There was no train station. There was no downtown.

There was no train station. There was no downtown.

I have been struggling to write about this network for a while. Coordinated inauthentic behavior. It’s big, tangled and sophisticated.  It’s fascinating and spooky.  I don’t know what direction to approach it to start unwrapping the layers and I am having trouble coming up with a catchy theme to tie it together as I pull it apart.

Back in March I stumbled into some stuff that I thought might be “big”.  As I dug in and started to map it out- I kept running into other bogus activity.  To avoid being distracted- but to not lose those other leads, I started a trash pile off to the side: unrelated questionable things to look at later. As I continued to dig, the trash pile grew, began to take shape and wound up being larger than the original investigation.

I took some time to arrange the secondary mess- which I eventually wrote about in “Implants and Extractions” My original plan for the year had been to tackle the problem of fake Native American Facebook pages from Eastern Europe- and now I found myself- like a whitewater rafter- being carried in a chaotic flood of foreign manipulation further from that goal and into the political spectrum.

I wanted to wrap it up with that original set before getting back to the insane situation with Fake Native Facebook, I need to tell the story.

Here is what I have:

  • A substantial cluster of Facebook groups mostly based off of Fox News Hosts
  • A tightly knit group of profiles who are the administrators of those groups
  • a handful of websites they push into the Facebook traffic stream
  • a set of supporting profiles who also seed links into groups

What’s holding me up?  Maybe it’s the question of doxxing.  Some of the groups have been able to enlist real people to work as moderators and I feel bad about the situation.  They probably don’t know what they are involved with, at least not the full extent of it. To complicate things more, some of those real Americans seem to running their own racket that closely resembles foreign manipulation, while some of the foreigners are using very authentic accounts alongside some synthetic ones. Facebook is going to have to sort it out with their tools and guiding terms of service.

A feature of this network that makes it harder to suss out, is it’s level of sophistication.  The ratio of spamming to cover is very low. The cluster of profiles puts a lot of effort into supporting behaviors, while there may be some automation, it’s clear a lot of human labor is involved.  What do I mean by supporting behaviors?

  • liking timeline posts made by other network profiles
  • sharing a random post made by a member in a group, onto their timeline
  • sharing other non-network content
  • posting memes and other non-monetized filler
  • indirect sharing of network content: reposting a network profile’s post
  • amplifying each other’s work in non-network groups
  • natural appearance of commenting
  • network group focus seems more about growing membership than spamming

The main websites:

  • Educationblogit.blogspot.com
  • Washingtondailynews.today
  • Openingnews.info

The motive seems to be profit, not propaganda. The restraint these clickbaiters show and the care they take in spamming makes them stand apart from the typical rabble who games for traffic… in fact the sloppy ones provide some distracting cover.

For example- this morning when I visited one of the network groups to grab some screenshots- I saw they were being spammed by 2 bots seeding links for a website from Macedonia.  It’s possible that they have an arrangement or this spammer has intruded on the network’s audience.  Seven posts, five stories, three hours, two bots, one website… a person wouldn’t be unreasonable to assume that this group’s function was supporting links for the Macedonian. Having two different bots seed links to the same story into a group just four minutes apart- or for one bot to post the same story twice in an hour? That’s just greedy sloppy scheduling of the autoposter!  A clickbaiter can only get away with this sort of garbage with an audience of the lowest hanging fruit and admins who don’t care. (Not to mention the Facebook platform AI that has a big blindspot in its spam and bot detection)

This slideshow requires JavaScript.

Let’s dig in shall we?
Here is the list of groups I came up with:

This slideshow requires JavaScript.

Many of these groups were made throughout 2017. Together they have over 21,000 members. There is also a Judge Jeanine group on MeWe. The Candace Owens Fans group is the newest, made on May 3, 2019. It has the largest membership of the remaining groups with over 5000 members. Several huge groups were recently deleted and two of them each had over 50,000 members- they were:

  • Judge Jeanine Pirro Fans (59,046 members) facebook.com/groups/1230962870360457
  • TV Fox News Babes! (3000 members) facebook.com/groups/429183807440213
  • Bill O’Reilly Fans (65,000 members)  facebook.com/groups/121482205071024

This slideshow requires JavaScript.


On that note, I would like to take a moment to implore Facebook to be more transparent and communicative about the actions they take and why.  The American conservative community justifiably feels that they are under some sort of censorship attack. Facebook publishes blogposts that merely quantify the number of profiles and groups removed. Without listing them specifically or notifying the involved parties- the resulting voids confirm suspicions about censorship. While the censorship conspiracy gathers evidence and rumors circulate, nothing is offered to help people understand how their filter bubble is shaped by foreign interference and the gaming for their attention by frauds, cheaters and scammers.

img_0026

Maybe people aren’t being censored, but they sure are being gas-lit!


Over the weekend the Candace Owens Fans group was locked down and there was some confusion about what was going on and who was behind it. Did Facebook do it? or had an Admin archived the group to do some maintenance?  Many felt that it was Candace Owens who was being censored… that’s because they don’t know that the group isn’t hers and don’t consider other reasons why the group might be in crisis.  The fact that those other groups were deleted and these nine remain, tells me that Facebook may not even be aware of the real problem with the group. Otherwise they would have done a more thorough job scanning the surrounds and looking at connections before they hit the delete button on the Pirro and O’Reilly groups.

Update August 14, 2019: The Candace Owens Fans group has changed their cover photo and the Queen Bee, Alexandra, has either deactivated her account or it was deleted by Facebook.


I would like to mention that I discovered and logged the majority of this network in a spreadsheet in a time when the graph search was still functioning.  I do not know if this ever would have come together for me as it did, without that tool.  Yes, there are still ways to find things- I’m not going to give up, but things got a whole lot harder for people.


