Threat Actor Collects Personal Data from Thai Users via Facebook Spam Campaign

FatzQatz
3 min read · May 19, 2024


It all started when I noticed some suspicious Facebook ads. They resembled spam campaigns run by fake versions of popular Thai Facebook pages, such as well-known news reporters, which typically have millions of followers.

The threat actor behind this spam is leveraging Facebook advertisements to maximize their reach to Thai users. It’s disappointing that Facebook’s poor validation process allows such spam ads to be easily approved.

This spam campaign features messages offering extra discounts on the “Apple Watch Series 9” and “JBL Boombox 3,” urging users to follow a URL provided in the message. The domain name tries to masquerade as the CentralWorld website. In this case, the URL in the spam message is hxxp://www.centralworld-tha[.]online/applewatchs9.

The website exploits visitors’ greed by enticing them to submit their full name, phone number, and address as a condition of purchasing the merchandise. Additionally, the threat actor employs a fake countdown clock to pressure visitors into hastily providing their personal information through the form.

When a visitor submits their information, the website’s front end displays an enticing confirmation message, while the back end sends the gathered data to the command-and-control (C2) server using an HTTP POST request. In this case, the data was transmitted to api1.ldpform[.]com.

This is a simple yet effective spam campaign designed to gather personal data from Thai individuals, employing Facebook advertisements as its primary tool.

Attribution and Infrastructure Analysis

The domain name centralworld-tha[.]online was registered on May 2, 2024, making it a relatively new website at just 17 days old at the time of this analysis. The presence of broken Thai language on the website indicates that the threat actor behind this campaign may not be proficient in Thai as their primary language. Additionally, examining the registrar and registrant information suggests a potential connection to a Vietnam-based threat actor.

The C2 domain ldpform[.]com is also associated with the domain name ldpform[.]net. Upon inspection of the ldpform[.]net website, it was observed that Vietnamese language content is present on the server.

While searching for domain names using a similar naming schema, I also discovered additional domains containing the word Centralworld. These domains are still under the control of Vietnamese administrators. Examples include centralworld-th[.]site, centralworld-th[.]shop, centralworld-th[.]asia, centralworld-th[.]store, and centralworld-th[.]com.

This information further supports my theory that the threat actor behind this campaign is indeed Vietnam-based.
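The lure domain, the POST-based exfiltration to the C2 host, and the naming schema of the related domains described above can be turned into a simple triage check for web proxy logs. The script below is an added example for defenders, not part of the original post; the log format and the log lines are constructed for illustration, and the indicators are refanged from the defanged forms in the write-up.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Indicators from the write-up, refanged so they can be matched against log data.
C2_DOMAINS = {"api1.ldpform.com", "ldpform.com", "ldpform.net"}
LURE_DOMAINS = {
    "centralworld-tha.online", "centralworld-th.site", "centralworld-th.shop",
    "centralworld-th.asia", "centralworld-th.store", "centralworld-th.com",
}
# Naming schema seen across the lure domains: "centralworld-th", optional extra
# letters, then any TLD. Catches new registrations that follow the same pattern.
LOOKALIKE_RE = re.compile(r"^centralworld-th[a-z]*\.[a-z]+$")

# Constructed sample log: "<timestamp> <method> <url>" (assumed format, not a real log).
SAMPLE_LOG = """\
2024-05-19T10:01:02Z GET http://www.centralworld-tha.online/applewatchs9
2024-05-19T10:01:40Z POST https://api1.ldpform.com/submit
2024-05-19T10:02:11Z GET https://www.example.com/
2024-05-19T10:03:05Z GET http://centralworld-th.shop/jbl-boombox3
2024-05-19T10:04:30Z GET http://centralworld-th.xyz/promo
"""


def normalize_host(url: str) -> str:
    """Lower-case the hostname and drop a leading 'www.' so list lookups are stable."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify(method: str, url: str) -> Optional[str]:
    """Return a verdict label for one request, or None if it matches nothing."""
    host = normalize_host(url)
    if host in C2_DOMAINS or host.endswith((".ldpform.com", ".ldpform.net")):
        # A POST to the C2 host is the exfiltration step described in the post.
        return "c2-exfil" if method.upper() == "POST" else "c2-contact"
    if host in LURE_DOMAINS:
        return "known-lure"
    if LOOKALIKE_RE.match(host):
        return "lookalike-domain"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Walk the log and collect (verdict, host) pairs for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crashing on them
        _ts, method, url = parts
        verdict = classify(method, url)
        if verdict:
            hits.append((verdict, normalize_host(url)))
    return hits
```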

FatzQatz

As a hobbyist in malware analysis, I enjoy uncovering cyber threats for fun.