- The campaign, dubbed ‘Fishwrap’, is being carried out by a group of the same name.
- Threat actors are using a special set of shortened tracking URLs to record clicks on the reports.
Researchers have come across a fake news campaign that is being used to misinform users about terror attacks. Dubbed ‘Fishwrap’, the campaign has been found to be carried out by a group of the same name.
What’s the matter?
Uncovered by Recorded Future, the campaign recycles old news stories on terror attacks and republishes them on social media platforms as if they were new. The campaign was discovered while monitoring social media platforms for reports of terror attacks. During the investigation, it was found that a network of more than 200 accounts was talking about attacks that were not reported on any news site.
It is believed that this misinformation is part of the campaign’s influence operation. Influence operations aim to change public opinion through social media posts.
Another interesting fact
The ‘Fishwrap’ campaign is also using a special set of shortened tracking URLs to record clicks on the reports. All these URL shorteners have been found running on an anonymous Azure service.
“The URL-shortened link in the post led us to an article about the original event from November 13, 2015. While many readers would probably not scrutinize the publication dates, it is easy to see how the post could cause concern for those reading it and prompt them to follow the link to validate the news, missing the difference in publication date,” said the researchers.
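The mismatch the researchers describe, a fresh post whose shortened link resolves to an old article, can be checked mechanically. The sketch below is an added example, not Recorded Future's tooling; it assumes the short links have already been resolved and the publication dates extracted, and every record, account name, host and the 30-day threshold is constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from urllib.parse import urlparse

MAX_AGE_DAYS = 30  # assumed threshold for "recycled" news

# Constructed sample records (not real data). "article_published" is the
# publication date of the article the shortened link resolved to, or None
# when no date could be extracted.
POSTS = [
    {"account": "acct_a", "posted": date(2019, 3, 2),
     "short_url": "https://short-one.example/x1", "article_published": date(2015, 11, 13)},
    {"account": "acct_b", "posted": date(2019, 3, 2),
     "short_url": "https://short-one.example/x2", "article_published": date(2015, 11, 13)},
    {"account": "acct_c", "posted": date(2019, 3, 5),
     "short_url": "https://short-two.example/y1", "article_published": date(2016, 7, 14)},
    {"account": "acct_d", "posted": date(2019, 3, 5),
     "short_url": "https://news.example/z1", "article_published": date(2019, 3, 4)},
    {"account": "acct_e", "posted": date(2019, 3, 6),
     "short_url": "https://short-one.example/x3", "article_published": None},
]

def stale_posts(posts, max_age_days=MAX_AGE_DAYS):
    """Return posts whose linked article is much older than the post itself."""
    flagged = []
    for p in posts:
        published = p["article_published"]
        if published is None:
            continue  # no date available: cannot judge, leave for manual review
        if (p["posted"] - published).days > max_age_days:
            flagged.append(p)
    return flagged

def suspicious_clusters(posts, min_accounts=2, max_age_days=MAX_AGE_DAYS):
    """Map each link host to the accounts that used it to push stale stories.

    Only hosts shared by at least `min_accounts` distinct accounts are kept,
    since a shared tracking shortener is what ties the accounts together.
    """
    by_host = defaultdict(set)
    for p in stale_posts(posts, max_age_days):
        by_host[urlparse(p["short_url"]).hostname].add(p["account"])
    return {h: sorted(a) for h, a in by_host.items() if len(a) >= min_accounts}

if __name__ == "__main__":
    for host, accounts in suspicious_clusters(POSTS).items():
        print(host, accounts)
```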
How old is the operation?
The researchers believe that the operation has been going on for close to a year.
“The fact that the operation has been going on for close to a year, and that it is spending money on numerous domains on dedicated servers, leads us to believe this is not just someone running the operation ‘for the lulz,’ but rather, a political organization or nation-state with an intent to spread fear and uncertainty and track followers of the posted links,” researchers added.
Two clusters of accounts belonging to a pack of 215 users have emerged during the investigation. While one cluster was active between May and October 2018, the other cluster was active from November 2018 to April 2019.