The Admin team of the Candace Owens Fans group consists of 11. There are five I’d like to highlight. I’ll start with Alexandra, I call her the Queen Bee.
img_9956
She went to college at the Ohio Christian University, is from Columbus and now lives in Circleville.  She has 358 friends and posts entirely political content from a wide variety of sources. Her profile picture, uploaded on January 21, 2019,  is a beautiful teal blue toned fantasy art of a mermaid in pearls emerging from a moonlit ocean.  Dreamy.

img_9966
The photos she has uploaded are mainly memes and glamour portraits of the First Family. There are a few pictures that appear more personal- but they don’t pass this dog lover’s sniff test.
That deer is nothing like what we have in Ohio, it’s not even an elk- it’s an exotic Sambar deer shot in Victoria Australia. The woman in the photo is Emma Sears.  As for the cute maternity pictures with that zig-zag summer top- that’s Whitney Bowie and you can read about it in this Buzzfeed story by Victoria Sanusi. The profile really is crumbling now, but I’ll add that the gender is marked as male and sometime around July 14- something happened to Alexandra’s timeline: a bunch of the content she had shared converted to “attachment unavailable” notifications.  Alexandra is an admin in all nine of the still active groups and the three deleted groups as well.

Next up is Eric Beaton.  His profile doesn’t have much info. Just 32 friends and one page like.  Not much to see here.

img_9967

He’s posting a random assortment of memes and shares of other people’s shares. If you were already familiar with the whole cluster of accounts- you’d notice that at least 20 of Eric’s friends are Admins, Seeders and Amplifiers of this network.  His profile picture is a spooky sullen grey wolf with glowing red eyes… and that picture was uploaded on July 14.  Hmm. So that probably explains why the profile link I had for him didn’t work even though he still appeared as an administrator in 6 of the nine active groups. That also might explain why so much of the stuff Alexandra shared before the July 14th had vanished. He was also an admin in all 3 of the deleted groups. His profile was probably deleted and he just made a new one and went back to work.

Matt Todd, originally from Beavercreek just outside Dayton and now residing in Lima is another Ohio native with a bare bones profile.  He’s marked as female, the friends are hidden.

img_9969

He has only uploaded three photos ever. The cover photo and profile picture (both of President Trump) were uploaded on January 19, 2019. (That’s two days before Alexandra uploaded her profile photo for those keeping track) Matt’s timeline is a wreck.  Of the 35 posts publicly visible going back to January (including the profile pictures) 20 of them show an attachment unavailable notice.

Ever since we lost graph search I have gotten in the habit to check who has liked a photo.  When Matt Todd updated her profile picture, a bunch of people liked it. I see some familiar names and the ones I don’t recognize are people from Kosovo, Serbia and Albania. Matt is an admin in 6 of the remaining groups and was an admin of the deleted Bill O’Reilly group.

img_9975

Next up- Eni King. He has an even 100 friends. The groundhog profile picture was uploaded that week of January 25, 2019… it’s been replaced with an American flag.


What’s special about him is that he’s promoting one of the network groups, “We Stand With Sean Hannity” as well as pushing links to the network websites on his timeline, THEWASHINGTONDAILYNEWS.TODAY and EDUCATIONBLOGIT.BLOGSPOT.COM.
I call this sort of thing a trailheadIf I stumbled across this profile at random-  there would be plenty of clues to follow down the rabbithole to discover this network of groups. Eni is an Admin in 4 of the active groups and was an admin of the Bill O’Reilly group too.

This slideshow requires JavaScript.


There is another Eni in this network, Eni Sutton.  There are also a handful of Kings. There’s Dorothy Powell King, Loris King, and Ed King.
Eni Sutton is an admin in 4 of the remaining groups and was an admin in the two huge deleted ones. The King bunch aren’t admins in the groups but are supporting seeders, commenters and likers, you’ll see that in a minute.

So here is where the dystopia of inauthenticy really ramps up.  Can I give you an assignment? The window for seeing this “live” may be very short- so I’ll include some screenshots for future readers.  If you go in a big conservative Facebook group, one of the non-network ones…. (I recommend this one with 151,000 members– it has a lot of the network has embedded)  Choose the name of one of the profiles I mentioned, and search in the group for their name. Look at their posts and note what they share.  Then open the comments and take note of who is commenting.

There are a few more profiles I’d like to briefly introduce- this is far from all of them.
Laura Carton is admin in the Hannity and Sarah Sanders Supporters group. Her profile dates back to 2013 and says she is from California City California. For a long time her profile picture was a rather smug looking older woman, and that photo is the only picture of that woman in the assortment of MAGA memes and stock Trump pics uploaded. She shares a wide variety of posts but never anything personal.  Around May 27th something happened, as her timeline falls to pieces before that date.

Ricky Meadows is a very hardworking supporting actor, but is only admin in one group, the closed “The TREY GOWDY SUPPORTERS” group.  The profile was made March 6, 2019 and now has over 1000 friends. (clarification edit: Ricky’s profile is a vintage 2012 model- but the public posting activity begins in March 2019. Also- He just changed his profile photo to a tree.)
img_0021

Then there’s Kate and Julie.  Kate J. Bowenn’s profile was made July 2nd and her friend list is an almost pure collection of the network knot. Julie J. Bowenn’s profile was made July 18th and the first posts she made that day now show as unavailable. She shares a wide variety of mainstream news links to her timeline and is an admin in Tomi Lahren Fox News & I stand with Sean Hannity.

I can’t leave out Adam J. Coffey of Lima Ohio or Adam Coffey. David Coffey’s profile from mid January was deleted as was Jack D. Good’s profile from November of 2018.  Jack bounced back in mid July 2019 and was an admin in the huge Judge Jeanine and Bill O’Reilly groups until they vanished. Now only the Candace Owens Fans remain under his watch.

Steven Orchard of Toledo Ohio made his profile in mid July and mixed in with the Trump memes has also shared an inviting post promoting a resort on the Albanian Adriatic sea-coast- (just a stone’s throw from Bari Italy which happens to be where some of the websites are registered.)   There’s the adorable little Bona Kasa of Circleville Ohio (that’s where Alexandra is from) who mostly posts in Albanian language content on her timeline- but has no problem posting captions and comments in English when she does support work in many groups.

I sure wish I could use graph search to see what groups this one is in.

