An Analyst’s Environment

This week we had a chance to work with an analyst who is new to our environment. The conversation revealed some things we find pedestrian that are exciting to a new person, so we’re going to detail them.

Alerts

Many people use Google’s Alerts, but far fewer are familiar with the service Talkwalker offers. This company offers social media observation tools and their free alerts service seems to be a way to gather cognitive excess, to learn what things might matter to actual humans. These alerts arrive as email, or as an RSS feed, which is a very valuable format.

Feed Reading

Google Reader used to be a good feed reader, but it was canceled some years ago. Alternatives today include Feedly and Inoreader. The first is considered the best for day to day reading activity, while Inoreader gets high marks for archival and automation. The paid version, just $49 per year, will comfortably handle hundreds of feeds, including the RSS output from the above mentioned Talkwalker.

Content Preservation

Talkwalker Alerts never sleep and Inoreader provides all sorts of automation, but how does one preserve some specific aspect of the overall take? We like Hunch.ly for faithful capture. This $129 tool is a Chrome extension that faithfully saves every page visited. It offers ‘selectors’, text strings that act as standing queries within an ‘investigation’, and an investigation can be exported as a single zip file which another user can then import. That is an amazingly powerful capability for small groups, who are otherwise typically trying to synchronize with an incomplete, error filled manual process.

Link Analysis

Alerting, feed tracking, and content preservation are important, but the Hunch.ly investigation is the right quantum of information for an individual or a small group. Larger bodies of information where linkages matter are best handled with Maltego Community Edition, which is free. There are transforms (queries) that will pull information from a Hunch.ly case, but the volume of information returned exceeds the CE version’s twelve item limit.

Maltego Classic is $1,000 with a $499 annual maintenance fee. This is well worth the cost for serious investigation work, particularly when there is a need to live share data among multiple analysts.

Costs Of Doing Business

We are extremely fond of FOSS tools, but there are some specialized tasks where it simply makes no sense to try to “roll your own”. This $1,200 kit of tools is a force multiplier for any investigator, dramatically enhancing accuracy and productivity.

Domestic Extremist? Or Something Else?

What does this site say to you at first glance?

patrioticfreedomfighter[.]com
This is one of nearly two dozen sites pushing fringe right wing views that are all associated with Mark Edward Baker, as detailed in this story by McClatchy. When I first heard of this, my initial thought was that something so slippery could be a foreign influence operation. I came to a much different conclusion, but it took many hours of digging.

Here is the full list of domains involved:


The physical plant for this is a circus – 434 unique IP addresses and they all seem to be tied to the operation.

Mark Edward Baker Internet Footprint

A simpler examination of the SOA record for each domain yielded a deeper clue in the form of the gomarkb@gmail.com address used for registration. It’s connected to another cluster of domains.

gomarkb@gmail.com domains

We are not going to revisit the merry chase this guy provides – fire up Hunch.ly and go at it. He uses the alias Mark Bentley; be on the lookout for LOP, which is short for League of Power, and his wife Jennifer is a signatory on some of the paperwork. He has at least half a dozen PO boxes in Florida and a similar setup in Reno, Nevada, which appears to be his origin. Once I was sure I had a real name, I was more interested in what his business model is and whether there were any foreign ties.

If you poke around for League of Power you’ll find complaints about his $27 work-from-home scam DVD. This guy’s ideology is getting other people’s money and providing little to nothing in return. This is pretty common to see on both sides of the aisle – grifters working the earnest but naive masses. This guy clearly focuses on the right; different skills are needed to run a similar game against the left.

Here is the one image that more or less sums up what he is doing:

Mailgun Usage

You would have to be in the business of examining attribution resistant hosting to notice this, but it was like a flashing neon sign for me. Domains that don’t want to be traced typically have no email handling at all. This guy’s business model is list building, which he’ll use for maybe some political stuff, but it will be an ongoing bulk mail target after the election.


What about foreign influence being behind this? The article mentions that conservativezone[.]com[.]com had been used. That’s a spearphishing move. It resolves to these geniuses:

conservativezone[.]com[.]com
What is AS206349? A dinky autonomous system in Bulgaria with a history of IP address hijacking. Baker got some service from these guys, but it wasn’t anything he wanted to receive. They may have noticed he was gathering lists of the easily duped and decided this would be a good phishing hole for them.


People who are way into the bipolar politics in the U.S. tend to judge things as either on their side, or the opposition. There are nuances on that spectrum that get ignored, foreign influence, weird cyberstalker types, and just outright fraud, like we’re seeing here. Don’t jump to sticking a red or blue label on something until you’ve had a good chance to inspect it and conjure up some alternate theories.

SocialLinks: An Actual Investigation

We have a special treat today, an actual investigation and preservation exercise on a Russian company we have had our eye on for the last year. First, to understand why today is their lucky day, peruse this New York Times article:

Here’s the lede from the article for those who refuse to click through:

On the same day Facebook announced that it had carried out its biggest purge yet of American accounts peddling disinformation, the company quietly made another revelation: It had removed 66 accounts, pages and apps linked to Russian firms that build facial recognition software for the Russian government.

This is a good step, but it isn’t the only housecleaning needed.

Available OSINT

If you open the current Maltego client you will see the Transform Hub, a listing of all service providers you can integrate. This is what you see this morning in the left hand column if you open the application on a 4k monitor. Note what is first and what is last.

SocialLinks Offerings In Maltego Transform Hub

I am the admin for the Maltego Group on LinkedIn. This is a screen shot I collected this morning. Implicit in this is a violation of Facebook terms of service; the source is SocialLinks CEO Alexandr Alexeev.

SocialLinks CEO Alexandr Alexeev Violates Facebook TOS

The company’s YouTube page has a variety of other demonstrations that indicate similar practices on other social media platforms. I snagged a screen shot from the video, which shows what they were doing a year ago.

SocialLinks Social Media Platforms

This alone is enough to set off alarm bells given the current climate. We know a bit more about this company, because I assumed their appearance on the Transform Hub meant they were a quality provider. I spent $130 for a month of service in November of 2017, setting off six weeks of curious encounters, both with them and with uninterested counter-intelligence investigators on three continents.

Our Encounter

Needing to capture some Instagram content for a civil case, I grew weary of chasing threads after I got acquainted with the players, so I went looking for an automation solution that would capture their social network. I had an Instagram account to use from one of the parties to the case, but I assumed it would be burned the minute any evidence from it showed in a filing.

What I received just plain didn’t work. Not with Instagram, not with my personal LinkedIn network, not with Github, which should be fairly open.

SocialLinks Troubles

This went on for a while, at first with me sharing details of DNS resolution issues for their servers and other stuff that seemed like normal troubleshooting. When I went to LinkedIn and made contact with CEO Alexandr Alexeev, I was immediately suspicious given his Moscow location.

We had an initial conversation on LinkedIn, below is an example of how things started. We agreed to meet on Wire, and there I was asked about VPNs, provisioning proxies in the U.S., and other means to circumvent access restrictions. I played along, thinking that some counter-intel attention might be forthcoming.

Alexander Alexeev 2018-01-20

Counter-intelligence Failures

I felt there was plenty of reason for attention on this situation, but after a month of asking for attention, no fewer than three governments who should have been interested all struck out without so much as a single swing.

  • United States – target of Russian election interference.
  • United Kingdom – target of Russian referendum interference.
  • South Africa – home of Maltego maker Paterva.

I’m not saying that I typed this all into IC3, pressed ‘send’, and crossed my fingers. I had conversations with two people in the U.S. IC community, I talked to James Patrick at Liberty STRATCOM, and I have an associate who has a personal relationship with a brigadier in the Hawks, South Africa’s Directorate for Priority Crime Investigation.

There are two ways to interpret this – either the system has already noticed and is working the problem, or the system is utterly overloaded and we are on our own. The fact that I got no response from any of the three countries made me think it was the latter. Having covered my own position, I sat back to see what happened next.

Further Cause To Act

Two months ago I met up with someone who had experiences with Social Links that were very similar to mine. I had already come to believe I was dealing with someone trying to “handle” me, albeit clumsily, and probably seeking advice from someone else in the process. Talking to this other party hardened that impression. That’s all I am going to say about this.

Removal

As a last ditch effort, I reached out to an FBI Special Agent I know last week. They had the weekend to think it over, Monday to act, and the NYT article is the last piece of stimulus I need. I just removed Alexeev from the LinkedIn Maltego Group and later today I am going to remove his posts, after announcing why he was removed.

Alexandr Alexeev Removal

Preservation & Publication

The particulars of what happened are important so I set out to preserve the details. Here are the steps I took:

  • Started Hunch.ly, preserved forty pages, both public and private. This application preserves content in an admissible fashion.
  • Launched MediaHuman’s YouTube Downloader just in case they or YouTube decide to wipe their channel.
  • Preserved the @_SocialLinks_ Twitter account for further analysis using both Maltego and our internal tools.
  • Wrapped up the exported Hunch.ly casefile, the Maltego graphs, and the videos, transferred it to a person who will hand carry it to a former U.S. Attorney we employ for certain sorts of touchy situations.

That last bit is just for my protection, given that our President and Attorney General both appear to be compromised by the Russian government. I will not be subject to a raid that deprives me of exculpatory evidence, followed by a politically motivated prosecution.

Conclusion

In the absence of any response from the agencies that ought to handle problems like this, I guess we are in charge for the moment. If you’ve had similar troubles with this company, I advise you to back up everything, transfer it to legal counsel so that it is protected from seizure by attorney-client privilege, then reach out to your local FBI field office.

I have shared the particulars with a couple of reporters, too. If you have similar experiences and wouldn’t mind being interviewed on this, feel free to contact me.

A Deadpool Of Bots

Yesterday in chat someone pointed out a small set of accounts that followed this Dirty Dozen of known harassment artists.

Dirty Dozen De Jure

The accounts all had the format <first name><last name><two digits>. We extracted two dozen from the followers of these twelve accounts, then ran their followers and found a total of 112 accessible accounts that had this same format. Suspecting a botnet, we created a mention map to see how they have been spending their time.

112 Bots & Mentions

This image is immediately telling for those used to examining mention maps. There are too many communities (denoted by different colors) present for such a small group and the isolated or nearly isolated islands just don’t look like a human interaction pattern.

ICObench Nexus

Adjusting from outbound degree to Eigenvector centrality, it was immediately clear what the focus of this group of accounts was. The next level of zoom in on the names revealed two other cryptocurrency news sites and a leader in the field as the targets of these accounts.

Thinking that 112 was a small number, we extracted their 7,029 unique followers’ IDs and got their names. Nearly 600 matched the first/last/digits format, but there were other similarities as well. We placed all 7,029 in our “slow cooker”, set to capture all of their tweets.

6,897 Bots

We were expecting to find signs of a botnet, but it appears the entire set of accounts is part of the same effort. The 6,897 we managed to collect were all created in the same twelve week period. The gap between creation times and the steady production of about eighty accounts per day seems to indicate a small hand run operation in a country with cheap labor.
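The two signals described above, the &lt;first name&gt;&lt;last name&gt;&lt;two digits&gt; handle shape and a creation history that fits inside one short production window, are easy to check mechanically. The following is an added example written for this post, not the authors’ own tooling; the account records it runs on are constructed, and the twelve week window and the handle regex are assumptions drawn from the description.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# <first name><last name><two digits>: letters only, then exactly two digits.
# Assumed shape; real screening would tune this against known-good handles.
HANDLE_RE = re.compile(r"^[A-Za-z]{4,}[0-9]{2}$")

def matches_pattern(handle):
    """True for handles shaped like 'janedoe17'; False for 'jane_doe17' or 'janedoe2018'."""
    return HANDLE_RE.fullmatch(handle) is not None

def creation_profile(created):
    """Summarise creation timestamps: (span in days, mean accounts per day, busiest day)."""
    if not created:
        return 0, 0.0, 0
    per_day = Counter(ts.date() for ts in created)
    span_days = (max(created).date() - min(created).date()).days + 1
    return span_days, len(created) / span_days, max(per_day.values())

def triage(accounts, min_pattern_ratio=0.5, max_span_days=84):
    """accounts: list of (handle, created_at). Returns both signals plus a
    'suspect' verdict: most handles fit the pattern AND every creation falls
    inside one window of at most max_span_days (twelve weeks, as in the post)."""
    handles = [h for h, _ in accounts]
    hits = sum(matches_pattern(h) for h in handles)
    ratio = hits / len(handles) if handles else 0.0
    span_days, per_day, busiest = creation_profile([ts for _, ts in accounts])
    return {
        "pattern_hits": hits,
        "pattern_ratio": ratio,
        "span_days": span_days,
        "mean_per_day": per_day,
        "busiest_day": busiest,
        "suspect": ratio >= min_pattern_ratio and 0 < span_days <= max_span_days,
    }

def constructed_sample():
    """Constructed data, not the post's dataset: 240 pattern handles minted at a
    steady 80 per day over three days, plus two ordinary-looking accounts."""
    start = datetime(2018, 3, 1, 0, 0)
    firsts = ["anna", "brian", "carla", "dmitri"]
    lasts = ["lopez", "nguyen", "okafor", "smith"]
    accounts = []
    for i in range(240):
        handle = f"{firsts[i % 4]}{lasts[(i // 4) % 4]}{i % 100:02d}"
        accounts.append((handle, start + timedelta(minutes=18 * i)))
    accounts.append(("real_person", start + timedelta(days=1)))
    accounts.append(("old_hand_2009", start + timedelta(days=2)))
    return accounts

if __name__ == "__main__":
    print(triage(constructed_sample()))
```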

Hashtags Used

The network is transparently focused on cryptocurrency over the long haul. Adjusting the timeframe to the last thirty days moved the keywords around a bit but the word cloud is largely the same. The clue to how these accounts got into the mix is there in the lower right quadrant – #followme and #followback indicate a willingness to engage whomever from the world at large, in addition to their siblings.

The reason we have pursued this so far, when it looks like just a cryptocurrency botnet, is this clue.

The Big Clue

Here are five bad actors with two other accounts created right in between them time-wise. This is the most striking example, but there are others like it. And understand the HUMINT that triggered this – a group of people who do nothing but take down racist hate talkers all day feel besieged by a group that manages to immediately regenerate after losing an account.

Our Working Theory

What we think we are seeing here is a pool of low end crypto pump and dump accounts that were either created for or later sold to a ringleader in this radicalized right wing group.

Now that we have roughly 7,000 of them on record, we have to decide what to do. This is just such a blatant example of automation that Twitter might immediately take it down if they notice. The 6.5 million tweets we collected are utterly dull – the prize here is the user profile dataset. We’d need some mods to our software, but maybe we need to collect all the followers for this group of 7,000 and figure out what the actual boundaries of this botnet truly are.

This has been a tiresome encounter for those who make it their business to drive hate speech from Twitter, but this may be the light at the end of the tunnel. If one group is using pools of purchased accounts to put their foot soldiers back in play the minute they get suspended, others are doing this, too. No effort was made to conceal this one from even moderate analysis efforts. If we demonstrate this is a pattern and Twitter is forced to act, we may well find that a lot of the heat will go out of political discourse on that platform.

An Old Investigation Worth Revisiting

There is something new brewing that we telegraphed on Twitter, but it’s going to take a bit to ripen. Between now and then let’s look over an unrelated event that is somewhat similar in spirit. Some of this originally appeared on Liberty STRATCOM as Russian Indictments, American Pinholes. The Internet Research Agency indictment revealed thirteen email addresses associated with Paypal accounts. It is believed that Ricky Pinedo had something to do with their procurement, but we were interested in what could be discerned from them.

Internet Research Agency Paypal Accounts

We checked these against RiskIQ and only the first one came back with an associated domain.

DigitalFaceLab registered by wemakeweather@gmail.com

The domain registration was proxied, but unluckily for IRA, I used to live about two miles from this address, which was easily checked. It is a vacant lot between two other homes, and the woman’s name is common.

DigitalFaceLab Bogus Registration

Don’t bother chasing DigitalFaceLab[.]com unless you have RiskIQ. It was moved to a Chinese IP after we started probing it, apparently a strategy to shift blame, and that’s not the real story in any event.

If you Googled the domain name when the indictment was released, there was one hit, in YourDigitalFace[.]com’s front page source code.

YourDigitalFace[.]com unitedvetsofamerica@gmail.com
And the unitedvetsofamerica@gmail.com account is one of the other Paypal accounts in the indictment. Now we might be on to something …

The domain YourDigitalFace[.]com was originally registered by Scott Orlosk in New Hampshire.

YourDigitalFace[.]com Original Registration
But it’s unclear what happened here. Did Orlosk lose control of the domain? It ends up tied to a Russian registrar, but not until May of 2017, which hardly makes sense given the overall time frame of events.

YourDigitalFace[.]com Expires
So what might be happening here?

  • RiskIQ is good, but not perfect, it misses things, it finds things later, it updates where and when it can get additional information. Maybe we are missing a key piece.
  • YDF expired, but Orlosk recovered it during a grace period, and may have been involved in developing and running DigitalFaceLab[.]com.
  • Some exceedingly clever IRA person used DFL for the 2016 election and just happened to leave this subtle trail of clues to confound analysis.

But we know that IRA scrambled to clean up after the FBI made them – this is admitted in their indictment. Concealment at the theorized level is something we do in operations, we’ve run across similar things in other encounters with Russians, but this just … doesn’t feel like that. It doesn’t seem planned, it seems hasty, after the fact.

There are precisely three weeks to go till the 2018 midterm. This is a fine time to recall that Ricky Pinedo was just sentenced to six months in prison for what he took to be a crime below the threshold that would be pursued. His life will never be the same and everyone who had any transactions with those thirteen accounts has no doubt had some sleepless nights. Pinedo being sentenced means any cases based on his cooperation are going to quickly move to arrests, search warrants, and unsealed indictments becoming available.