Fake accounts and fake news outlets that churn out conspiracy theories and snake-oil medical advice are doing what opportunistic shills always do: talking about what everyone else is talking about as they seek to mislead people into falling for phishing, other scams, or public-opinion influence operations.
Of course, the crisis they’re now leveraging is the COVID-19 pandemic.
On Tuesday, when Facebook released its third Coordinated Inauthentic Behavior (CIB) report, it said that every one of the eight networks it took down in April were created before the COVID-19 pandemic began. Before the gravity of the pandemic was understood worldwide, the threat actors were already doing their policy-violating work of ripping people off, spreading conspiracy theories or trying to influence political discourse. But once the disease settled into its place as the world’s foremost worry, the people behind the campaigns all pivoted to jump on the coronavirus bandwagon:
… opportunistically [using] coronavirus-related posts among many other topics to build an audience and drive people to their pages or off-platform sites.
Most of the networks Facebook took down last month were still trying to grow their audience or had a large portion of phony engagement on their pages – engagement that came from the networks’ own, fake accounts.
Nathaniel Gleicher, head of security policy at Facebook, said it’s all par for the course when it comes to exploiting the headlines:
We have seen threat actors leverage the coronavirus pandemic and discussion about the coronavirus pandemic in the same way that we’ve seen threat actors leverage other types of major events around the world.
One crisis that comes to mind was the Japanese earthquake and tsunami of 2011 – a horrific tragedy that scammers exploited with fake charity scams, spam that led to malware, and a clickjack scam about a whale getting tossed into a building.
In other words, it’s fake news, circa Year of COVID-19.
Takedowns
Last month, Facebook pulled down a total of 1,887 misleading accounts, pages and groups which it traced to eight networks. It says that two of the networks – from Russia and Iran – were coordinating their inauthentic behavior on behalf of a foreign or government actor. The remaining six networks – in the US, Georgia, Myanmar and Mauritania – were targeted at domestic audiences in their respective countries.
Facebook is constantly taking action against inauthentic behavior, including fake engagement, spam and artificial amplification. The report about CIB, however, is focused specifically on influence operations: what Facebook describes as “coordinated efforts to manipulate public debate for a strategic goal where fake accounts are central to the operation.”
In April, the platform took down a total of 732 Facebook accounts, 162 accounts on its Instagram platform, 793 pages, and 200 groups.
Biggest network: Georgia
The biggest network Facebook took down last month was one based in Georgia that’s linked to a media firm called Espersona. The platform removed 511 pages, 101 Facebook accounts, 122 groups, and 56 Instagram accounts linked to the network, which focused on domestic activity.
Facebook also removed a smaller network based in Georgia: one that consisted of 23 Facebook accounts, 80 pages, 41 groups, and 9 Instagram accounts. It linked this smaller network to individuals associated with United National Movement, a political party.
@AtlanticCouncil’s Digital Forensic Research Lab (@DFRLab) – a network of digital forensic analysts working to combat disinformation – has been tracking the Espersona network for a while. DFRLab says that accounts/pages/groups in Espersona’s coordinated network have impersonated Georgian health authorities and political opposition members and have tried to discredit pro-democracy activists and members of opposition parties.
Facebook says that people running the network also ran pages designed to look like user profiles—using phony names and stock profile images—to post and amplify their content, as well as to evade detection and removal. Some of their pages posed as independent news outlets to post content about domestic news and political issues such as elections, government policies and officials, as well as to criticize the opposition, journalists and local activists.
Most recently, the Espersona network shared content about COVID-19, including posts that violated Facebook’s policies against harmful health misinformation. In February, the company banned coronavirus miracle cure ads, including those that falsely, and dangerously, claimed that drinking bleach is a cure.
Facebook says that it found the Georgian network as part of an earlier investigation into suspected CIB that had been publicly reported by a local fact-checking organization in Georgia. The platform says that the Espersona network it took down in April has links to a Georgia-based network it took down in December 2019. It has now banned Espersona from its platforms.
Before it was booted from the platform, one of the network’s posts showed Georgia’s Prime Minister, Giorgi Gakharia, standing in front of a yellow-and-black image that says “Kill Corona Volume 1.” Fans of writer/director Quentin Tarantino will recognize it as a reference to his “Kill Bill” film series.
US: Anti-immigration and conspiracy theories
Facebook took down a smaller network in the US that it linked to anti-immigration sites. It removed 19 pages, 15 Facebook accounts, and 1 group that originated in the US and focused domestically. The platform’s investigation linked the network to VDARE, a website known for posting anti-immigration content, and to individuals associated with a similar website, The Unz Review.
It also ousted a US network – consisting of 5 pages, 20 Facebook accounts, and 6 groups – that it linked with the QAnon network. According to AP, QAnon is a conspiracy theory “centered on the baseless belief that Trump is waging a secret campaign against enemies in the ‘deep state’ and a child sex trafficking ring run by satanic pedophiles and cannibals.”
Facebook provided this sample of a QAnon post, which purportedly links to a video about the origins of COVID-19 that “Media Isn’t Showing.”
These insincere operators work every angle
All of these coordinated networks of accounts originally had different goals unrelated to the coronavirus, Gleitcher said. Coronavirus is just another tool they’re using to further those goals:
If you’re trying to build an audience, then you would want to use messages from the topic that everyone’s already talking about, which is coronavirus right now.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.