The internet is full of fakery—so much so that RiskIQ has several categories for websites that all begin with the word “fake”: fake tech support, fake software, fake rewards, etc. These types of sites are lucrative to operate and have become extremely common, barraging users with pages masquerading as something they are not. But other than being disingenuous, these pages usually have something else in common: their primary tactic is social engineering, i.e., using basic human drives and emotions to trick a percentage of users into taking their desired action, often a click, so they can divert and potentially monetize the traffic. One prevalent and particularly nefarious example of this behavior is the fingta fake online dating campaign, which is driving a mind-boggling amount of traffic.
To state the obvious, fake online dating is not a new concept. Emotions elicited by love, companionship, and romance are powerful tools for cyber threat actors hoping to get people to forgo their better judgment and engage in risky online behaviors. The instance shown above is not particularly novel; it uses sexualized images along with blunt language to convince the user to click the link that redirects to another page, typical of the myriad fake dating pages RiskIQ identifies every day. However, the fingta fake dating campaign sticks out because of the sheer volume of traffic it’s seeing.
Alexa currently ranks fingta.com, the fake dating domain shown above, at 4,163 globally. The graph provided shows its meteoric rise from non-existence some months ago to this extremely high ranking, which it has steadily maintained since April. So what sets the traffic flow to this site apart from the millions like it?
Using RiskIQ Community Edition to look up more granular information about the domain shows that it first started seeing traffic on February 2nd of this year and has been on a single IP address (220.127.116.11) for the entirety of its existence. The cyber threat actors behind this simple fake dating page garnered and maintained such a high volume of traffic in such a short amount of time via a couple of tactics.
One method, which is described in this blog post, is an adware campaign that pushes browsers to fingta.com, inserts hyperlinks, injects ad banners, and exhibits other behaviors designed to generate revenue by driving traffic to the provocative content at fingta.com.
RiskIQ data, which our virtual user technology collects, shows this traffic from a different angle to uncover the second method. These crawlers launch from a constantly evolving global web proxy network with more than 520 egress points in more than 40 countries and experience websites as human users do. Unlike the victims of adware described in the blog above, our virtual users experience sites without toolbars or adware installed. Nevertheless, they were sent to Fingta 5.4M times in the past five months. How? Traffic redirection.
Let’s break down this technique by looking at a traffic sequence leading to a fingta page:
The sequence above shows a site (watchseries.do) that provides access to illegally streamed copyrighted content. It also provides an impressive amount of scammy pop-ups and redirections through various ad networks. By redirecting traffic from these other popular sites, these actors hope users will be hooked in by the fake dating content on fingta.com to generate clicks and potentially redirect them elsewhere.
In this instance, our crawler was redirected through 'predictivadnetwork.com' to 'jebtrack.com', which in turn redirected to 'rupair1.fingta.com'. Looking through other crawls that include this domain, we see a variety of ad network redirectors—but in every instance, jebtrack.com shows up just before fingta.
Let’s take a closer look at jebtrack.com. This domain uses the same IP address as fingta.com and was first seen on the same day fingta.com was. Based on these commonalities and their close association in crawl sequences, it’s likely these two domains are related and under the control of the same person or group.
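The pivot described in the two paragraphs above, as an added example that is not RiskIQ's code: it finds the host that sits immediately before the landing zone in every crawl chain, then checks whether that host shares an IP and first-seen date with the landing domain. The crawl chains, URL paths, `.example` hosts, IP address and dates are constructed for illustration; only the domain names come from the article.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed crawl sequences (ordered redirect hops), not real crawl data.
CRAWLS = [
    ["http://watchseries.do/", "http://predictivadnetwork.com/r",
     "http://jebtrack.com/c", "http://rupair1.fingta.com/"],
    ["http://stream.example/", "http://adnet-a.example/x",
     "http://jebtrack.com/c", "http://rupair1.fingta.com/"],
    ["http://blog.example/", "http://adnet-b.example/y",
     "http://jebtrack.com/c", "http://fingta.com/"],
    ["http://news.example/", "http://adnet-a.example/x", "http://shop.example/"],
]
# Constructed passive DNS view: domain -> (IP, first seen). Placeholder values.
PDNS = {
    "fingta.com": ("192.0.2.10", "2001-02-02"),
    "jebtrack.com": ("192.0.2.10", "2001-02-02"),
    "predictivadnetwork.com": ("198.51.100.7", "1999-06-15"),
}

def host(url):
    return (urlsplit(url).hostname or "").lower()

def in_zone(h, zone):
    return h == zone or h.endswith("." + zone)

def gateway_counts(crawls, landing_zone):
    """Count hosts seen immediately before the first hop into landing_zone."""
    counts, hits = Counter(), 0
    for chain in crawls:
        hosts = [host(u) for u in chain]
        for i, h in enumerate(hosts):
            if in_zone(h, landing_zone):
                if i > 0:  # a chain that starts on the landing zone has no predecessor
                    counts[hosts[i - 1]] += 1
                    hits += 1
                break
    return counts, hits

def constant_gateways(crawls, landing_zone):
    """Hosts that precede the landing zone in every chain that reaches it."""
    counts, hits = gateway_counts(crawls, landing_zone)
    return sorted(h for h, n in counts.items() if hits and n == hits)

def shares_infrastructure(a, b, pdns):
    """True when both domains have identical (IP, first seen) records."""
    return a in pdns and b in pdns and pdns[a] == pdns[b]

if __name__ == "__main__":
    for gw in constant_gateways(CRAWLS, "fingta.com"):
        print(gw, shares_infrastructure(gw, "fingta.com", PDNS))
```

A host that is both a constant predecessor and an infrastructure match is a candidate for the same operator; a varying predecessor such as an ad network is not.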
WHOIS data for fingta is obfuscated, but jebtrack provides the name, email, address, and phone number, which can be used for further investigation into other possibly related or similar domains. The RiskIQ Research Team gathered all this information along with any related subdomains, IPs, etc. into a RiskIQ PassiveTotal Public Project that can be viewed here:
Fake dating content like fingta is one of the most potent ways to drive clicks and redirect traffic, a valuable commodity on the internet—especially when leveraged with fraudulent techniques via the digital advertising ecosystem. We will continue to monitor the fingta domain campaign and provide additional insights as we find them in future posts. Be sure to register for RiskIQ Community Edition to view this project and pivot on the artifacts therein.