image
An influence operation that recycles old news about terror incidents and re-publishes them as if they were new is making the rounds on social media, according to Recorded Future analysis. The technique, which the researchers have dubbed Fishwrap (since it repurposes old news), is also using a special family of shortened tracking URLs to record click-throughs from the posts used in their campaigns. The efforts have been going on since mid-2018. Influence operations aim to change public opinion through social-media posts, as a form of propaganda with political ends; in this case, the firm found at least 215 social-media accounts participating in the Fishwrap operation. As an example of their efforts, accounts were for instance spotted posting about a real terror event that took place on November 13, 2015 in Paris as though it occurred on March 23. “The URL-shortened link in the post led us to an article about the original event from November 13, 2015,” researchers said in a Wednesday posting. “While many readers would probably not scrutinize the publication dates, it is easy to see how the post could cause concern for those reading it and prompt them to follow the link to validate the news, missing the difference in publication date.” All 215 accounts use the same family of the aforementioned URL shorteners hosted on paid domains; at least 10 different such services are used to track the effectiveness of the operation. “All of these URL services are running the same code and are hosted on the same commercial infrastructure,” according to Recorded Future. “The accounts’ behavioral similarity leads us to believe that they are all part of the same influence operation.” Since account holders are most likely fictive and the domains used for the URL shortener services are registered anonymously, attribution is difficult; however, the Fishwrap campaign is likely a coordinated effort mounted by a sophisticated adversary, researchers said. “The fact that the operation has been going on for close to a year, and that it is spending money on numerous domains on dedicated servers, leads us to believe this is not just someone running the operation ‘for the lulz,’ but rather, a political organization or nation-state with an intent to spread fear and uncertainty and track followers of the posted links,” analysts said. Interestingly, within the 215 profiles, two clusters of accounts emerged: Those active between May to October 2018; and those active between November 2018 to April 2019. Some accounts were also active during the entire time period, between May 2018 to April 2019. “These temporal patterns indicate the launch of a number of accounts in May 2018, many of which were shut down in October 2018,” the researches said. “These were followed a few weeks later by a new batch of accounts with the same behavior and still in operation.” There are also two clusters of the URL-shortening domains corresponding to the two time frames that Recorded Future identified in the temporal analysis. Eight of the domains were created just prior to the observed start of the campaign, and the last two were created a few weeks before the launch of the second wave of the campaign. “Upon closer inspection of the status of the accounts, we note that a fair percentage of them have been suspended,” according to Recorded Future. “The degree of suspension varies between different URL shortener service clusters, but it is clear that there has been no general suspension of accounts related to these URL shorteners. We believe one reason for this is that by posting links related to old, but real, terror events, the accounts are not in clear violation of any terms of service, and therefore have not been suspended due to either automatic identification or manual reporting.” Ransomware is on the rise: Don’t miss our free Threatpost webinar on the ransomware threat landscape, June 19 at 2 p.m. ET. *Join Threatpost *and a panel of experts as they discuss how to manage the risk associated with this unique attack type, with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers.

Source