The Tradecraft of Fake Sites and Online Personas
Carefully crafted fake websites and fraudulent online personas have the potential to not only influence public sentiment and voting habits, but also fuel the cybercrime economy. State sponsored hackers and entrepreneurial cybercriminals alike are increasingly engaging in the practice of running fake empires of phony news sites, web properties, social media facades and online personas.
In fact, the recent World Risk Poll ranked fake news as the biggest global cybercrime concern today, according to Lloyd’s Register Foundation, which ran the survey.
Fake news and fake online persona strategies have a history steeped in phishing and malware propagation schemes. From the earliest days of typosquatting attempts, which use mixed up spellings for common news sites to trick users with a thin veneer of legitimacy (for example, standing up a fake CNN site under a domain like cmn.com) fake sites have long been prime hunting grounds for cybercriminal fraud.
That trend continues, but as it does so the sophistication of the fake sites and fabricated online personas has grown more nuanced. And in the process, criminals and state-sponsored hackers recognize that they can squeeze far more out of fake web properties than just workaday phishing attempts.
The Tradecraft of Fake Cyber Empires
As various criminal and state-sponsored threat actors join into the act of building fake empires of fictitious personalities and journalists, as well as counterfeit news and shopping sites, a whole black market industry has grown up to support the complicated web of deceit. Some of the tricks of the trade include the following:
Social Media Manipulation
Last year, security researchers Masarah Paquet-Clouston and Olivier Bilodeau from the Cybersecurity Research team at GoSecure went into great detail at BlackHat about their four-year investigation into the structured industry that powers the social media manipulation market. This industry is at the heart of the tradecraft of creating fake personas. They discovered rampant use of malware and Internet of Things (IoT) botnets to compromise and game vast numbers of social media accounts in order to drive Likes, Follows, and clicks to accounts held by whoever wanted to buy the ‘influence.’ This army of bots helped to build up the instant popularity and apparent legitimacy of a fake or real person, or to put ‘follower weight’ behind certain posts, products, or services.
And because often the botnet and malware dirty work is decoupled from the sale of Likes and clicks on black and grey markets, many fraudulent operators jump in on the profitable practice of social media manipulation because it only flirts with illegal activity.
“So it’s not only feeding malware writers, it’s also feeding lots of people that are actually taking advantage of that gray area that some might call ‘social media marketing,’ but is in fact social media fraud,” Paquet Clouston said in an interview about the research. “And it’s enhancing the fake news and the fake information that we find online, which has an impact on society.”
Cybercriminals make ample use of bots and artificial intelligence (AI) to trawl the web for legitimate content that they can then use to populate fake news sites, fake shopping sites, and fake social profiles with realistic looking articles and stolen personal photos to quickly build out convincing web properties.
Security researchers observed this activity going into overdrive as the novel coronavirus pandemic started to rear its head in early 2020. Cybercrooks were actively on the hunt for coronavirus articles, as well as e-commerce content around popular items like hand sanitizers and face masks to populate their fake sites. Researchers found that as the content scrapers were gearing up their scams in late February 2020, automated bad-bot activity made up almost 28% of the traffic on media sites, and 31% on ecommerce sites.
Taking Over Marginal News Sites
In some instances, the attackers don’t just scrape content but also create their own custom content for the purpose of distorting the reality or opinion of viewers, or to layer in a high degree of verisimilitude for a deeper deceit. In order to get quickly online, the bad guys will sometimes take over niche news sites for their own malicious ends.
For example, in a recent comprehensive threat report written by the BlackBerry® Research and Intelligence Team, security researchers detailed an entirely fake empire built out by the threat group known as BAHAMUT. The group runs a whole web of fake news sites and fraudulent social personas to carry out its schemes, in some cases using domains that were previously legitimate. In one such media takeover, the group re-registered the domain of an information security site, Techsprouts, and pushed out original content in the process.
An analysis of the so-called contributors of the site showed they were actually not who they claimed to be:
“For example, the image of “Alice Jane”, a senior writer, was actually that of Julie Luck, the evening anchor at the local CBS station in Greensboro, North Carolina,” BlackBerry researchers stated in their report. “She was not the only broadcast journalist whose image was repurposed by Techsprouts. The photo of “Allen Parker” was actually that of Brian Shrader, a reporter and anchor at the local NBC affiliate in Raleigh, North Carolina. Their biographies are impressive, but upon further inspection, it is apparent that the thumbnail photos of each author seen throughout the site have been appropriated from other sites and other people with quite different names.
The motives of these kind of schemes and the painstaking tradecraft taken in building out fake sites and personas are varied and numerous. They include:
Obviously, phishing remains big business globally, and fake sites will most readily convince people to give up their credentials or download malicious content. The more convincing the fake site, the bigger the target attackers can net.
For example, back in 2014, the Newscaster attack by Iranian cyber spies successfully targeted high level officials by creating fake personas of journalists and others in order to eventually spear-phish credentials. This kind of attack still remains a concern in the military and intelligence communities today, as evidenced by this warning from the U.S. Army to its troops:
“Frequently, CID receives notifications from individuals stating they were scammed online by someone claiming to be a Soldier, but in reality it was an online scammer who has used an unsuspected Soldier’s name and available social media photos to commit a crime. No one is immune from becoming a victim. Scammers steal the identity of senior officers, enlisted personnel, contractors and civilians.”
“By monitoring your social media identity, you can protect your Army family and your reputation,” adds Special Agent Marc Martin, deputy director of operations for CCIU. “The criminals will use factual data from official websites and Soldiers’ personal social media sites, then prey on vulnerable people’s trusting nature and willingness to help the Soldier.”
Fake sites and impersonation fuels a large percentage of online scams today. This includes straight fraud based on recent news stories, such as the too-good-to-be-true lures of discounted personal protective equipment (PPE) at the height of resurging COVID-19 fears, as well as business email compromise (BEC) attacks. It also includes widescale advertising fraud.
Political Chicanery and Market Manipulation
Fake news is increasingly used for the sake of propaganda and political chicanery. The right amplification of a fake news report can induce scandal, influence votes, and color the mood of vast swaths of credulous readers. Similarly, these sites can be used to move market, and trends like deepfakes could make it possible to put false words in the mouths of politicians or executives in order to impact voters, investors, or consumers.
Criminal Market Research
Another potential motive could potentially be market research of intended targets. This was one of the speculations in the BAHAMUT report, which explained that sometimes sites like Techsprouts are used to discern the click habits of their targets. This is just a theory at this point, but not a farfetched one to consider.
Finally, criminals love to build up legitimate looking sites to act as a front for malicious back-end activity. Many of the sites linked by the BAHAMUT report to the group were used to serve malware or exploits, or act as C2 infrastructure for backdoors and phishing campaigns.