| | | Russian trolls pumped out malware along with pro-Trump messages. Venezuelans helped
BY KEVIN G. HALL
APRIL 02, 2019 11:39 AM, UPDATED 2 HOURS 49 MINUTES AGO
This screen shot of a Tweet from early 2017 shows how domains registered in Venezuela were sending around content considered politically divisive in the United States. Links displayed on so-called click bait tweets sometimes spread malware.
WASHINGTONTwitter accounts linked to a Russian troll farm charged by Special Counsel Robert Mueller III did more than pump out pro-Trump messages during the 2016 presidential election. In a previously undisclosed wrinkle, some also preyed on unsuspecting Trump supporters by targeting them with malware, a McClatchy investigation has found.
These Twitter accounts tweeted content that carried revenue-generating link shorteners, to either periodically spread malware or redirect to unrelated topics. Some were launched from websites registered to young people scattered across far-flung corners of Venezuela.
“How much do you get paid to spread MALWARE ... by taking advantage of Trump supporters???” a Trump supporter in Florida who goes by the handle @misstozak asked in a tweet on Oct. 27, 2016, shortly before the election, in which she complained about the URL-shortened links later found by McClatchy to have been retweeted by Russian accounts.
Shortened links are commonly used to avoid having to copy a large string of information into an email, text or tweet. In an interview, the woman behind the handle @misstozak expressed frustration that political activists like herself were toyed with by unknown actors using shortened URLs — the addresses of given websites.
Unlimited Digital Access: Only $0.99 For Your First MonthGet full access to Miami Herald content across all your devices.
SAVE NOW #READLOCAL
“It made me feel really taken advantage of,” said Janet Cucharo, an avowed Tea Party supporter and owner of The Book Store, which operates out of the Market of Marion, a large flea market near Ocala.
In August 2016 and well into the following year, Cucharo, who calls herself The Book Goddess, took to calling out the Trump-themed Twitter accounts that were spreading the malware to unsuspecting Trump followers.
Malware is designed to compromise the functions of a computer. Some types are relatively benign, such as annoying pop-up ads, while other types steal data, spread viruses and even spy on a user or give a faraway hacker control of the computer.
An ongoing investigation by McClatchy shows that at least 163 Twitter accounts that appear related to each other were involved in pushing out pro-Trump tweets during the 2016 elections that contained specially crafted link-shortened web addresses, also known as shortened URLs.
The investigation found a number of these Twitter accounts were tweeting out links that were hosted on servers operated by clients of Webzilla, a Cyprus-based provider of IT infrastructure with a presence in South Florida. Webzilla’s parent, XBT Holding, was named in the controversial dossier that helped trigger Mueller’s two-year probe.
 THE Book Goddess@misstozak
@AmericanNews200 How much do you get paid to spread MALWARE through t.co links by taking advantage of Trump supporters???
4:53 PM - Oct 27, 2016 · Florida, USA
Twitter Ads info and privacy
See THE Book Goddess's other Tweets
McClatchy searched links embedded in tweets from Russian Twitter accounts and cross-checked them against a public-use database created by NBC News. This database includes more than 200,000 tweets that Twitter itself has connected to “malicious activity” from Russian-tied accounts during the 2016 U.S. elections.
Among the ones found to be tied in 2016 and early 2017 to a managed data center operated in Amsterdam by Webzilla are domains and related subdomains such as dnoticie.es.kabch.xyz, viid.me, donaldtrumpnews.co.vu and USA.Trumpnewss.com. (Domains are the formal name of a website’s registered Internet address.)
At least 108 of these Twitter accounts that had been using links hosted by a Webzilla client called Red Sky have already been suspended by Twitter, according to McClatchy’s analysis and responses from Twitter searches, some of which said the account had been suspended. Another 55 of them were still live as of March 12 — some active and others inactive. There’s no evidence that Webzilla knew of malware-infested links and the company has said it can no more be cited for misuse of its servers than the phone company can be blamed for someone making crank calls.
This data, independently reviewed by multiple experts who said it appears accurate, came originally as a tip from a security researcher, who shared the information after reading earlier McClatchy reports about Webzilla and its parent company, XBT.
Those companies made international headlines when online news site BuzzFeed published the so-called Steele Dossier in January 2017. They’ve also been the subject of McClatchy investigations.
The dossier was compiled by former British spy Christopher Steele, and it contained the unverified assertion that XBT and its affiliates were “using botnets and porn traffic to transmit viruses, plant bugs, steal data and conduct ‘altering operations’ against Democratic Party leadership” in the 2016 election. XBT brought a defamation suit against BuzzFeed in Miami, tossed out last December. Documents associated with the case are in the process of being released.
THE Book Goddess@misstozak
@Vnzla4Trump Are you aware that all of your links go to t.co which contains MALWARE?
1
1:32 PM - Sep 2, 2016 · Florida, USA
Twitter Ads info and privacy
See THE Book Goddess's other Tweets
Special Counsel Mueller’s two-year investigation led to charges brought in the United States against the Russia-based Internet Research Agency (IRA), identified by U.S. intelligence and national security officials as a Russian state company designed to meddle in foreign countries to advance Russian foreign policy objectives.
Of the Twitter accounts identified by McClatchy’s investigation, 24 suspended accounts were directly tied by Twitter to the IRA’s meddling efforts. These accounts were identified in a data dump by Twitter amid post-election probes of Russian election meddling. Ten additional suspended Russian-linked accounts were potentially tied to the IRA meddling operations. These appear in a second data release by Twitter that refers to them only as Russian propaganda accounts.
These combined 34 Russia-linked accounts either tweeted or retweeted one of the URL shorteners offered by the Webzilla client. Another 103 accounts appear in at least one of the two Twitter data dumps and are the originators of the tweets that were in turn retweeted by a known IRA account.
XBT said in a statement to McClatchy that it was unaware that any of the IRA-linked Twitter traffic moved across its platform via a client.
Unlike China and Russia, the United States opts for an open internet, and this has been exploited by U.S. adversaries and cybercriminals alike. The lines between state actors and cybercriminals is blurry.
“I spend a lot of time looking at bad actors on the internet, and unfortunately it isn’t all that hard to find them, because there are a lot more of these than most people realize,” said Ron F. Guilmette, a veteran security researcher. “But the vast majority of these are perfectly ordinary crooks with perfectly ordinary motives — money.”
miamiherald.com |
|