I recently found @CindyOtis_ on Twitter, she has a book coming out next year on Identifying and Fighting Fake News.  Her cover photo is a slide from a DFR presentation:

img_0103
Slide by Andy Carvin Photo by Cindy Otis

I couldn’t agree more.  I frequently think of the modern fight against disinformation like the Victory Garden of the past- it’s something we all need to do. Everyone has to pitch in for our efforts to pay off.  When I think of how many people came in contact with this foreign network every day, Americans even working with them as admins in their groups!… and the administrators of the other American groups who let them in and let them post- looking past all the spamming. The people who have friended the fake profiles, the audiences who take the bait and go along with the plan.  Yes, many real people protect their privacy and many have a separate anonymized account just for their political soapbox- this provides a perfect environment for inauthentic players to do their thing without being called to account.  I think we have to stop being quite so trusting and accepting- and I don’t mean getting paranoid- I mean getting smart.

One last thing Americans, if someone ever calls you out and doubts your authenticity or intent.  Don’t get offended.  You should be happy to have the opportunity to prove yourself.  Thank that person for caring enough to stick their neck out and ask. Patriotism isn’t just an American Flag for a profile photo. Do what it takes to reassure them.

Special thanks for the cover Photo by Kai Oberhäuser on Unsplash

The Taco Keto Secret

The Taco Keto Secret

Three days ago I saw a tweet from Nathaniel Gleicher, Head of Cybersecurity Policy at Facebook- The latest blogpost at the Facebook Newsroom.

Read it here (later)
Removing Coordinated Inauthentic Behavior in Thailand, Russia, Ukraine and Honduras

I like to keep up on these to see what is going on around the world. I wish I had the tools that the Facebook teams do, and wish I could communicate directly with them to show them the things I find, even without those tools.

This update was pretty long and I started skimming through the middle but at the end, in the Honduras part, I saw something that made me sit up-

Finally, we removed 181 accounts and 1,488 Facebook Pages…

What!!???

That ratio is totally wacked.
Did they make a mistake when writing this up? 1488 profiles and 181 pages would sound more typical- but why would there be such an absurd number of pages with so few supporting profiles?… I read on

…that were involved in domestic-focused coordinated inauthentic activity in Honduras. The individuals behind this activity operated fake accounts. They also created Pages designed to look like user profiles — using false names and stock images — to comment and amplify positive content about the president

Oh wow! This tactic is news to me… VERY interesting! I’m going to be on the lookout.

By 2:22 that afternoon I stumbled across this:

img_9029-1

I bet this is one of those pages that looks like a profile that Nathaniel wrote about.”
Quickly hitting the name Aria Grayson to view what other posts this profile had put in the group. There was this orange one… and then a whole lot of this:

img_9152

 

There are quite a few things I take away from this:

  • Aria has been posting in the group for a while (she joined in mid-January 2019)
  • Whatever she was spamming is gone now.
  • She got lots of engagement and shares with whatever it was she was spamming.

Even though the thing she shared is gone now (typically this indicates a page has been removed by Facebook) the comments remain and give a clue to the type of baiting the posts contained.

These comments came from two different posts.

Aria looks like a bot working for a network which has lost at least one page and has replaced it with something else.
Let’s go look at Maria Levy shall we?

OK!  Maria Levy is a page, and not a profile of a woman using a picture of the President for her profile. 2,156 people have liked it, and thankfully, despite it’s smaller size- the page transparency tab has some information for us- the page is from Pakistan.

img_9157
I am not surprised.
My next step is to look at what the page is pushing out. I see a lot of brightly colored engagement baiting posts as well as news articles from the website CONSERVATIVESVIRAL.SITE  A Whois search doesn’t tell us much. No transparency in website “about” information either.

Let’s go back to the Maria Levy Facebook page. I know a bot seeded an engagement bait post from here into a big group. This makes me think that there are probably other bots doing the same thing. Let’s find them!

I choose a post and click on the “shares”  This is a slow loading function. Be patient. Not all shares counted will show. Shares that went into closed and secret groups and privacy shielded personal timelines won’t show up- but posts into public groups (or private groups you happen to be a member) will show.

Tips for looking critically at shares and picking out the bots:

  • One profile shares the same post to many groups.
  • Several profiles sharing to groups in concert
  • Several posting the same caption
  • The earliest shares made soon after the post was put out are typically the bots, a week later? The organic reach.
  • Timestamps
  • The same profiles appear repeatedly in the sharing of many of the page’s posts

These clues are not proof of a bot, but are indicators of bot-like activity.
Here is what I start to see- and interestingly, not too much from Aria Grayson. I see a pattern developing with three other profiles:
Leah Gabriel
Chloe Carter  
Sophia Jackson

They share the engagement bait text-memes (although designed to look like a colorful large text short posts with a the stock Facebook backgrounds- these are images and not actual text based posts)

They also share news stories: I go to their profiles and notice some common threads.
  • Attractive young women
  • Employed at some sort of food chain
  • All University students
  • All have timeline posts with beautiful food, low carb and… Taco Keto?
  • Most have a visible friend list and most have many friends who “fit the profile”
  • They also have friends male and female, from foreign countries (mainly Pakistan) and next to no American friends who don’t fit the profile.

This slideshow requires JavaScript.

I start Google spreadsheet, open up a friends list of one of the Taco Keto Bots and start logging each friend’s profile URL. Because the cluster of friends is tightly knit- eventually I feel that I have gathered up the bulk of the bots plot the interconnections between them. Please remember, the women in these photos are victims of identity theft.

This slideshow requires JavaScript.

There are 44. Some names are recycled. There are three Avery Matthews, three Sarah Dylans, and two each of Aria Grayson, Maria Levy (not including the page Maria Levy) Olivia Liam, Paisley Levi, Penelope David and Zoe Elija. Also in the mix is, Makenzie John, with a man for a profile photo, but fleshed out with pictures of an American female with the accompanying circle of friends.

This use of multiple profiles recycling the same name reminds me of the Pakistan network who hijacked a bunch of American groups. (I wrote about them in part II of Implants and Extractions) and the use of Keto in the profile design reminds me of the cluster of bots, also from Pakistan, spamming for OREGONNEWSPRESS and THEDEPLORABLESOCIETY that I recently featured in a facebook page post. I haven’t found a connecting thread between any of these three distinct clusters.

I’m still trying to pick up the pieces from the “Great Graph Search Disaster of 2019” In the past I would look to see what groups these bots are in, it might give me more insights into what they are up to, and if maybe there are groups that belong to this network.

