SecurityWeek

Report Links Vast Online Disinformation Campaign to Iran

When an attractive young Middle Eastern woman contacted Saudi dissident Ali AlAhmed over Twitter last November, he was immediately suspicious.

The Associated Press was on the verge of publishing a story about how AlAhmed, who is based in the Washington area, had been targeted by hackers posing as a female journalist. Now, just two days before the article was set to go live, another young woman had sidled up to him over the internet, trying to entice him to read an article and share it online.

“They will never stop,” AlAhmed wrote in a Nov. 6 message to the AP. “They think a hot girl can lure me.”

The AP flagged the exchange to Canadian internet watchdog Citizen Lab, which was already helping AlAhmed deal with the hackers. Citizen Lab quickly determined that the Twitter account, purportedly belonging to an Egyptian writer named Mona A.Rahman, was part of a separate operation. In fact, she wasn’t even trying to hack AlAhmed — she was trying to enlist him in an ambitious global disinformation effort linked to Tehran.

In a report published Tuesday, Citizen Lab said A.Rahman was but a small piece of a years-old, multilingual campaign aimed at seeding anti-Saudi, anti-Israel and anti-American stories across the internet. Citizen Lab, which is based at the University of Toronto’s Munk School, said it believes “with moderate confidence” that the operation is aligned with Iran. The campaign is another indication of how online disinformation is being tested by countries well beyond Russia, whose interference in the 2016 U.S. presidential election was laid out in vivid detail in special prosecutor Robert Mueller’s report.

“What this shows is that more and more parties are entering the disinformation game,” said John Scott-Railton, a Citizen Lab researcher, “and they’re constantly learning.”

In London, Iranian Embassy press secretary Mohammad Mohammadi denied that his government had anything to do with digital disinformation, saying that Iran was “the biggest victim” of such campaigns and had called for international regulations to curb them. He referred further questions to Iran’s Communications Ministry, whose press contact did not answer calls after hours on Monday.

Scott-Railton and his colleagues ended up identifying 135 fake articles that were published as part of the campaign, which they dubbed “Endless Mayfly” because, like the short-lived insect, the bogus stories tended to disappear soon after they began to spread.

The article A.Rahman was trying to get AlAhmed to share — a claim that Israel’s then-defense minister, Avigdor Lieberman, had been fired for being a Russian spy — was typical: The article had startling news, it was hosted on a fake version of a Harvard University website and had a host of spelling and grammatical mistakes. Articles shared by other fake personas followed a similar pattern. They made inflammatory claims about Israel, Saudi Arabia and the United States presented on lookalike versions of respected news sites.

“Ivanka Trump says its unbelievable that women cannot drive in saudi arabia,” said one article posted to a site dressed up to look like Foreign Policy magazine. “Saudi Arabia funds the US Mexico border Wall,” said another, hosted on a site imitating The Atlantic.

The campaign seems to have been largely ineffectual — Scott-Railton noted that “most of their stories got almost no organic buzz” — but a couple did break through.

In March 2017 a fake Belgian newspaper article claiming that then-French presidential candidate Emmanuel Macron’s campaign was being one-third funded by Saudi money was widely shared in French ultra-nationalist circles, including by Marion Marechal, the granddaughter of French far-right leader Jean-Marie Le Pen. A few months later another site mimicking a Swiss publication tricked the Reuters news agency and other outlets into publishing a false report that Saudi Arabia had written a letter to FIFA, soccer’s governing body, demanding that archrival Qatar be barred from hosting the 2012 World Cup. The report was later withdrawn.

Citizen Lab said it first got wind of the suspected Iranian disinformation campaign when a British web developer debunked one of the fake articles on Reddit two years ago. The developer pointed out that the story — which suggested that British Prime Minister Theresa May was “dancing to the tune” of Saudi Arabia — had been published on a website using the URL “indepnedent,” imitating the legitimate British news site, The Independent, and was linked to a network of other suspicious sites, including “bloomberq,” a clone of the news agency Bloomberg. A third site, “daylisabah,” was a fake version of the Turkish publication Daily Sabah.

“Did we just get an insight into a fake news operation?” the developer asked at the time.

Citizen Lab confirmed his hunch, later connecting the sites to an incident in which another Twitter user, Bina Melamed, tried to persuade Israeli journalists to share the same fake Harvard article that AlAhmed received.

When one of the reporters privately confronted Melamed about why she was pushing nonsense, the answer was unusually straightforward.

“I like challenging and controversial stories,” Melamed said. “Sometimes they are fake and sometimes they are not.”

Melamed changed her account’s name shortly thereafter. The account has since been suspended by Twitter. Many other social media personas mentioned in Citizen Lab’s report — such as A.Rahman — have also been shut down. But messages left with a handful of surviving accounts — sent via Twitter and Reddit — elicited no response. Emails sent to half a dozen addresses used to register several bogus websites — including bloomberq, daylisabah, foriegnpolicy, theatlatnic and indepnedent — either weren’t returned or bounced back as undeliverable.

AlAhmed said he was intrigued to hear that A.Rahman had been tied to the Iranian government. Despite knowing from the start that the whole thing was a charade, AlAhmed struck a wistful note in a recent interview about his interactions with the attractive-looking A.Rahman. At one point, she had written to him inviting him to stay at an apartment she claimed to have in London.

“A small part of me thought, ‘I hope this is real,’” AlAhmed said.

He quickly made clear that he was kidding.

“I told my wife,” he said.
