Instagram account which apparently has fake followers
Aspiring actresses, models, bloggers, singers and TV presenters are paying for fake likes and followers to bolster their presence on social media, but the service is performed by a botnet of hacked IoT devices screenshot by GoSecure

Security researchers have discovered that cybercriminals are using large-scale botnets containing hacked Internet of Things (IoT) devices to power legitimate businesses offering fake likes and follows on social media to wannabe celebrities.

Canadian cybersecurity firm GoSecure has presented research at Black Hat Europe 2016 showing that thousands of TV presenters, aspiring actresses, singers, models and bloggers all over the world are happy to pay for businesses using IoT-enabled botnets to provide fake endorsements, to say nothing of the countless small businesses who want to enhance their brand identity online.

The going rate is $112.67 (£90) for 10,000 new Instagram followers and $158.99 for 10,000 likes on the service. The researchers found that each bot in the botnet performs about 1,186 follows on Instagram per month, meaning that each bot can potentially generate $13.05 a month. Put all the bots together and the entire botnet could potentially generate almost $700,000 in revenue per month.

A botnet that's just trying to provide a service

Among other things, GoSecure specialises in looking at IoT malware and reverse-engineering it to see what it is doing and where web traffic is being directed using honeypots and man-in-the-middle attacks, in order to figure out hackers' motives.

You might be familiar with the infamous Mirai and Bashlite botnets, which have been seen trying to DDoS nation states like Liberia, attempting to take down the internet by DDoS-ing popular websites or taking down web hosting providers, as well as going after people for political or personal reasons, for example the epic record-breaking 665Gbps DDoS attack against security journalist Brian Krebs in September.

But much to GoSecure's surprise, it recently found a botnet of zombie IoT devices not doing anything truly horrible – the Linux/Moose botnet is simply being used by legitimate businesses to send thousands of requests to various social networks to start new accounts and follow users, which is known as social media fraud.

Fake likes and follows making cybercriminals lots of money

"To avoid being flagged as spam by the social network, the Linux/Moose botnet uses IoT home routers to proxy the traffic. The botnet is able to hide its location and make the request look like it comes from a regular DSL or cable line, so the botnet can spread the request across thousands of IP addresses," GoSecure's head of cybersecurity research Olivier Bilodeau told IBTimes UK.

"This is the only botnet that is really uniquely focused on social media fraud. Creating false accounts only breaks the site's terms and conditions, but using a botnet is illegal. I used to analyse Linux malware where proxy servers were used to do ad fraud, for example clicking on ads that were never displayed properly but they get the ad revenue anyway, and DDoS attacks. This is interesting because this botnet doesn't do any of this. It's focused on a smaller but profitable segment of the online fraud market."

What makes these cybercriminals so unique is the fact that they are essentially hiding in plain sight. They have websites on the open web offering the service or procuring fake likes and follows, and they even support popular payment gateways like PayPal and major credit cards.

"It looks legitimate. The criminals make money and they probably declare taxes on it, but it's all happening on a botnet," explained Bilodeau. "There's no direct victims to the crime. This is the next thing the criminals are moving to because there's a low risk of getting caught and even if they do get caught, the damages would be complicated to explain to the judge. It's a very clever scheme, quite a perfect cybercrime."

Because the cybercriminals are hiding in plain sight and running legitimate businesses, they are unlikely to be major targets for law enforcement. However, what they are doing is still illegal, so GoSecure hopes that by highlighting this new business model, something can be done to stop them.

"The quality of the service is not even that good," said GoSecure cybersecurity researcher Masarah Paquet-Clouston. "The fake followers get flagged as spam in the weeks and months after they follow you. Operating a botnet is a crime, and they're getting paid for it."