Threat Analysis: Marketplaces for verified social media accounts

Cyber-crime is a massive ecosystem and social media plays a key role in it. One way to stop them would be to disrupt their supply chain and this is what this post is about. Most cyber-crime groups utilize verified social media accounts to operate below the radar while executing their illegal activities. Namely, here are a few common reasons why cyber-criminals buy and use verified social media accounts.

Anonymously set up marketplaces on social media platforms like Facebook
Implement so-called “blackhat SEO” and sell services (advertisements, likes, reviews, comments, etc.)
Distribute or promote fake news
Avoid bot detection for common automated operations (spam, C2, phising, etc.)
Anonymously use the services offered by that social media platform

There was an excellent slide at HITB GSEC 2017 in the “Facebook – The Deep & Dark Web for Threat Actors in Asia*” presentation by Fadli B. Sidek explaining really nicely the benefits of the use of those Facebook verified accounts by cyber-criminals. Here is that slide.

The above are quite clear indicators that this area of cyber-crime will keep on growing. Some will be developing verified social media accounts and others will be buying them for uses like the ones described.

This underground market has been expanding so rapidly that many threat actors are developing and selling malicious tooling known as “Turboer”. This type of software is designed to exploit popular social media platforms in order to claim high-value account names, and assign them to a verified account. Typically, cyber-criminals subsequently sell those verified accounts for much higher prices.

The reason I made this post was my initial comment, if we would like to disrupt the supply chain of cyber-criminals this is an area we need to target. As more and more cyber-criminals utilize those verified social media accounts for malicious purposes, the demand increases, and the ecosystem keeps on growing.