Online platforms around the world face persistent onslaughts of automated and manipulated traffic designed to repurpose or hijack the site. Social media platforms become spam venues. Drop shipping stores make use of fraudulent reviews on their products. Document collaboration tools become malware command and control. Media feeds promote unhealthy or exploitative content because of “like farms” halfway across the world. When so much automated abuse pervades, sometimes it feels like we just can’t have nice things. If you build it, the abuse will come.
Online wikis are no exception to this rule. Wiki site maintainers and security teams are tasked with the next-to-impossible mission of preventing rampant manipulation of content on their platforms. When you consider the breadth and size of those repositories juxtaposed to the often miniscule size of their security teams, it is clear that smart automation and triage is necessary.
In 2022, a wiki service (Wiki A) approached Spur regarding some tradecraft they identified on their platform. A state sponsored actor was manipulating historical records on government led human rights violations. According to their research team, the actor would stage or harvest US based accounts, and then at a later date try to add or modify content using this US profile. In order to fit their persona, the actor had to use anonymization tools in order to come from a US based residential IP Address. This would bypass some of the first order filters and detections for regionally manipulated content.
The Wiki A security team had done an incredible job identifying this pattern and isolating some of the actor’s tradecraft. The next step was to build on this knowledge and generally enrich modification requests so they could be easily identified or rejected. When Spur works with our customers, we prefer to establish a collaborative relationship. We get tips and leads all the time on new or emerging services. This helps our customer outsource this area of expertise to us, and keeps our products one-step ahead of tradecraft changes by attackers. The Wiki A team was fantastic at providing our researchers with insights and details into the anonymization service being used to bypass their existing platform security rules.
Expanding on success
In short order, the Spur research team was able to reliably build fingerprints to map out the active infrastructure for the entire anonymity network being used. With Spur’s datasets, the Wiki A team could now apply this triage strategy across their entire platform. Not only were other
state-sponsored campaigns identified, but entire sub-industries of wiki influence services were completely neutralized.
While this is only a sliver of the issues faced by user-source content, the lesson serves a few useful lessons. First, so many baseline content protections have been built from archaic IP blacklist mentalities, that many motivated actors will simply pay to get the infrastructure they need to get past them. Second, if one actor is using a technique against you, you can make a pretty safe assumption that others are as well. Finally, taking in a broad data-set like Spur’s can illuminate the interaction between users intentionally rotating and hiding their identities, versus ones who are simply using networks as normal. In some cases obscured connectivity is of little significance. In other cases, especially when a pattern of abuse has been established from a service, it can be a sufficient signal to take preventative action.