Want to give your blog a push or your “gun show” more views? Then why not buy 50,000 fake followers for $1,000! Click farms from down South or botnets such as Game over Zeus will be more than happy to supply them for you.

For this talk, a criminologist and a security researcher teamed up to hunt a large-scale botnet dubbed Linux/Moose 2.0 that conducts social media fraud. The hunt was fastidious since Linux/Moose 2.0 has stealth features and runs only on embedded systems such as consumer routers or Internet of Things (IoT) devices. Using honeypots set up across the world, we managed to get virtual routers infected to learn how this botnet spread and operated. To do so, we performed an HTTPS man-in-the-middle attack to decrypt its traffic. This gave us an impressive amount of information on the botnet’s activities: the name of the fake accounts it uses, its modus operandi to create fake followings and the identification of its consumers, companies and individuals.

This talk will be of interest to a wide audience. First, it will present the elaborate methodology that was used to infect custom honeypots with Linux/Moose 2.0 and led to contributions to the open-source Cowrie Honeypot Project. Second, it will describe the technical details behind the man-in-the-middle attack conducted to decrypt the traffic. Analyses from the decrypted traffic will be presented: what’s the botnet’s sneaky modus operandi to create fake endorsement and what sly techniques it uses to avoid detection. The presentation will further increase its draw by placing the botnet’s activities within a larger-scope: the criminal market for social media fraud. With the data gathered from the decrypted traffic and open-source research, market dynamics behind social media fraud will be presented. Finally, we will cover how botnet operators, wholesalers and online merchants leverage each other to create a criminal market that easily supports money laundering.