mentor20 868410c440
Merge pull request #101 from MassMove/update-facebook-url-extractor
5 months ago
LocalJournals Update reddit posts 5 months ago
LocalNews Add local news stations operated by Sinclair Broadcast Group 3 years ago
Text Messages Update text message count and add expanded Rebrandly link 3 years ago
Twitter Add local readme's 3 years ago
.DS_Store Adding geocoded results for stripped domains 3 years ago
.gitignore Add coords from sites-geocoded.csv 3 years ago
LICENSE Initial commit 3 years ago
README.md Add reddit post monitor 5 months ago
processed.csv changed script to query for Trackers. added processed data 3 years ago
requirements.txt Update requirement for bleach - for security 3 years ago
website-formatter-readme.md added initial script, requirements and the readme 3 years ago
website-formatter.py same False/"False" typo 3 years ago

README.md

Attack Vectors

A repository to monitor attack vectors mentioned in the billion-dollar disinformation campaign to reelect the president in 2020

Local News

Parscale has indicated that he plans to open up a new front in this war: local news. Last year, he said the campaign intends to train “swarms of surrogates” to undermine negative coverage from local TV stations and newspapers. Polls have long found that Americans across the political spectrum trust local news more than national media. If the campaign has its way, that trust will be eroded by November.

Sinclair Broadcast Group, a media company, owns or operates 294 television stations across the United States in 89 markets ranging in size from as large as Washington, D.C. to as small as Ottumwa, Iowa–Kirksville, Missouri.

List of stations owned or operated by Sinclair Broadcast Group

stations.csv

Local Journals

Running parallel to this effort, some conservatives have been experimenting with a scheme to exploit the credibility of local journalism. Over the past few years, hundreds of websites with innocuous-sounding names like the Arizona Monitor and The Kalamazoo Times have begun popping up. At first glance, they look like regular publications, complete with community notices and coverage of schools. But look closer and you’ll find that there are often no mastheads, few if any bylines, and no addresses for local offices. Many of them are organs of Republican lobbying groups; others belong to a mysterious company called Locality Labs, which is run by a conservative activist in Illinois. Readers are given no indication that these sites have political agendas—which is precisely what makes them valuable.

Their stuff looks really real: https://kalamazootimes.com until you start looking at all the articles at once: https://kalamazootimes.com/stories/tag/126-politics

Maps

Some maps to relay the sheer magnitude of the operation with over a thousand domains operating as fake local journals:

QGIS visualization with domain info:

Local Journals Map

Interactive Heat Map:

Interactive Heat Map

Domains

| domain | twitterFollowers | siteName | facebookUrl | awsOrigin | lat | lng | twitterUsername | twitterAccountCreatedAt | twitterUserId | twitterFollowing | twitterTweets |
|---|---|---|---|---|---|---|---|---|---|---|---|
| louisianarecord.com | 27490 | Louisiana Record | https://www.facebook.com/LouisianaRecord/ | 52.7.148.177 | 30.9842977 | -91.9623327 | louisianarecord | 2010-10-13T21:58:46.000Z | 202364607 | 23013 | 20433 |
| wvrecord.com | 3991 | West Virginia Record | https://www.facebook.com/WVRecord | 52.7.148.177 | 38.5976262 | -80.4549026 | wvrecord | 2009-11-19T11:38:43.000Z | 91087040 | 329 | 11660 |
| legalnewsline.com | 1666 | Legal Newsline | https://www.facebook.com/pages/Legal-Newsline/299588323424419 | 52.7.148.177 | 43.6961725 | -79.4389309 | legalnewsline | 2009-11-02T03:30:54.000Z | 86864211 | 559 | 16089 |
| setexasrecord.com | 1136 | Southeast Texas Record | https://www.facebook.com/SETexasRecord/ | 52.7.148.177 | 30.063191 | -94.134436 | setexasrecord | 2009-11-19T11:37:11.000Z | 91086820 | 1442 | 15399 |
| cookcountyrecord.com | 1114 | Cook County Record | https://www.facebook.com/cookcountyrecord | 52.7.148.177 | 41.7376587 | -87.697554 | CookRecord | 2013-08-06T19:51:38.000Z | 1651123645 | 408 | 12065 |
| madisonrecord.com | 757 | Madison - St. Clair Record | https://www.facebook.com/pages/MadisonSt-Clair-Record/164779816968453 | 52.7.148.177 | 43.0730517 | -89.4012302 | madisonrecord | 2009-11-19T11:34:47.000Z | 91086406 | 583 | 13633 |
| lakecountygazette.com | 533 | Lake County Gazette | https://www.facebook.com/Lake-County-Gazette-854479238006224 | 35.170.88.147 | 39.0839644 | -122.8084496 | lakecntygazette | 2015-11-17T00:59:16.000Z | 4206041674 | 249 | 4132 |
| kankakeetimes.com | 487 | Kankakee Times | https://www.facebook.com/kankakeetimes | 35.170.88.147 | 41.1200325 | -87.8611531 | Kankakee_Times | 2015-11-18T13:34:04.000Z | 4218254801 | 244 | 2257 |
| pennrecord.com | 485 | Pennsylvania Record | https://www.facebook.com/pages/Pennsylvania-Record/338776239487764 | 52.7.148.177 | 41.2033216 | -77.1945247 | pennrecord | 2011-05-16T13:28:41.000Z | 299652000 | 219 | 7867 |
| dupagepolicyjournal.com | 444 | Dupage Policy Journal | https://www.facebook.com/DuPage-Policy-Journal-440850842779072 | 35.170.88.147 | 41.8243831 | -88.0900762 | DupageJournal | 2015-01-29T14:45:45.000Z | 3001471430 | 260 | 5060 |

1000+ more in sites.csv

Anti-Virus

Twitter Bot

A Twitter bot to monitor and respond to tweets promoting state-backed information operations is at https://github.com/karan/TakeoverBot. It downloads the sites.csv file of fake local news sites, searches for mentions of each on Twitter, and replies to them with an informative message.

Reddit Bot

A Reddit bot to inform users when they post a link to one of the local journals: https://github.com/MassMove/AttackVectors/blob/master/LocalJournals/utils/CyberDome/tron.py.

user/cyber_dome_bot

Reddit Post Monitor

A script that lists when domains were last posted to reddit in the last month: https://github.com/MassMove/AttackVectors/tree/master/LocalJournals/utils/RedditPostMonitor.

uBlock Origin Filters

uBlock Origin can be configured to alert us when one of the local journals appears in the wild. Open the configuration dashboard and tab to "My filters" or enter this URL in Chrome: chrome-extension://cjpalhdlnbpafiamejdnhcphjbkeiagm/dashboard.html#1p-filters.html.

||kalamazootimes.com

Get the rest here: https://github.com/MassMove/AttackVectors/blob/master/LocalJournals/sites-ublock-origin-filter.md

Reddit Enhancement Suite

RES can also be configured to alert us... in Appearance, go to Stylesheet Loader and add a row like:

.title[href*="kalamazootimes.com"]:before { content: "PROPAGANDA"; color: white; background-color: red; border: 2px solid #000; }

Get the rest here: https://github.com/MassMove/AttackVectors/blob/master/LocalJournals/sites-reddit-enhancement-suite.md
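An added example, not code from this repository or from the bots linked above: one way to check links in a post against the domain list, and to generate the uBlock Origin and RES rows shown above from it. It compares whole hostname labels, whereas the RES `href*=` selector is a substring match. The inline CSV is a constructed sample in the shape of sites.csv, and all function names are hypothetical.

```python
import csv
import io
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of sites.csv (only the domain column is used).
SITES_CSV = """domain,siteName
kalamazootimes.com,Kalamazoo Times
kankakeetimes.com,Kankakee Times
dupagepolicyjournal.com,Dupage Policy Journal
"""
URL_RE = re.compile(r"https?://[^\s<>\"'\])]+", re.IGNORECASE)

def load_domains(csv_text):
    """Return the lower-cased entries of the 'domain' column as a set."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["domain"].strip().lower() for r in rows if r["domain"].strip()}

def listed_domain(url, domains):
    """Return the listed domain that the URL's host equals or is a subdomain of."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed authority, e.g. an unterminated IPv6 literal
        return None
    labels = host.split(".")
    # Compare whole DNS labels, so "notkalamazootimes.com" and
    # "kalamazootimes.com.example.net" are not matched.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def flag_links(text, domains):
    """Return sorted, de-duplicated (listed domain, url) pairs found in free text."""
    hits = set()
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?")  # drop sentence punctuation glued to the link
        domain = listed_domain(url, domains)
        if domain:
            hits.add((domain, url))
    return sorted(hits)

def filter_lines(domain):
    """Return the uBlock Origin filter and RES stylesheet row for one domain."""
    css = ('.title[href*="%s"]:before { content: "PROPAGANDA"; color: white; '
           'background-color: red; border: 2px solid #000; }' % domain)
    return "||" + domain, css
```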

Methods

The methods used to find more domains are detailed in the pull requests - some highlights:

https://www.fec.gov/files/legal/murs/7148/19044475209.pdf

Legal Findings

Facebook

Facebook is raking in tens of thousands of dollars from ad campaigns paid for by LGIS (Local Government Information Services) to promote the various local journals:

Twitter

Twitter has suspended most of their accounts: https://twitter.com/DupageJournal

The Election Night disinformation blitz had all the markings of a foreign influence operation. In 2016, [Russian operatives] had worked in similar ways to contaminate U.S. political discourse—posing as Black Lives Matter activists in an attempt to inflame racial divisions, and fanning pro-Trump conspiracy theories. (They even used Facebook to organize rallies, including one for Muslim supporters of Clinton in Washington, D.C., where they got someone to hold up a sign attributing a fictional quote to the candidate: “I think Sharia law will be a powerful new direction of freedom.”)

But when Twitter employees later reviewed the activity surrounding Kentucky’s election, they concluded that the bots were largely based in America—a sign that political operatives here were learning to mimic [foreign tactics].

Potentially state-backed information operations from the Twitter Transparency Report:

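| Date | Country | Msg Info | Media | Accounts | Tweets | Reports |
|---|---|---|---|---|---|---|
| 201906 | Catalonia | 1.5 MB | 2.74 GB | 130 | | |
| 201906 | Iran | 316 MB | 258 GB | 1,666 | | |
| 201906 | Iran | 318 MB | 183 GB | 248 | | |
| 201906 | Iran | 46 MB | 55 GB | 2,865 | | |
| 201906 | Russia | 260 KB | 72 MB | 4 | | |
| 201906 | Venezuela | 64 MB | 24 GB | 33 | | |
| 201906 | China | 158 MB | 85 GB | 744 | | |
| 201906 | China | 169 MB | 40 GB | 196 | | |
| 201906 | China | 913 MB | 604 GB | 4,301 | | |
| 201910 | Saudi Arabia | 4.3 GB | 1.3 TB | 5,929 | | |
| 202003 | Ghana / Nigeria | 27 MB | 17 GB | 71 | 42,475 | CNN |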

Ghana / Nigeria Palladio visualization with randomized coordinates:

Ghana / Nigeria visualization

Text Messages

In 2018, as early voting got under way in Tennessee’s Republican gubernatorial primary, voters began receiving text messages attacking two of the candidates’ conservative credentials. The texts—written in a conversational style, as if they’d been sent from a friend—were unsigned, and people who tried calling the numbers received a busy signal. The local press covered the smear campaign. Law enforcement was notified. But the source of the texts was never discovered.

17 text messages attacking Joe Biden

Expanded Rebrandly link: https://www.donaldjtrump.com/landing/sleepy-joe?utm_medium=sms&utm_source=opns_djt_audience11987_political&utm_campaign=20200512_na_sleepy-joe-china-nepotism-beijingbiden-az-2_djtfp_djt_na_na_audience11987_creative100112_na_na_na_na_political_na_na_na_opns_persuasion_na_na_na_na&utm_content=na&amount=na

Somebody recently shared an unsolicited text ad that they received (ostensibly) from the Trump campaign. Since they shared it, another friend shared a slightly different one with me.

We now have three data points for how their click tracking is set up. So I pulled it in for a few reasons:

1: If we see third parties using this same utm variable tracking system, it is likely they are either coordinating, sharing lists or even using the same systems. This is likely illegal and should be brought to the attention of media.

2: The campaign and other bodies may start sending people to fake news misinformation sites (the actual campaign site is full of misinformation). It may be useful to see how they are organizing their data to see if it aligns with any of the sites we are tracking.

I just imported and set _ as the delimiter. A lot of the fields are still being populated with "na" but will likely be used at some point. A bunch of fields were fairly easy to identify their purpose, so Row 1 is just a rough name and Row 2 is the intuited field name that they are likely using some variant of.
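An added example, not part of the original README or of the contributor's spreadsheet: splitting the utm_campaign value of the expanded link above on `_` and fingerprinting its layout, so links from other senders can be compared against it. The second link is constructed for illustration and the function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# The expanded link quoted above, split only for line length.
PAGE_LINK = (
    "https://www.donaldjtrump.com/landing/sleepy-joe?utm_medium=sms"
    "&utm_source=opns_djt_audience11987_political"
    "&utm_campaign=20200512_na_sleepy-joe-china-nepotism-beijingbiden-az-2"
    "_djtfp_djt_na_na_audience11987_creative100112_na_na_na_na_political"
    "_na_na_na_opns_persuasion_na_na_na_na&utm_content=na&amount=na"
)
# Constructed second sample (not a real message): same layout, other values.
SAMPLE_LINK = PAGE_LINK.replace("20200512", "20200519").replace(
    "creative100112", "creative100245")

def utm_fields(url, param="utm_campaign"):
    """Split one utm_* query parameter on '_' and return the list of fields."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    value = query.get(param, [""])[0]
    return value.split("_") if value else []

def layout(url):
    """Fingerprint of the scheme: field count and indices that are populated."""
    fields = utm_fields(url)
    return len(fields), tuple(i for i, f in enumerate(fields) if f != "na")

def varying_positions(urls):
    """Return the field indices whose values differ between the given links."""
    rows = [utm_fields(u) for u in urls]
    if len({len(r) for r in rows}) != 1:
        raise ValueError("links do not share one field layout")
    return [i for i, col in enumerate(zip(*rows)) if len(set(col)) > 1]
```

Two links with the same `layout()` result use the same number of fields and fill the same positions; `varying_positions()` then shows which fields carry per-message values.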

Websites resembling official campaigns

Last year, a website resembling an official Biden campaign page appeared on the internet. It emphasized elements of the candidate’s legislative record likely to hurt him in the Democratic primary—opposition to same-sex marriage, support for the Iraq War—and featured video clips of his awkward encounters with women. The site quickly became one of the most-visited Biden-related sites on the web. It was designed by a Trump consultant.

Not much to report on this front yet. Scouts?