Disinformation is nothing new. It is a form of propaganda used throughout history to create or bolster a politically motivated narrative. It has been used to serve the goals of almost every nation and society in human history, from the well-documented propaganda of oppressive regimes to the uncomfortably-close-to-home activity of the Brexit campaign and Donald Trump’s presidency.
But if once upon a time disinformation campaigns were the preserve of governments and governments alone, the advent of the internet has now modified the media landscape permanently. When the news was disseminated through much narrower channels – newspapers and state broadcasters, for example – only those with access to or influence over these institutions could hope to influence the news agenda with untruths.
Today, however, the sources from which individuals can get their news are significantly wider, and if information has been democratized, so has disinformation. Traditional media is now competing with the unregulated wilderness of social media and the partisan interests of new pressure groups.
The Covid-19 crisis threw this problem into the spotlight.
The ‘reopen’ campaign: A masterclass in deception
An example of how disinformation can work in the modern online ecosystem can be found in the ‘reopen’ campaigns which spread across the US in April, calling for an end to the Coronavirus lockdown. At the time, a lockdown had just been imposed in some US states and President Trump was voicing his discontent with a series of tweets asking to ‘LIBERATE’ the Democratic-led states that were enforcing social distancing measures. Indeed, some skeptical citizens of these states took to the streets to protest the lockdown and refused to comply with the policy.
Just as newspapers were reporting on this, the DomainTools research team was tipped off by a Reddit user that there were several ‘reopen’ domains registered on GoDaddy. These domains were registered within minutes of each other, leading the research team to suspect that these websites did not represent the organic, grassroots campaigns that those who created them would like us to believe.
Upon further investigation, we concluded, via the historical SSL certificates associated with these domains, that huge swathes of the ‘reopen’ domains were associated with a known lobbyist for the state of Iowa, Aaron Dorr, in addition to loosely tied firearm advocacy groups.
Mr. Dorr runs a type of advocacy consulting business where he teaches people to run advocacy groups. You will notice a striking similarity between the sites’ homepages. Very similar content was also posted on the websites, and Mr. Dorr is often listed as the author of the articles published, confirming the team’s initial suspicions.
The investigation of historical SSL certificates uncovered the uncomfortable truth: what appeared at first glance to be a spontaneous grassroots campaign was in fact a coordinated campaign of astroturfing and disinformation serving the interest of a known lobbyist. Where in the past disinformation campaigns needed the mechanisms of state and willing participants to disseminate false claims, today all it takes is one individual with an understanding of domain infrastructure to create what looks like an already active grassroots campaign. This is dangerous, as it makes people who are susceptible to these tendencies even more likely to become indoctrinated – strength lies in numbers, after all.
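The two signals described above, registration within minutes of each other and shared historical SSL certificates, can be combined to group domains into likely common-operator clusters. The following is an added example, not code from the DomainTools investigation; the domain names, registrars, timestamps, fingerprints and the five-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample records (not data from the investigation): domain,
# registrar, creation time, and fingerprints of certificates the domain
# has historically served. Fingerprints are shortened placeholders.
RECORDS = [
    ("reopen-state-a.example", "RegistrarX", "2020-04-08T14:02:10", {"fp-aaa"}),
    ("reopen-state-b.example", "RegistrarX", "2020-04-08T14:03:45", {"fp-aaa", "fp-bbb"}),
    ("reopen-state-c.example", "RegistrarX", "2020-04-08T14:05:30", {"fp-ccc"}),
    ("advocacy-group.example", "RegistrarY", "2015-06-01T09:00:00", {"fp-bbb"}),
    ("local-bakery.example",   "RegistrarX", "2020-04-08T19:40:00", {"fp-ddd"}),
]

def cluster(records, window=timedelta(minutes=5)):
    """Group domains linked by a shared certificate or near-simultaneous
    registration at the same registrar. Returns (clusters, evidence)."""
    parent = {r[0]: r[0] for r in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    evidence = []
    for a, b in combinations(records, 2):
        shared = a[3] & b[3]
        t_a, t_b = datetime.fromisoformat(a[2]), datetime.fromisoformat(b[2])
        close = a[1] == b[1] and abs(t_a - t_b) <= window
        if shared or close:
            # Record why the pair was linked so an analyst can weigh it.
            evidence.append((a[0], b[0], "cert" if shared else "timing"))
            parent[find(a[0])] = find(b[0])

    groups = {}
    for d in parent:
        groups.setdefault(find(d), set()).add(d)
    # A singleton has no link to anything else, so it is not a cluster.
    return [g for g in groups.values() if len(g) > 1], evidence

if __name__ == "__main__":
    clusters, evidence = cluster(RECORDS)
    for g in clusters:
        print(sorted(g))
    for link in evidence:
        print(link)
```

A "timing" link is only a lead, since bulk registrations are common; a "cert" link is the stronger tie, which mirrors how the suspicion raised by registration times was confirmed through certificate history.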
The future of disinformation
That people want to influence the news agenda is nothing new. What is new, however, is the fact that individuals can create what seems like an organic campaigning network with incredible ease and a very high degree of professionalism. They can do so aided by website templates provided by services such as Squarespace and WordPress, which allow even complete beginners to create websites that look and feel legitimate, and do not exist in a vacuum.
Visitors ending up on those purpose-made websites, created to look like legitimate sources of information, will find that there are hundreds of other sites, in the case of the ‘reopen’ campaign, which are saying the same thing, giving very little indication that one or a few individuals with vested interests lie behind them. In addition to this, there are political campaign services, operating as non-partisan actors who simply help to provide campaign templates for a wide range of pressure and interest groups. These services make it even easier to set up real-looking campaigns.
The next logical step in this process is for something we have seen explode in the theatre of cybercrime to move into the disinformation arena: disinformation-as-a-service. Today’s groups spreading fake news can boost their efforts and amplify their message by purchasing armies of Twitter bots, but we may see this expand further into exploiting domain infrastructure.
Where malware/ransomware-as-a-service (MaaS/RaaS) and phishing-as-a-service have become well-established parts of the cybercrime ecosystem, we might see the same kind of services becoming available on the dark web in the near future, where malicious actors sell their services to generate organic-looking partisan campaigns to affect the news agenda.
Let’s keep on spreading awareness
Given the alarming rate at which disinformation techniques are evolving, it has become more important than ever for individuals to remain vigilant. We are likely to witness a surge in this kind of campaign as the US elections approach in November, and to protect the democratic process it is important to continue to spread awareness of what happens behind the scenes. What might seem to reflect a general sentiment and report genuine information may be the work of pressure groups, or even single individuals with strong opinions, an internet connection and a bit of time to spare.
Internet users should check the authenticity of everything they read and should be aware that, online, not all is as it seems. And for security researchers, journalists, and individuals hoping to protect the public from the very real dangers of disinformation – continue with what you are doing. It is a necessary public service, in this climate more than ever.
Chad Anderson, senior security researcher, DomainTools