The Taco Keto aspect of this remains an open ended mystery. Are the spambots merely decorating their profiles with delicious looking food as a cover (as I suspect the MLMhunBots from OREGONNEWSPRESS are doing?) or are they working together to amplify the content of that page? The Taco Keto page says it’s in England. What they are posting is a mixed bag of content not Keto specific… so it’s a run of the mill sketchy content mill type of operation.

Although I can no longer use graph search see the a list of groups a spambot is in, I can find little scraps of clues. A  share from a page sometimes points to a public group the bot is spamming.
I found a share from Olivia Liam going to the “Low Carb and Losing it Original Public Group” and when I searched the group for her name, found the other Olivia Liam was also an active spammer!

The group says it’s in the United States, but features this host of Administrators:

Two of the Admins are pages from Pakistan:
Гермен – Page Layyah and Muhammad Isman Tahir Chisti

The latter page also hosts groups for:

WeeD Nation – (closed) claiming to be in the USA but which has the same admins as the Low Carb and losing It group.

Depression and Anxiety Support– (closed) Another private group allegedly in the USA with the same admin team.

Fibromyalgia Fighters’ Support Group– (Public) also marked as a USA group with this admin team. And featuring posts from the page Fibromyalgia Support for Women from Pakistan. The group serves as a platform to disperse links to the websites:

HEALTHYCARE247.COM

HEALTHCURE247.COM

DAILY.ALLABOUTHEALTIPS.COM

YOUR.ALLABOUTHEALTIPS.COM

These are standard issue low-quality health tips websites. The assortment of topics, Marijuana, Depression and Fibromyalgia closely mirror the groups that I discussed with Craig Silverman in 2017 and were detailed in his article:
Welcome to the Age of Cheap Overseas Information

The Fibromyalgia group appears to have no other activity aside from the steady stream of links being posted by (non-American) profiles.

img_9215

Summary: A new story from the Facebook Newsroom leads me to a rabbithole where I discover inauthenticity at every turn and that in two years, not that much has changed.

Cover Photo: Special thanks to Eiliv-Sonas Aceron on Unsplash

Implants and Extractions (part II)

Implants and Extractions (part II)

In Part One I described two bogus websites that were using a variety of tricks to game both the audience and the advertisers. I showed some fake/stolen profiles that were being used to seed links, memes and to control a group with a large audience and a narrow focus. I showed an admin team of nine that had somehow positioned itself to take over a group 88,000 strong.  All that together has a name now, it’s called “Coordinated inauthentic behavior.”

It was Coordinated inauthentic behavior coupled with Facebook’s ceasing followup reports on reported profiles last year that inspired me to start keeping spreadsheets to understand what was going on. Only because of my own records do I know that two of the seven profiles named Muhammad Adnan Farooqi were deleted.
img_3438

This is also how I discovered- today- that Facebook got really close to blowing this wide open. (I turned the spreadsheet sideways just because it’s so big, and I don’t expect it to be legible.)  That grey block all the way in the lower left corner… those are the pages and groups. There were 23 that I found tied together in some way..  Today I discovered that three of the pages were recently deleted and one of the groups was returned to it’s original owner!  I’d really like to get her side of the story.
(Those three grey bars on the left- those are the deleted pages) So at this moment, there are five pages and twelve groups that I know of that are being run by this network of click-baiters from Pakistan.

That one bright red line in the grey block- that is this page. Red is the color I mark things that are unusual or alarming.  I was so excited when Facebook finally rolled out the info & ads tab.  But I guess most people don’t even know it’s there.

getsmartyvote2020

Back to the spreadsheet, that block of pastel green- those are the profiles of Muhammad Adnand Farooqi, two with their URL in grey are gone now… oh- and I found a new one, so he’s back up to six active profiles. The sienna color, that is Zahida… she has three profiles.

getsmartyspreadsheet Each of the 8 colors represents one of 8 names that is repeated. (eight names- 35 profiles)  Many other profiles are not repeated and are just colored grey.  Each black bar is the title of a group with it’s administration listed below.  You can see the eight colors scattered throughout.  That’s the coordination.

getsmartyzahida1getsmartyzahida2getsmartyzahida3

Obviously, not all of these photos are the same person, so it is fair and responsible to warn that any of these photos may be of innocent people whose pictures were stolen just like the Facebook accounts. The URL names don’t match either.

If you have heard people mocking “Coordinated inauthentic behavior” or acting as if this was some sort of made up excuse for what they deem to be “censorship”, please share my blog with them and show them that this is very real,  and it’s not uncommon.  There can be a variety of motivations and it can come from inside or outside our borders. I feel sad to think that once this is published, that Facebook will swiftly make it all vanish and the opportunity to learn from it will be lost.

Hopefully the groups will be returned to their original owners, and those people will be given information about what happened and tools to evaluate their group membership and make sure that this doesn’t happen again. Perhaps professionals from Facebook could work with them to carefully comb through these vulnerable groups to be sure that they are not full of sleeper profiles ready to pick up where they left off.

Since the IRA debacle- how many pages has Facebook removed without even naming, only mentioning them as a count and maybe a country of origin or country of target? How are we to learn?
Here are screenshots I took in March of the three pages that are now gone.
106,133 people liked these pages.
Maybe some were the same person liking more than one page.
Maybe half were fake likes purchased to shoot the page up in the search results.
Maybe some were automated cyborg amplifiers who were programmed with a core list of conservative page likes to share from to build a convincing red white and blue timeline. What concerns me is that not a single one of these people is going to be told that these pages were pumping content into American filter bubbles from Pakistan.

This slideshow requires JavaScript.


If you added the page likes and group members of the whole network together… there’s 500,000 people who SHOULD be told that they were involved with a foreign network that was actively pitting Americans against other Americans.  This might be a rare time when the thought of bots might be a little consoling.  Maybe it’s not really 500,000 red blooded Americans who were so blind and easily manipulated. Maybe there were only 200,000 real people and the rest were just bots pretending to be housewives from Texas. OK, maybe that’s not so comforting.

