The Posts for Counterfeit Merchandise – Once the account is created, it joins hundreds of groups and posts ads. The pattern for the posts these fake profiles are proliferating consist primarily of a sales pitch, a website link containing various domains primarily made up from .tk websites without canonical references followed by a picture of the supposed merchandise to be sold.
Using the Russian Business Network as an Intermediary – These actors are using Russian Business Network IP addresses as intermediaries to host the .tk redirectors. This technique is being used as an evasion tactic to prevent easy discovery and blocking of the offending counterfeit merchandise website.
Mass Redirection Using .tk Websites – The actors create multiple redirectors hosted on the same IP address over time
The researchers proved that cybercriminals adopted method of replication being used here is replicated over multiple domains, with multiple redirectors. They also identified the pattern followed by the counterfeit merchandise websites despite they use to rotate domain, hosting, registrar and geo-location, distinct patterns exist across all the websites being distributed centered primarily against the actual content.
FoeI suggest the reading of the interesting white paper ….
(Security Affairs – Facebook, Cybercrime, Cybercriminals Leveraging Facebook Report )