort scammers are forced to invest in their not so honorable exploits. Is there a scammer sweatshop packed with tiny slaves digging up the latest tricks in scam propagation techniques? Or does launching a scam wave simply mean pushing a big red button that reads SCAM AWAY? Knowing scammers’ propensity for easy gains, I took a closer look at some of the suspicious apps recently detected by Bitdefender Safego only to find that their wildfire pattern of propagation is mostly  due to the use of  a classic technique  used  in malware and spam dissemination: domain name adjustment. Can’t teach an old dog new tricks? With Facebook scams, these words of wisdom get a twist: it’s actually not worth trying to.

For those of you who are not very familiar with the structure of a domain name, here’s an illustration of the two main concepts I’ll be using in my demonstration: the domain and the parameter.

Now let’s see how the domain name adjustment technique applies to Facebook scams.

1. Same Domain + Random Strings

http://fblike1.bla/?watch=mkjqp67E

http://fblike1.bla/?watch=tI8j4osB

http://fblike1.bla/?watch=shDcEp1r

http://fblike1.bla/?watch=xnF5slCz

http://fblike1.bla/?watch=6vddD91s

 

In this case, you can see that the scammers started from the fblike1.bla domain and generated a random string of precisely eight figures or letters in order to create each unique page (marked in red). The addition of the "watch" particle in the URL parameter is intended to lure users to access the page.

 

2. Slightly Varying Domain + Random Strings

 

http://fblike3.bla/?watch=sIzfC7Dx

http://fblike3.bla/?watch=q5FzyjDu

http://fblike10.bla/?watch=EqI3etxh

http://fblike10.bla/?watch=oefdghwm

 

Using just one domain won’t take you too far, and that’s because of a minor detail such as blacklisting. In this particular case, the scammers started from fblike and gradually added figures to it. The fact that we do not see "fblike2" or "fblike4" in here is just because these domains are on hold for the current attacks. However, be sure that they will be used in the near future.

Just as in the previously described set of examples, "watch" is followed by a randomly generated string of precisely eight figures or letters.

3. Completely Different Domains

http://www.gevid34.bla/index3.php

http://www.deuadfge.bla/index3.php

http://www.lozldager.bla/index3.php

http://www.vidzdelol.bla/index3.php

http://www.loldelol.bla/index3.php

http://www.videz24.bla/index3.php

 

This set of URLs illustrates how the scammers switch to generating completely different domains to serve their purpose. While they used key words such as "vid" (from video) and "lol" in order to increase the attractiveness of these domains, they kept the latter part of the URL the same, which undermines the propagation efforts by making detection easier.

 

4. Ultimate Randomization

http://is8roadfh.vo692n.bla/index.php?id=203755

http://9mf0roadfh.5bf26a.bla/index.php?id=63385

http://z0p8roadfh.tw5alg.bla/index.php?id=265250

http://ihw2roadfh.axw8zd.bla/index.php?id=273788

 

These are more complex examples. Each URL contains 3 different strings that are computer generated.

1. a string of 9 or 10 letters or figures, which is the sub-domain (in green)

2. a string of 6 letters or figures, which is the actual domain (in blue)

3. a string of 5 or 6 figures, which is the URL parameter (in orange)

This variety of the domain name adjustment method that can be used to generate a huge number of URLs. If we were to make an estimate of the total number of possible domain combinations we’d end up with a staggering 2,176,782,336. (six times each letter and figure).

 

http://z0p8roadfh.bpq20t.bla/index.php

http://proninadfh.5tdgh5.bla/index.php

 

In a less sophisticated form of the Ultimate Randomization variety (illustrated in the 2 examples above), the parameter stays the same, which decreases the number of possible URLs.

So, what does all of this mean? URL blacklisting is becoming less and less efficient as scammers manage to generate a huge number of domains for each scam wave. It is precisely because of this that BitDefender Safego, for instance, uses heuristic scanning in order to provide more accurate detection.
 

This article is based on the technical information provided courtesy of Tudor Florescu, BitDefender Online Threats Analyst 

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

Bitdefender Security Specialists

Bitdefender Labs

Daily "Did you know?"

On July 31, 2008, the Koobface computer worm started to target users of Facebook and MySpace; and new variants still constantly appear.

Authors

  • Bitdefender Security Specialists
    Bitdefender Labs
  • Catalin Cosoi
    Chief Security Researcher
  • Dan Lowe
    Dan Lowe, an OEM Senior Marketing Manager, has been working with Bitdefender for the last 3 ½ years. His familiarity with multiple security products from Firewalls to Antivirus has provided him a unique perspective on the security industry.
  • Ligia Adam
    Security Evangelist and Social Media Professional
  • Loredana Botezatu
    Loredana Botezatu – E-threat Analyst – Loredana has been writing about the IT world and e-security for well over five years. She has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.

Categories

HOTforSecurity