The internet is full of fakery—so much so that RiskIQ has several categories for websites that all begin with the word “fake”: fake tech support, fake software, fake rewards, etc. These types of sites are lucrative to operate and have become extremely common, barraging users with pages masquerading as something they are not. But other than being disingenuous, these pages usually have something else in common: their primary tactic is social engineering, i.e., using basic human drives and emotions to trick a percentage of users into taking their desired action, often a click, so they can divert and potentially monetize the traffic. One prevalent and particularly nefarious example of this behavior is the fingta fake online dating campaign, which is driving a mind-boggling amount of traffic.
Fig-1 Fake dating page hosted on the fingta.com domain
To state the obvious, fake online dating is not a new concept. Emotions solicited by love, companionship, and romance are powerful tools for cyber threat actors hoping to get people to forgo their better judgment and engage in risky online behaviors. The instance shown above is not particularly novel; it uses sexualized images along with blunt language to convince the user to click the link that redirects to another page, typical of the myriad fake dating pages RiskIQ identifies every day. However, the fingta fake dating campaign sticks out because of the sheer volume of traffic it’s seeing.
Fig-2 Alexa ranking showing the fingta domain is ranked 4,163 globally
Alexa currently ranks fingta.com, the fake dating domain shown above, at 4,163 globally. The graph provided shows its meteoric rise from non-existence some months ago to this extremely high ranking, which it has steadily maintained since April. So what sets the traffic flow to this site apart from the millions like it?
Fig-3 RiskIQ Community Edition data on the fingta domain
Using RiskIQ Community Edition to look up more granular information about the domain shows that it first started seeing traffic on February 2nd of this year and has been on a single IP address (188.8.131.52) for the entirety of its existence. The cyber threat actors behind this simple fake dating page garnered and maintained such a high volume of traffic in such a short amount of time via a couple of tactics.
One method, which is described in this blog post, is an adware campaign pushing browsers to fingta.com, inserting hyperlinks, injecting ad banners, and other behaviors designed to generate revenue by driving traffic to the provocative content at fingta.com.
RiskIQ data, which our virtual user technology collects, shows this traffic from a different angle to uncover the second method. These crawlers launch from a constantly evolving global web proxy network with more than 520 egress points in more than 40 countries and experience websites as human users do. Unlike the victims of adware described in the blog above, our virtual users experience sites without toolbars or adware installed. Nevertheless, they were sent to Fingta 5.4M times in the past five months. How? Traffic redirection.
Let’s break down this technique by looking at a traffic sequence leading to a fingta page:
Fig-4 Sequence leading to a fingta fake dating page
The sequence above shows a site (watchseries.do) that provides access to illegally streamed copyrighted content. It also provides an impressive amount of scammy pop-ups and redirections through various ad networks. By redirecting traffic from these other popular sites, these actors hope users will be hooked in by the fake dating content on fingta.com to generate clicks and potentially redirect them elsewhere.
In this instance, our crawler redirected through 'predictivadnetwork.com' to 'jebtrack.com', which in turn redirected to 'rupair1.fingta.com'. Looking through other crawls that include this domain, we see a variety of ad network redirectors—but in every instance, jebtrack.com shows up just before fingta.
Fig-5 RiskIQ Community Edition data on jebtrack.com
Let’s take a closer look at jebtrack.com. This domain uses the same IP address as fingta.com and was first seen on the same day fingta.com was. Based on these commonalities and their close association in crawl sequences, it’s likely these two domains are related and under the control of the same person or group.
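The two pivots used above (which domain consistently sits one hop before fingta in crawl sequences, and which domains share fingta's IP and first-seen date) can be automated over crawl and passive DNS exports. The following is an added example, not RiskIQ code; the crawl chains, the year, and the two extra domains in the DNS records are constructed, while the IP, the February 2nd first-seen day and the hop order of the first chain are taken from the post.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed crawl sequences (illustrative, not RiskIQ crawl data). Each list is
# the ordered set of URLs a virtual user was redirected through. The first chain
# mirrors the sequence described in the post; the other two are hypothetical.
CRAWLS = [
    ["http://watchseries.do/", "http://predictivadnetwork.com/r",
     "http://jebtrack.com/go", "http://rupair1.fingta.com/"],
    ["http://streams.example/ep1", "http://other-adnet.example/click",
     "http://jebtrack.com/go?id=2", "http://rupair2.fingta.com/"],
    ["http://movies.example/", "http://jebtrack.com/go", "http://fingta.com/"],
]

# Constructed passive-DNS style records: domain -> (first IP, first-seen date).
# The IP and the shared February 2nd first-seen day come from the post; the year
# and the two .example domains are hypothetical.
PDNS = {
    "fingta.com":        ("188.8.131.52", "2019-02-02"),
    "jebtrack.com":      ("188.8.131.52", "2019-02-02"),
    "oldtenant.example": ("188.8.131.52", "2018-11-20"),  # same host, different era
    "elsewhere.example": ("203.0.113.7",  "2019-02-02"),  # same day, different host
}

def registered_domain(url: str) -> str:
    """Collapse a URL to its last two labels (naive eTLD+1; enough for this sample)."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def predecessors_of(crawls, target: str) -> Counter:
    """Count which domain sits immediately before `target` in each redirect chain."""
    counts = Counter()
    for chain in crawls:
        hops = [registered_domain(u) for u in chain]
        for prev, cur in zip(hops, hops[1:]):
            if cur == target and prev != target:
                counts[prev] += 1
    return counts

def consistent_hops(crawls, target: str) -> list:
    """Domains that precede `target` in every chain that reaches it (the pivot point)."""
    reaching = sum(1 for c in crawls if target in {registered_domain(u) for u in c})
    return sorted(d for d, n in predecessors_of(crawls, target).items() if n == reaching)

def cohosted_same_day(pdns, anchor: str) -> list:
    """Other domains that share both the anchor's IP and its first-seen date."""
    ip, first_seen = pdns[anchor]
    return sorted(d for d, (i, s) in pdns.items()
                  if d != anchor and i == ip and s == first_seen)
```

On this sample both pivots converge on jebtrack.com, while a domain that merely shares the IP from an earlier period is left out.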
WHOIS data for fingta is obfuscated, but jebtrack provides the name, email, address, and phone number, which can be used for further investigation into other possibly related or similar domains. The RiskIQ Research Team gathered all this information along with any related subdomains, IPs, etc. into a RiskIQ PassiveTotal Public Project that can be viewed here:
Fake dating content like fingta is one of the most potent ways to drive clicks and redirect traffic, a valuable commodity on the internet—especially when leveraged with fraudulent techniques via the digital advertising ecosystem. We will continue to monitor the fingta domain campaign and provide additional insights as we find them in future posts. Be sure to register for RiskIQ Community Edition to view this project and pivot on the artifacts therein.