A recently uncovered influence campaign presents old terror news stories as if they were new, likely in an attempt to spread fear and uncertainty, Recorded Future reports.
Dubbed Fishwrap, the operation uses 215 social media accounts that leverage a special family of URL shorteners to track click-through from the posts. At least 10 shortener services are used, all of which run the same code and are hosted on the same commercial infrastructure.
The campaign was identified using a Recorded Future-designed “Snowball” algorithm that allows for the detection of “seed accounts” and the discovery and analysis of additional accounts engaged in an operation.
Fishwrap was initially detected through the automatic tracking of terror events only reported by social media, which led to the identification of around a dozen accounts engaged in spreading old terror news as if it were new.
Recorded Future’s security researchers then applied the Snowball algorithm to the small set of identified posts which led them to the suspicious activities that more than a thousand profiles have been engaged into.
To narrow down the activity, the researchers then looked at similarities related to temporal behavior, the domain of the URLs referred to in the accounts’ posts, and account status.
This revealed three different activity periods, with clusters of accounts active between May 2018 and October 2018, between November 2018 and April 2019, and active during the entire time period (May 2018 to April 2019).
These patterns revealed the launch of a series of accounts in May 2018, many of which were shut down in October 2018, which resulted in new accounts being created only a few weeks later.
Some of the accounts were found to post, to some extent, identical URLs. Overall, the researchers identified 215 accounts that posted only links created using 10 domains hosting URL shortener services. Some of the accounts use multiple shorteners, but each of the domains has a fairly large number of accounts referencing to it.
Analysis of the HTML code for the 10 URL shorteners, all of which are anonymously registered, reveals that they all appear to be tracking all agents that follow the links, which suggests that the actors are looking into measuring the effectiveness of the operation or to profile the “captured audience” of the operation.
While a fair percentage of the accounts have been suspended, there has been no general suspension of accounts related to these URL shorteners, likely because they were posting links related to old, but real, terror events.
Source: infosec island