August 9, 2017, Jordan Herman
The internet is full of fakery—so much so that RiskIQ has several categories for websites that all begin with the word “fake”: fake tech support, fake software, fake rewards, etc. These types of sites are lucrative to operate and have become extremely common, barraging users with pages masquerading as something they are not. But other than being disingenuous, these pages usually have something else in common: their primary tactic is social engineering, i.e., using basic human drives and emotions to trick a percentage of users into taking their desired action, often a click, so they can divert and potentially monetize the traffic. One prevalent and particularly nefarious example of this behavior is the fingta fake online dating campaign, which is driving a mind-boggling amount of traffic.
Fig-1 Fake dating page hosted on the fingta.com domain
To state the obvious, fake online dating is not a new concept. Emotions elicited by love, companionship, and romance are powerful tools for threat actors hoping to get people to forgo their better judgment and engage in risky online behaviors. The instance shown above is not particularly novel; it uses sexualized images along with blunt language to convince the user to click the link that redirects to another page, typical of the myriad fake dating pages RiskIQ identifies every day. However, the fingta fake dating campaign sticks out because of the sheer volume of traffic it’s seeing.
Fig-2 Alexa ranking showing the fingta domain is ranked 4,163 globally
Alexa currently ranks fingta.com, the fake dating domain shown above, at 4,163 globally. The graph provided shows its meteoric rise from non-existence some months ago to this extremely high ranking, which it has steadily maintained since April. So what sets the traffic flow to this site apart from the millions like it?
Fig-3 RiskIQ Community Edition data on the fingta domain
Using RiskIQ Community Edition to look up more granular information about the domain shows that it first started seeing traffic on February 2nd of this year and has been on a single IP address (220.127.116.11) for the entirety of its existence. The threat actors behind this simple fake dating page garnered and maintained such a high volume of traffic in such a short amount of time via a couple of tactics.
One method, which is described in this blog post, is an adware campaign pushing browsers to fingta.com, inserting hyperlinks, injecting ad banners, and other behaviors designed to generate revenue by driving traffic to the provocative content at fingta.com.
RiskIQ data, which our virtual user technology collects, shows this traffic from a different angle to uncover the second method. These crawlers launch from a constantly evolving global web proxy network with more than 520 egress points in more than 40 countries and experience websites as human users do. Unlike the victims of adware described in the blog above, our virtual users experience sites without toolbars or adware installed. Nevertheless, they were sent to Fingta 5.4M times in the past five months. How? Traffic redirection.
Let’s break down this technique by looking at a traffic sequence leading to a fingta page:
Fig-4 Sequence leading to a fingta fake dating page
The sequence above shows a site (watchseries.do) that provides access to illegally streamed copyrighted content. It also serves an impressive number of scammy pop-ups and redirections through various ad networks. By redirecting traffic from these other popular sites, these actors hope users will be hooked in by the fake dating content on fingta.com to generate clicks and potentially redirect them elsewhere.
In this instance, our crawler redirected through ‘predictivadnetwork.com’ to ‘jebtrack.com’, which in turn redirected to ‘rupair1.fingta.com’. Looking through other crawls that include this domain, we see a variety of ad network redirectors—but in every instance, jebtrack.com shows up just before fingta.
Fig-5 RiskIQ Community Edition data on jebtrack.com
Let’s take a closer look at jebtrack.com. This domain uses the same IP address as fingta.com and was first seen on the same day fingta.com was. Based on these commonalities and their close association in crawl sequences, it’s likely these two domains are related and under the control of the same person or group.
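The two pivots described above (finding the redirector that consistently sits immediately before the fingta landing page in crawl sequences, and linking domains that share a resolving IP and a first-seen date) can be automated over crawl data. The following is an added example written for this post, not RiskIQ's own code or tooling: the crawl sequences and most infrastructure records are constructed sample data, and the only page-sourced values are the domains named in the post and the IP address and February 2nd first-seen date quoted for fingta.com. The `.test` domains are reserved example names, and the registrable-domain helper is a deliberate simplification (a real implementation would consult the public suffix list).

```python
from collections import Counter
from datetime import date
from urllib.parse import urlparse

# Constructed sample crawl sequences (ordered URLs a crawler was redirected through),
# modelled on the chain in the post: publisher -> ad network -> jebtrack.com -> fingta.
# Hosts ending in .test are reserved example names, not real sites.
CRAWL_SEQUENCES = [
    ["http://watchseries.do/", "http://predictivadnetwork.com/r?x=1",
     "http://jebtrack.com/go", "http://rupair1.fingta.com/"],
    ["http://publisher-a.test/", "http://adnet-b.test/click",
     "http://jebtrack.com/go?c=2", "http://rupair2.fingta.com/"],
    ["http://publisher-c.test/", "http://adnet-c.test/x",
     "http://jebtrack.com/go", "http://fingta.com/"],
    # A chain that never reaches fingta, so it must not influence the result.
    ["http://unrelated.test/", "http://adnet-b.test/click", "http://elsewhere.test/"],
]

# Constructed infrastructure records of the kind the post pulls from RiskIQ Community
# Edition. The fingta.com / jebtrack.com IP and first-seen date are the values the post
# quotes; the other two records are invented for contrast.
INFRA = {
    "fingta.com":             {"ip": "220.127.116.11", "first_seen": date(2017, 2, 2)},
    "jebtrack.com":           {"ip": "220.127.116.11", "first_seen": date(2017, 2, 2)},
    "predictivadnetwork.com": {"ip": "192.0.2.10",     "first_seen": date(2016, 5, 1)},
    "watchseries.do":         {"ip": "198.51.100.7",   "first_seen": date(2015, 1, 1)},
}


def registrable_domain(url):
    """Collapse a URL to its last two host labels (rupair1.fingta.com -> fingta.com).
    Simplification: ignores multi-label public suffixes such as co.uk."""
    host = urlparse(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def predecessors_of(sequences, target):
    """Count which domain appears immediately before `target` in each sequence.

    Returns (Counter of predecessor -> count, number of sequences that reached target).
    Only the first arrival at `target` in a sequence is counted."""
    counts = Counter()
    reached = 0
    for seq in sequences:
        domains = [registrable_domain(u) for u in seq]
        for i, dom in enumerate(domains):
            if dom == target and i > 0:
                counts[domains[i - 1]] += 1
                reached += 1
                break
    return counts, reached


def consistent_predecessor(sequences, target, min_share=1.0):
    """Return the domain that precedes `target` in at least `min_share` of the
    sequences reaching it, or None if no single redirector dominates."""
    counts, reached = predecessors_of(sequences, target)
    if reached == 0:
        return None
    dom, n = counts.most_common(1)[0]
    return dom if n / reached >= min_share else None


def shared_infrastructure(infra, seed, max_days_apart=0):
    """Pivot from `seed` to other domains on the same IP whose first-seen date is
    within `max_days_apart` days; the same-IP-and-same-day match the post makes
    between fingta.com and jebtrack.com."""
    ref = infra[seed]
    related = []
    for dom, rec in infra.items():
        if dom == seed:
            continue
        same_ip = rec["ip"] == ref["ip"]
        days_apart = abs((rec["first_seen"] - ref["first_seen"]).days)
        if same_ip and days_apart <= max_days_apart:
            related.append(dom)
    return sorted(related)


if __name__ == "__main__":
    print("consistent predecessor:", consistent_predecessor(CRAWL_SEQUENCES, "fingta.com"))
    print("shared infrastructure:", shared_infrastructure(INFRA, "fingta.com"))
```

Run against the sample data, the first function reports `jebtrack.com` as the predecessor in every chain that reached fingta, and the second returns `jebtrack.com` as the only domain sharing both the IP and the first-seen date. Both signals are circumstantial on their own; it is their agreement, as in the post, that supports attributing the two domains to one operator. Lowering `min_share` lets the same check surface a dominant redirector even when a few crawls take another route.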
WHOIS data for fingta is obfuscated, but jebtrack provides the name, email, address, and phone number, which can be used for further investigation into other possibly related or similar domains. The RiskIQ Research Team gathered all this information along with any related subdomains, IPs, etc. into a RiskIQ PassiveTotal Public Project that can be viewed here:
Fake dating content like fingta is one of the most potent ways to drive clicks and redirect traffic, a valuable commodity on the internet—especially when leveraged with fraudulent techniques via the digital advertising ecosystem. We will continue to monitor the fingta domain campaign and provide additional insights as we find them in future posts. Be sure to register for RiskIQ Community Edition to view this project and pivot on the artifacts therein.