Diamond and Silk Fan Page (group) – 88,710 members

Conservative Voters 2020 (group) -36,636 members

Trump Fans (group) – 22,814 members


Sarah Huckabee Sanders Fans (group) – 12,076 members

Sarah Huckabee Supporters (group) – 7639 members

Conservative Values Across America (group) – 27,363 members

We Are Conservatives (group) – 40,273 members

Vote Trump 2020 (group) – 18,290 members


Judge jeanine Fans Group – 8981 members

Judge Jeanine Fans Supporters (group) – 5275 members

Tomi Lahren Fans (group) 26,699 members

Ivanka Trump (group) – 106 members

Ivanka Trump Fans (page) – 11,414 likes
gssIvankaFansPage

Judge Jeanine Fans (page) – 88,684 likes

gssJudgePage
2020 Make American Great Again (page) –  2358 likes

gss2020maga
Trump Train 2020 (page) – 117 likes

gsstrumptrain2020

Sarah huckabee sanders fans (page) – 18,492

gssSHSFans.jpg
Daniyal Political News (page) – 548 … this page hosts memes seeded into other groups.

gssDPN.jpg

Here is a word to keep close to your heart- “resilience” if you combine it with “propaganda” it makes a powerful search query.

Who could miss these admin teams and the posts they pushed out?

Few will have the chance to pick through and examine what happened. How were those profiles taken from their owners and the groups taken from their founders? Few will see  the comments left by all the people who fell for the bait, or how quickly the commenting from a “mainstream” audience plummets without the guiding oversight of an invested moderating team.

These blog posts, for the most part are about the network who played this audience… but for me- my nerves were tested, not by what they did- but by the audience- their comments and attitudes. The tenor of their daily discourse. I can’t articulate what I have been exposed to. I can’t even write a conclusion at the end of this, it’s just going to end abruptly with all the other words unspoken.

The lists that Facebook would show you today of the names of your friends and relatives already in the group to entice you to join… tomorrow, if a group is deleted, not even the members will have any tangible evidence that it ever even existed or that they were a part of it. There will be no debriefing. Odds are they will never know.  They will never suffer a knock to their confidence of consumption… even after a massive recall.

contentunavailable

Maybe there will be some “Content Unavailable posts” knocking around, with just a few hints about what might have been there from the quips in the comments. Do people even know that those unavailable notices, sometimes caused by privacy settings… but more typically, when they are found in group postings, having collected comments- those are the shadows of bogus problematic pages that aren’t there anymore.  If you go in a group and scroll back in time and you see those rattly remnants, that is a clue… like syringes on a sidewalk… a street-smart person would use to evaluate the place where they are.

This is not the only network of its kind.  Don’t think that when this blows over it’s done.  People, we need to be vigilant.  We have to do so much better than this.

If you would like to learn more about detecting inauthentic behavior, my Facebook page Exploiting the Niche has some notes and videos as well as many posts that are examples.

Cover photo by Samuel Zeller

 

Extractions and Implants (Part I)

Extractions and Implants (Part I)

Update: 2 days since publishing…
I worked really hard on this. I thought it was going to make some waves.
Did my blogpost get eclipsed by a photo of a black hole?  maybe.

More likely I just had some bad luck surfacing when I thought sharing was going to be a sure thing. In the 2 days since this published, not only did this not get the traffic I anticipated- of the visitors I did have..
(THANK YOU! I know this is not light reading)
..only 1 out of 5 even clicked through to the part of the story that really matters! 

blogwoes
sad stats


If you don’t have time…

please just jump to part II and scroll through the pictures  

(The pictures are important! I made these screenshots for you!) 
 About 500,000 American Facebook users are being served political content from Pakistan who don’t know it.  I’m asking you to help me get the word out. 

JUMP TO PART II


Part I:
These ads were placed on a website called Getsmarty.site by Google Adsense.
Almost all of the ads I saw when I visited the site were for dental products and dental practices in my region. Obviously some regional targeting was at play, but I am not in the market for a new dentist.

This slideshow requires JavaScript.

This slideshow requires JavaScript.

Look closer at the website and you may begin to understand how the ads were targeted to a person visiting the site, it seems clear the reader is doing some research about getting some dental work done… right?

http://getsmarty.site/dental-implant-procedure-cost/
http://getsmarty.site/best-dental-implant-surgery/
http://getsmarty.site/dental-implant-complete-procedure/
http://getsmarty.site/dental-implant-procedure-and-restoration/
http://getsmarty.site/grafting-for-dental-implant/
http://getsmarty.site/risk-factor-in-dental-implant/
http://getsmarty.site/replacing-teeth-procedure/
http://getsmarty.site/dental-treatment-consult/
http://getsmarty.site/teeth-implant-recovery-timeline/
http://getsmarty.site/dental-cosmetic-related-compilation/
http://getsmarty.site/dental-implant-procedure-steps/
http://getsmarty.site/dental-implant-placement/

I wonder if dental implants are expensive? If a person reading articles about the cost and recovery time is going to spend a lot of money by the time it’s all over, and that dental practices would pay quite a bit to outbid their competitors in order to gain a new client? I don’t know that much about the going rate of dental ads on mobile. I don’t know that much about the cost of dental implants either. I guess I could read one of the articles.
I’ll take the first one off the top of that list:

“When people are searching and thinking about the cost that involved in dental The fastens are typically left set up for around seven to ten days. After this time and doing complete procedure while it would not be easy span the gum tissue dental specialist opening has been finished, the dental specialist will proceed with the boring procedure utilizing a lot of bits, every one of which has a somewhat bigger width.”

Clear as mud right? There are three paragraphs of that. I still have no idea how much dental implants cost.
And there is also some of this:



That bizarre article about Nancy Pelosi falling down drunk and being escorted out of the white house- is not my screenshot of the website. On Getsmarty it’s actually two photos of formatted text. So the dental text on the website is searchable, but the Nancy Pelosi story is hidden to the prying eyes of a crawler as a .png file. The dental implant word salad only appears after the dear reader has had all the satire go right over their head and has had their outrage fix anyway.

The Pelosi story was copied from BustaTroll.org and has been debunked by Maarten Schenk of LeadStories.
The number of levels of fakery going of here is truly stunning.

