Blame it on the Bots: FCC Bombarded with Fake Comments Using Compromised Identities

Posted May 17, 2017

Blame it on the Bots: FCC Bombarded with Fake Comments Using Compromised Identities

Last week, the imbroglio over a proposal to gut the FCC’s Title II net neutrality rules boiled over in unexpected and entertaining ways.

It began when Comedian John Oliver, host of HBO’s Last Week Tonight, urged viewers to visit a website called Go FCC Yourself to post messages in support of neutrality on the FCC’s comments page.

Shortly afterward, that same FCC website appeared to be the victim of a bot attack. The attack was designed to create the perception that consumers themselves are clamoring for Internet access that’s potentially slower, costlier and more cumbersome for some. Not exactly their best argument.

The fraudsters might have gone undetected, too, had it not been for what appears to be a comically dimwitted, and a shockingly deceptive, attack strategy.

Astroturf Wars  

Bots, of course, are software applications that execute automated tasks over the Internet.

Sometimes that includes botnets — networked or connected bots that leverage hijacked devices to target high levels of traffic at websites to crash them, as with distributed denial of service (DDoS) attacks.

Sometimes bots are used for credential stuffing — testing login credentials to break into sensitive systems. In still others, they’re used to spread fake news on social media platforms to sway public opinion.

Their use is rapidly accelerating.

In the first quarter of the year, there were more than 559 million bot attacks, according to our latest cybercrime report. That’s a 180-percent increase over the same period last year.

Hours after Oliver’s call to arms, the FCC reported it had been hit by multiple DDoS attacks that knocked out its comments page.

Experts are still puzzling out what happened. But either way, it looks as if a large number of anti-neutrality missives — comments running counter to Oliver’s pro-neutrality message — appear to have been part of a bot attack.

For starters, there’s the posting velocity — up to 17,000 comments in one 24-hour period. In total, there are at least 128,000 messages that all contain the exact same, pre-fab text.

Sadly, many such for-hire campaigns employ this kind of “astroturfing,” the process of obscuring a message’s true origin to make it seem as if it comes from individual, grassroots participants.

What is extraordinary is that many of the comments seem to have come from people who had no idea they’d supposedly sent them.

‘Pwnd’ Identities?

Investigations from several news organizations indicate many of these anti-neutrality comments are fake.

The critical clue to their lack of authenticity is that the bot seems to have rotated through names and addresses of “senders” in perfect alphabetical order, an improbable posting sequence.

Indeed, the contact info for these individuals match those within a leaked database of 1.4 billion compromised personal records, known as Have I Been Pwnd.

When contacted, many of these people indicated they hadn’t sent any messages, for or against net neutrality. In fact, several said they have no idea what net neutrality even is.

According to reports, the fraudsters may have used bots to fill this identity data into web comment forms. Such tools are often used in account takeovers — breaking into someone’s bank or email account, for instance.

Should We Fix it for Free?

When news of the bot attack first hit, we couldn’t help but laugh at its amateur-hour tactics. We were even tempted to help the FCC fix the problem for free.

After all, ThreatMetrix helps detect botnet attacks using its industry-leading account takeover solution, in addition to authentication powered by the ThreatMetrix Digital Identity Network.

Using context-based information to perform behavioral analysis of users, ThreatMetrix differentiates between human and bot activity the moment it reaches a site.

In categories such as retail, sites can see 90 percent of all traffic coming from botnets. There, our clients report being able to block these attacks with ease. Some even say they’ve seen overall attempts drop by 50 percent.

While the good-natured side of us wants to solve the FCC’s issue gratis, we know from experience it needs to be addressed at the source, through a systematic evaluation of the agency’s public-facing web properties.

Why? Because if history serves, the attacks will become progressively more advanced and broader in scale.

As government agencies continue to open their digital channels to the public, more sophisticated fraudsters will vary their attack velocities, with “low and slow” modes that can bypass traditional defenses. And commoditized “bot-in-a-box” offerings will increasingly enable even the most tech-clueless malcontents to launch attacks at the click of a mouse.

Sure, this first attack against the FCC involved silly and deceptive computational propaganda.

But as bots become more mainstream, new attacks will grow increasingly disruptive and even dangerous. Look no further than the botnets used in this month’s WannaCry ransomware attack that infected 300,000 machines across 150 countries, and endangered the lives of patients at dozens of hospitals.

Next time, bot attacks could be aimed at disabling the electrical grid, air traffic control systems, or nuclear missile defenses. Indeed, 70 percent of critical infrastructure organizations indicate they have experienced a cyberattack of some kind in the last year.

That means comprehensive solutions are required if the government’s new cloud-based computing and security frameworks are to be successful. In that case, we’re here to help.

Regardless of where one stands on net neutrality, here’s hoping we all got the message — even if it’s not the one these fraudsters intended.

Alisdair Faulkner

Alisdair Faulkner

Chief Products Officer, ThreatMetrix

close btn