
Abstract

Thursday 4 October 14:00 - 14:30, Green room

Masarah Paquet-Clouston (GoSecure)

There is no doubt that there has been an increasing interest in understanding the industry of social media fraud (SMF), which is the process of creating fake 'likes' and 'follows' on online social networks (OSN), and its potential deceptive capabilities. This paper explores an undocumented segment of this industry: wholesaling, from botnet supply operations to bulk reselling.

To begin, the paper focuses on a previously unexplored aspect of Linux/Moose, an IoT botnet conducting SMF. Linux/Moose infects devices in order to use them as proxies to relay traffic to social networks. Its architecture includes a whitelist of IP addresses that can push traffic through those proxies, a feature reminiscent of a reseller model. We analyse the traffic fingerprints left by each IP address on the systems we infected and uncover the value of these whitelisted IPs, which is not what we had anticipated.

Then, we collect information on bulk reseller panels, the direct working partners of the botnet operators. While analysing their striking similarities, we discover a new key actor in the industry: software panel sellers. We investigate the panels in an attempt to understand how they are connected to main SMF providers like Linux/Moose.

Finally, we map the SMF supply chain, discuss key actors that, if targeted, would disrupt the entire industry, and show the likely unequal revenue division in the chain. This is a first review study on the wholesale industry of SMF. It provides key insights for actors willing to curb this illicit activity, from law enforcement agencies to policy makers and cybersecurity professionals.