This is the photo, which is the preview image for the story which actually seems to be titled, “Time to out”

The audience who is who is falling for this seems to have very poor reading habits, if they read the articles at all. They seem to share and comment freely, but I never see comments inquiring about the dental text. There are many digital literacy cues that are overlooked in order for these articles to be taken seriously. When Getsmarty.site articles are returned in a Facebook search, some of the dental text and other bits of random weirdness shows up in the captions.

getsmartyarticlesonFB.png

If a person shares a Getsmarty.site article on Facebook, the unusual dental URL of the article may show:

getsmartysharelink.png

Hold on to your teeth because it’s going to continue to get stranger from here.
Let’s look at a Getsmarty.site share into a group, the Diamond and Silk Fan Page.
Note: despite the name, this is not a page, it’s a group.

getsmartydiamondandsilksmallest

Just to cut down on the number of screenshots I have to make, in the above screenshot I have pointed out how a person can look to see the administration team of their group.
I have to do this because it seems many people don’t know how.

This group has 88,717 members and 9 administrators.
What I want to know is: Why, out of 88,717 people, more people haven’t looked at this and seen a problem?
I don’t have a problem with people named Muhammad or people who don’t have their language set to English… but when your group is based on American politics, considering the current climate and well publicized issues of foreign interference- I would think that some people inside this group would notice something was off and raise the alarm.

getsmartydiamondandsilkadmins

Maybe you noticed that the Muhammad Adnan Farooqi who made the post doesn’t have the same profile picture as the one in the administration. Well. There are a bunch of them. There were seven, but Facebook deleted two of them sometime in the past month. Then I found another one last night. Now there are at least six.

It is always so annoying to me when Facebook is so close to something big and it slips right past.

maf1maf2maf3maf5maf4maf6

Now that we know who the group administrators are, maybe we can do a better job of recognizing when they put posts into the group. Maybe.

viraltictocZahida

Are you kidding me!… I’m sitting here trying to figure out how I am going to wrap this up with the big reveal…and Zahida here has to share a link to Viraltiktok.com… this is brand new! When I had last looked Techspros.com was the network’s old website and Getsmarty was the new and active one. It looks like Getsmarty may be aging out so they have introduced Viraltiktok.com to keep things fresh… let’s see what is going on.

viraltictoceyeads
Oh my eyes. Can you read this? The design and concept are identical to Getsmarty.site. except now the URL is talking about lasik eye surgery. The political outrage article is a photo of text and the medical word salad follows just like at Getsmarty.
The Viraltiktok article is tagged: eye surgery, eye surgery cost, lasik eye surgery and you can see it has successfully scooped up some vision advertising.

“Eye treatment would be now not easy and also treatment an when it goes to surgery it enough to enable the specialist to securely make a clean corneal fold of fitting profundity.
Are influenced by one of the normal kinds of vision issues or refractive mistake and they are doing some the things that not easy and nearsightedness (partial blindness), astigmatism (obscured vision brought about by a sporadic formed and can nothing be done easily and nothing be done frequently effortless methodology,in cases and eye treatment and for most of patients, the medical procedure improves vision and decreases the requirement for restorative Nonetheless.”

HiddenTagssmaller

I’m including Facebooking basics here because people either don’t know how to do this stuff or don’t believe that it is important. I guess there is a sense of safety in numbers, that when you are in a group with 88,717 members, you trust that if something was up, people would be talking about it. But clearly that’s not the case.

If you notice someone posting website links or memes from pages, try searching the group for their name an see if their behavior seems unnatural. Of course people who own pages will promote them, but if they use fake profiles to do it- that is deceptive astroturfing or spam.

getsmartydiamondandsilkzahida

You can search the group for the website or page name and see who else shares it.

getsmartyseeder.png

Sharmeen is a new to me. I started a spreadsheet on this network on March 14, 2019 and listed all the profiles who were admins of groups, managers of pages and seeders of links. There are about 80 profiles involved. I didn’t see Sharmeen until today.

When I visit Sharmeen’s profile home… I notice something. Do you see it?
Sharmeen Maqbool is operating an account that was stolen from an American woman.
This isn’t the only one of these I have found, one of the Muhammad Adnan Farooqi accounts was also stolen from an American. Other accounts have mismatched names with the profile URL and may have been stolen from people in other countries.

sharmeentiffanyprofile.png

This “Sharmeen” account is using a hijacked American profile to seed both memes and links into the group. How do you feel about a foreign player using a stolen American account to put such volatile divisive content into the American traffic stream through a Diamond and Silk Fan group?

If they would steal American profiles to game the system… what else would they do?
Well… this is a little tricky, it’s so strange how Facebook gives different information depending on what country you are in, or how you are viewing the page (like I would never be able to see the URL on Sharmeen’s account from my phone unless I copied the profile link and pasted it somewhere- and yes- I do that all the time!) the act of copying the profile link does not show the link to me from the mobile Facebook app- it just says “Profile Link Copied”

OK, so here is another inconsistency. Earlier we got a view of the administration of the Diamond and Silk Fan Page- that was a screenshot of my desktop view. The mobile app format isn’t much different… but if I view the admin page of the group while logged into Facebook from a MOBILE WEB BROWSER… there is some critical information included!

getsmartydiamondandsilkadminsDATES

In this version of the Admin roster, we can see how long these profiles have been administrators of this group. The group was founded on February 3, 2018 but it is clear that no one from the group’s founding or first year running is still running the group.
How did these Pakistani profiles get control of an American group with amost 100,000 members? Where are the original admins and how did no one notice when this takeover happened?

In part two we’ll look at the pages and groups this network is using to play American outrage traffic.

Cover photo by Samuel Zeller

The DeepRabbitHole

The DeepRabbitHole
Photo by Tony Stoddard

If you arrived here by a link, You can read part of this investigation here.

Over the couple of years that I have been sniffing around in this field of tricky players I have worked hard to learn some OSINT techniques. (OSINT = Open Source Intelligence.) That means finding the information that is publicly available, but maybe hidden in plain sight where no one has looked. While technical skills would be an advantage, my strong points are curiosity and observation. My approach is like Colombo crossed with McGyver.

