The outpour of video-based scams on Facebook has probably set us all wondering how much effort scammers are forced to invest in their not so honorable exploits. Is there a scammer sweatshop packed with tiny slaves digging up the latest tricks in scam propagation techniques? Or does launching a scam wave simply mean pushing a big red button that reads SCAM AWAY? Knowing scammers’ propensity for easy gains, I took a closer look at some of the suspicious apps recently detected by Bitdefender Safego only to find that their wildfire pattern of propagation is mostly due to the use of a classic technique used in malware and spam dissemination: domain name adjustment. Can’t teach an old dog new tricks? With Facebook scams, these words of wisdom get a twist: it’s actually not worth trying to.
For those of you who are not very familiar with the structure of a domain name, here’s an illustration of the two main concepts I’ll be using in my demonstration: the domain and the parameter.
Now let’s see how the domain name adjustment technique applies to Facebook scams.
1. Same Domain + Random Strings
In this case, you can see that the scammers started from the fblike1.bla domain and generated a random string of precisely eight figures or letters in order to create each unique page (marked in red). The addition of the "watch" particle in the URL parameter is intended to lure users to access the page.
2. Slightly Varying Domain + Random Strings
Using just one domain won’t take you too far, and that’s because of a minor detail such as blacklisting. In this particular case, the scammers started from fblike and gradually added figures to it. The fact that we do not see "fblike2" or "fblike4" in here is just because these domains are on hold for the current attacks. However, be sure that they will be used in the near future.
Just as in the previously described set of examples, "watch" is followed by a randomly generated string of precisely eight figures or letters.
3. Completely Different Domains
This set of URLs illustrates how the scammers switch to generating completely different domains to serve their purpose. While they used key words such as "vid" (from video) and "lol" in order to increase the attractiveness of these domains, they kept the latter part of the URL the same, which undermines the propagation efforts by making detection easier.
4. Ultimate Randomization
These are more complex examples. Each URL contains 3 different strings that are computer generated.
1. a string of 9 or 10 letters or figures, which is the sub-domain (in green)
2. a string of 6 letters or figures, which is the actual domain (in blue)
3. a string of 5 or 6 figures, which is the URL parameter (in orange)
This variety of the domain name adjustment method that can be used to generate a huge number of URLs. If we were to make an estimate of the total number of possible domain combinations we’d end up with a staggering 2,176,782,336. (six times each letter and figure).
In a less sophisticated form of the Ultimate Randomization variety (illustrated in the 2 examples above), the parameter stays the same, which decreases the number of possible URLs.
So, what does all of this mean? URL blacklisting is becoming less and less efficient as scammers manage to generate a huge number of domains for each scam wave. It is precisely because of this that BitDefender Safego, for instance, uses heuristic scanning in order to provide more accurate detection.
This article is based on the technical information provided courtesy of Tudor Florescu, BitDefender Online Threats Analyst
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.