Data collection and categorisation of Maladvertisment campaign

Data Collection

StormEye began the investigation on 2 Sept 2019 and collected the related Facebook advertisements between 2 Sept 2019 and 13 Sept 2019. StormEye completed the analysing of the collected data on 18 Sept 2019 and has concluded 26 of them could be validated against the defined criteria, as shown below. All the validated advertisement details are listed in Appendix I. The criteria of the data gathering, and validation are as below:

1. Context is written in Chinese

2. Context is related to Chinese celebrity

3. Context is related to cryptocurrency investment

4. Context is related to how to earn or gamble money

Categorising Data

To fully understand and enable a deep analysis, the collected advertisements were categorised into 3 types.

Type 1 - Sites likely to be crafted and managed by the hacker:

a) Pure web hosting for false/maladvertising news

The context hosting website appeared to be statically created, without any feature of interactive functions and query to database or external data.

b) Timing of web hosting

The website was found to have been crafted and designed before a campaign started.

c) Uncommon Top-Level Domain

The Top-Level Domain (TLD) of the landing website appears to be uncommon. There are 2 uncommon TLDs found in the collected data, including .info and .club.

d) Hyperlinks redirect to a Bitcoin maladvertising website

All the hyperlinks found on the website are redirecting users to a Bitcoin maladvertising website.

Type 2 - Suspected hacked/compromised websites:

a) Suspected being hacked/compromised website

The website is likely to be legitimate, not crafted or managed by the hacker.

b) Suspicious/Malicious script injected at the top of the website

A long and obfuscated JavaScript code is injected at the top of the website to

1. redirect users to the designated maladvertising website; or

2. create a layer of maladvertising context on top of the original context; or

3. show the maladvertising context randomly or for the first time arriving the website.

c) Hyperlinks redirect to a Bitcoin maladvertising website

All the hyperlinks found on the website are redirecting users to a Bitcoin maladvertising website.

Type 3 - Suspected hacked/compromised site without redirection and maladvertising context:

a) Suspected hacked/compromised site

The website is likely to be legitimate, not crafted or managed by the hacker.

b) Implanted random news or context copied from other sites or content farm

The website appears to be a blog post or static page showing the context unrelated to Bitcoin investment. However, these sites were included in the analysis because StormEye observed some of the confirmed websites contain similar context.

c) Potentially being used in the upcoming malicious campaign

StormEye suspects that these websites are being compromised recently; these being monitored and prepared for upcoming malicious campaign.

The following chart shows the percentage of collected data in type of website.

The following chart shows the percentage of collected data in the status of website.

#collection #categorisation #maladvertisement #stormeye #hacker #fakenews #top-level #bitcoin #hyperlin #malicious

More articles about Maladvertisment Campaign:

Investigation of Maladvertisement Campaign

Background of Maladvertisement Campaign

The Analysis of Maladvertisment Campaign

Campaign Information

Content Analysis of Maladvertisement Campaign

Technical Analysis of the Maladvertisement Campaign

Extended Investigation of Maladvertisement Campaign

Suggestion and Recommendation of the Maladvertisement Campaign

Final thoughts about Maladvertisement Campaign