My mission is to share media literacy information so people can be better equipped when they encounter things like romance scammers, foreign actors and disinformation. When I named my page “Exploiting the Niche” I thought that the term was a common phrase, like “Pushing the Envelope” or “Toeing the line”. It turns out it’s not common enough for me to have assumed. Many people aren’t familiar with how a marketing motivational speaker might use the phrase “Exploiting the Niche” without the slightest sense that maybe that doesn’t make them sound so nice. I thought it was clear that I was going to be talking about people who are doing that, and not that I was doing it myself. WhiteWolfPack is a classic example of someone who is determined to hit a very specific niche market and doesn’t care who they exploit along the way.

It has been a few years since I tried to find the identity of the owner of the WhiteWolfPack website. (Spoiler: I still haven’t) I wondered if maybe I would see something I had missed if I revisited it again since dead-ending back in 2016. One place that I find really helpful to look for information is in comments. Lots of times people have some inside information or context that helps with an investigation. Searching on both Facebook and Twitter I was really excited to see a rumor repeated more than once about a person who was believed to be the owner of WhiteWolfPack. I was excited to think that maybe after all this time, the mystery had been solved. There was even a youtube video linked. As I watched the video my sense of “victory at last” began to fade. I didn’t believe that this woman was associated with the website. When I inquired about how this connection was made, I couldn’t get any answers.

The accused has a wolf sanctuary and spiritual retreat in Arizona. What she is doing with sweat lodge and drum ceremony and all the animal magic of the supernaturally therapeutic wolves… that is a whole ‘nuther rabbithole that is waaaaay outside my lane and scope of my expertise. I’m interested in internet frauds and media literacy. If someone has a physical presence circulating around (in this dimension or another) and is shaking hands with the people who are buying her shtick… I’m out. That’s for tribal members to speak on, not me.

So that leaves me with a balancing act of wanting to explain enough about what I see to rule her out as the owner of WhiteWolfPack, but to not derail this whole blogpost with her specifics. I do want to make it clear that my intent in ruling her out has to do with not coming to the wrong conclusion about WhiteWolfPack, it is not a defense of a white person appropriating sacred ceremony.

Here is what I think happened.

icannWhoIs Domain Registry Search for WhiteWolfPack.com

Look carefully, Do you see it?

Recently I helped out a person who was sure they had found fake news coming from Panama. In that case I understood right away what had happened. It was likely that a publisher from anywhere around the world was using WhoisGuard, one of the largest domain registry services to protect their privacy/identity. A service that acts as a go-between used their address in Panama to register websites for a fee.

I’ll confess it took a full day for this one to dawn on me because the mystical prattle coming from that wolf lady’s Youtube had me so disoriented. What I think happened is that some well meaning person tried to search for information on WhiteWolfPack.com and they saw these results. Not understanding that this Scottsdale Arizona address is the DomainsbyProxy business address and that it’s tied to more than one out of ten websites with a top level domain. That investigator got headed on the wrong track thinking that the owner of WhiteWolfPack is in Arizona. This wolf sanctuary lady was a perfect character who could fit the MO of a person who has enveloped themselves with all the trappings of the Native world, but who appropriates with wanton disregard for the people they hurt along the way….that, and… wolves. I can understand how this could have happened.


Here are some points of disconnect:

  • The sanctuary’s website has a very dated style… you almost expect a midi theme song to play in the background , while WhiteWolfPack’s design has a different aesthetic.
  • The sanctuary’s website is very transparent in the historic domain registry details, something that the WhiteWolf master of secrecy would never allow.
  • The sanctuary page has only FIFTY SIX fans. The automatically generated Facebook page for the sanctuary has 309 likes (people are checking in and sharing pictures from their visit) . The page manager appears in photographs with the wolves and the wolf lady. The page manager is not a false identity, she’s a very real person with connections to the sanctuary. There are scores of photos posted by the public and videos of the wolf lady on youtube, uploaded from multiple sources.
    The White Wolf Facebook page on the other hand, has 443,851 likes and no human faces or names associated with it.
  • The White Wolves of the cover photos of WhiteWolfPack.com are not the resident wolves at the Arizona sanctuary. After watching that woman talk about her wolves and their spiritual healing powers, I can’t imagine that she would ever have the restraint to not highlight those individuals as mystical celebrities at the WhiteWolfPack website if she owned it.
  • This part that really does it for me: The spring thaw in Arizona apparently has caused a lot of flood damage at the sanctuary. They have put out a call for donations on their tiny page. Even if this fund-drive were a con, if you were trying to get donations… and you owned a page with almost half a million likes… wouldn’t you use it? They wouldn’t even need to blow their cover, if they owned WhiteWolfPack.com- They could slip in a story about the sanctuary’s needs in the third person and act as if they were just doing something nice to help wolves. If you had no scruples and had access to an audience half a million strong wouldn’t you target them instead of reaching out to an audience of 56?

OSINT technique for websites with private domains:
Sometimes the Google AdSense or Google analytics codes embedded in the HTML of the webpages themselves will show behind the scenes links between websites.

Step one: right click on the homepage of the website.
Choose “View Page Source” from the menu. (I wish that would cut this whole thing short and pop up a picture of the person doing this, but sadly the page source they mean is HTML code.)

This will cause your computer screen to look
A: Really cool… or
B: Absolutely terrifying
(that’s up to you!)

The shortcut for “find on screen” is CTRL F (hold the Ctrl key as you press F)
that will open a little window where you can type in what you are looking for. Then use the arrows to quickly jump up or down through the HTML document. You will see your search results highlighted.
“ca-pub” are the letters that will precede the unique numeric Google Adsense ID code.

Are you ready for the big reveal?
Copy the Adsense ID code and take it to the website spyonweb.com

This search is looking for all the websites making money with google ads that Google is paying to this one account.

Now we have three websites showing in the Spyonweb search.
This could get interesting!
The Buffy Sainte-Marie blogspot hasn’t been updated since August of 2015.
The I Love Music Blogue hasn’t been updated since Whitney Houston died in February of 2012. I think the notable thing here is that this blog is presented in French language.
The other thing that has the potential to throw us off is that the profile of the person responsible for the iLoveMusicBlogue is “Buffy”

The location on this profile says Canada, and yes, I know they speak French in Canada too… but I’m going to bet that nothing here is true. I’m going to give her the benefit of the doubt and say these blogs are NOT run by Buffy Sainte-Marie. Rather, this webmaster chose a celebrity’s audience (perhaps they are a fan) to exploit. Just like on the WhiteWolfPack.com website, this mystery plagiarist webmaster was getting news alerts from a wide variety of sources all over the web any time someone wrote about Buffy Sainte-Marie and then they would steal the story and republishing it. Although known as a Canadian Musician, the Wikipedia entry on her amazing life and career says Buffy Sainte-Marie lives in Hawaii and has for a long time.

The Buffyblogue (I’m going to call it that now) has a link to a
(BOGUS) Buffy Sainte-Marie FACEBOOK PAGE
This facebook page has a good sized following of 27,106 page likes.
Although the Buffyblogue has not made a new post since August of 2015- the Facebook page continued to be active up to April of 2018, they were reposting older articles from the Buffyblogue archive, That last Facebook post, the Universal Soldier Video was a blogpost pulled from April of 2011.
I think the WhiteWolfPack webmaster has learned that putting dates on the blog articles is problematic if you plan to recycle them for years. I’d be curious to see when they stopped putting dates on their posts.
There are two more interesting connections…

One: The Buffy Facebook Page Info&Ads shows the page has 3 managers from FRANCE.

Two: CrowdTangle shows that the Buffyblogue has had some very dedicated promotion from a Facebook page that some may already be familiar with!
Aboriginal and Tribal Nation News was the primary amplifier of Buffyblogue posts from 2011-2016.

Let’s take a moment to talk about:
(BOGUS) Aboriginal and Tribal Nation News Facebook Page
This page has 317,935 page fans who have fallen for its legit sounding name AND the great quality relevant and stolen Native journalism that WhiteWolfPack serves up. There is no publication “Aboriginal and Tribal Nation News”, online or elsewhere- and if you scroll down their timeline today, all you will find are links to plagiarized articles from WhiteWolfPack until you eventually come to some links to the Buffyblogue. I don’t have time to do that, so if anyone comes across Tribal Nation News sharing any content that does not cycle directly back to their Google Adsense account- please tell me and I’ll take note.

Get in the habit of checking Page Info&Ads…
Look: Tribal Nation News also has a manager team of 3 from FRANCE.

Just like I requested in part I of this- please let’s crowdsource an effort to notify our friends that this page is not a fraud like WhiteWolfPack… this bogus Native News outlet IS WhiteWolfPack. Go to the community tab on the Aboriginal and Tribal Nation News page page and see if any of your friends are following and send them a message.

Same goes for the White Wolf Facebook page
Get your friends away from it! Let’s not be accidentally amplifying this fraud! Here is a screenshot of White Wolf’s page Info&Ads- showing their page managers in the USA and FRANCE.

Same with the BOGUS Buffy Sainte-Marie page.
Warn your friends if they liked it. Be careful- the WhiteWolfPack owned Buffy Facebook page is older and has a larger following than the
legitimate Buffy Sainte-Marie Facebook page.
Yes, the cheating thief has managed to present a Facebook presence that rivals the real Celebrity! That is an outrage!

When I look at the crowdtangle results for Whitewolfpack.com, most of the amplification is from White Wolf Facebook page and the Aboriginal and Tribal Nation News, and they are returning high because of their large audiences, but there are many other pages who are sharing WhiteWolfPack stuff. These pages should also be notified! Be kind and considerate, but there is a certain point where someone’s refusal to acknowledge the harm of stealing from Native journalists becomes a point where I would draw a line. Pages like: Indigenous Life Movement, Oceti Sakowin Camp, Sacred Stone Camp, International Indigenous Youth Council, Standing Rock NoDAPL Image Bank, Wolf Mountain Sanctuary, Walking the Red Road, Frack Free Four Corners, World Indigenous News (WIN)… on and on, there are so many.

Be thorough! Lots of times it’s the small or old projects that have the best OSINT clues. Just in case you might be wondering if I forgot, I didn’t get anything else here, but I did check CrowdTangle to see if anyone was amplifying the IloveMusicBlogue. Nope.

One Note about the Legit Buffy Sainte-Marie facebook page. I am not 100% sure that it belongs to the real Artist… but I have 0% doubt. There is a small amount of merchandising, but hey… that’s fine, even the President of the United States does it. Her posts share a wide variety of sources and she doesn’t steal their content, she amplifies the posts of others- that’s how it is supposed to be done! She also is posting a lot about her recently released authorized biography both on her Blue Check Verified Twitter and her Facebook page and the branding of the social accounts matches. (yes that can be faked by an impostor, but I don’t think that’s all all in question here)

In the end, I think this is going to depend on the supporting structures that this thief uses to do their thing stepping up and doing the right thing. Typically it’s only the authors themselves who have the power to complain, and because WhiteWolfPack spreads their thieving between so many people who may not be in communication with each other, they haven’t pulled together as a unified front.
Facebook
Twitter
Google Adsense
Blogger (also owned by Google)
GoDaddy
Domains by Proxy (owned by GoDaddy)
They all support this anonymous serial plagiarist. It is absurd that, as seen in this 2 minute video presented by Google a steady stream of content creators each has to learn the complex paths and hoops to jump through just to request that their work not be presented to another audience without their permission… why is this allowed to continue for YEARS?

– The End –

With a hat tip to one of my favorite podcasts, If/Then from Slate
I am going to wrap this up and close a whole bunch of tabs… but I’ll leave a few odd and ends here:

This is a nice website that shows the spectrum of plagiarism with graphics and an uncanny block of text. I’m half tempted to see if they took it from WhiteWolfPack.

White Wolf’s Twitter …huh… the last post was on April 21, 2018
That is the exact time that the Buffy Sainte-Marie FB page stopped posting!!! What on Earth happened?

CuteStat report on Whitewolfpack.com

A Canadian senator gets tangled in it on Twitter with a 2018 share of a story written in 2004 and published by WhiteWolfPack on “Wednesday” from here on out. The plagiarism rehash makes the original author look bad too.