
Online Scam Artists Are Using Hoaxes About Terrorist Attacks To Make Money

An investigation reveals that the websites and accounts helping spread these hoaxes in the US, the UK, and Canada appear to be linked to the country of Georgia.


This week police in Ottawa issued a warning to the public about hoax news articles that claimed there was a terrorist attack in the region. Police shared two images of fake news stories posted on Facebook:

One hoax claimed three officers and eight citizens had been killed in a suicide bombing in Ottawa. The other, from a different website, claimed an attack by ISIS in the suburb of Kanata had killed 92 people and wounded almost 200 others.

Both hoaxes were posted in private Facebook groups for people in the local area.

The last few weeks have in fact seen a rash of these fake local ISIS attack stories. The articles come from websites with domains that are similar to legitimate news organizations: CNNInternationalNews.com, CNNInternational.tk, HeraldNews.tk, and CBCNews.gq.


The stories all contain the same headline and body text, but have the location of the attack changed in order to target people in different areas.
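The reuse described above (identical headline and body text with only the place name swapped) can be detected mechanically by comparing pages word by word. The following is an added example, not part of the original investigation: the article texts and `.example` URLs are constructed, and the similarity threshold and slot length are assumptions.

```python
import difflib
import re

def tokens(text):
    """Split text into word tokens, dropping punctuation."""
    return re.findall(r"[A-Za-z0-9']+", text)

def template_diff(a, b):
    """Compare two articles word by word; return (similarity, substituted spans)."""
    ta, tb = tokens(a), tokens(b)
    sm = difflib.SequenceMatcher(None, [t.lower() for t in ta],
                                 [t.lower() for t in tb], autojunk=False)
    subs = [(" ".join(ta[i1:i2]), " ".join(tb[j1:j2]))
            for op, i1, i2, j1, j2 in sm.get_opcodes() if op != "equal"]
    return sm.ratio(), subs

def is_template_clone(a, b, min_ratio=0.8, max_slot_words=3):
    """True when b is a with only short spans (e.g. a place name) swapped."""
    ratio, subs = template_diff(a, b)
    if ratio < min_ratio:
        return False
    # Every difference must be a short replacement, not inserted or deleted text.
    return all(x and y and len(x.split()) <= max_slot_words
               and len(y.split()) <= max_slot_words for x, y in subs)

def cluster_clones(articles):
    """Group URLs whose text shares one template; articles maps URL -> text."""
    clusters = []
    for url, text in articles.items():
        for cluster in clusters:
            if is_template_clone(articles[cluster[0]], text):
                cluster.append(url)
                break
        else:
            clusters.append([url])
    return [c for c in clusters if len(c) > 1]

# Constructed sample articles (not text from the real hoax sites).
TEMPLATE = ("Breaking: explosion reported in downtown {0}. Police in {0} urge "
            "residents to stay indoors while emergency crews respond to the scene.")
SAMPLES = {
    "https://site-a.example/1": TEMPLATE.format("Ottawa"),
    "https://site-b.example/7": TEMPLATE.format("Wellington"),
    "https://site-c.example/3": TEMPLATE.format("New York"),
    "https://news.example/budget": "City council in Ottawa approved the new "
                                   "transit budget on Tuesday after a lengthy debate.",
}

if __name__ == "__main__":
    for cluster in cluster_clones(SAMPLES):
        print("shared template:", cluster)
```

The substituted spans returned by `template_diff` are the targeted locations, so a cluster also shows which communities a given template has been aimed at.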

So, who's behind this coordinated effort to drive traffic to dubious websites using hoaxes about terrorist attacks? And why are they doing it?

An investigation of domain ownership records, of website source code, and of the people who have played a key role in spreading these hoaxes reveals a strong link to people in the country of Georgia.

Their goal is to use the hoaxes to get people to go to websites where they do one of three things: infect the user's computer with malware, trick people into handing over personal information, or redirect the traffic to online gaming sites in order to earn a commission. (It's important to note that while people in Georgia are playing a role in this scam, the ringleader(s) may be located elsewhere.)

This is the strange story of how two seemingly random recent hoaxes about communities in Canada can be traced back to the former Soviet republic of Georgia, and to a business that uses frightening hoaxes about ISIS to make money.

The website that hosted the Ottawa attack hoax is still online at TheLocal.ga. Its homepage is filled with copies of the same hoax bombing story, each with different city names.


Warning: The site contains a pop-up on every page that will attempt to infect your computer with malware after you click on it.

The other hoax article, about an Ottawa suburb, pointed people to a site, BBC-Last-News.cf, that is no longer online.

Both sites have kept their domain ownership records private. However, a Google search found that a website, CNNInternationalnews.com, used the exact same headline and body text as TheLocal.ga in hoax stories about places in New Zealand.


This site also has a malicious pop-up when you arrive on any page. Rather than asking you to download software, it requests visitors fill out a bogus survey and then hand over personal information to receive a free gift that never arrives.

Unlike the other two sites, its domain owner records are public, and they list an address in Tbilisi, Georgia.

The headline text of the other fake Canada attack story has also been used by other websites. A search of "brutal terrorist attack by ISIS" on Facebook brought up the UK police warnings about the hoaxes from back in November and December 2015.

Hoax articles circulating social media reporting 'terrorist attacks' in parts of Cheshire. This is NOT true..(1/2)

Some of the domains running that hoax included ReportForLife.com, BrutalEng.com, NewTabi.com, World-BBC-News.com, BBC-Breaking-News.gq, AllCrashNews.com, FacebookNeww.info, DailyMirror.cf, and UnblockedGames.eu.

As with the fake BBC website, seven of those domains listed owners in Georgia. BuzzFeed News emailed all of the publicly listed owners seeking comment, but none have responded.

One site, BBC-Breaking-News.gq, hid its domain ownership record but had source code that included comments in Georgian. This suggests the programmer or designer who helped customize the site is Georgian.

Along with being listed as the owners of the hoax sites, Georgians have played a key role in spreading the hoaxes. One of the screenshots shared by Ottawa Police showed someone named Sopo Khotivrishvili sharing a hoax in an Ottawa Facebook group.


That Facebook profile was created by a woman in Georgia, but the user profile now says she lives in Ottawa. (Changing the location helps the account get approved for membership in Ottawa Facebook groups.)

The account's current profile and cover photos show members of the band Twenty One Pilots. Those pictures were changed in late July, right around the time this latest burst of hoax attack stories started spreading again.

Prior to that change, the account mostly posted photos of a family in Georgia, and of a young girl in particular.


The recent photo changes and their timing suggest the account may have been hacked. BuzzFeed News sent messages to the account but did not receive a reply.

Khotivrishvili's is just one of many Georgian Facebook accounts that have posted the hoaxes in Facebook groups to help them spread.

Though just about everything this person posts on his profile is in the Georgian language, and all of his friends are in Georgia, his profile says he lives in Philadelphia and that he was born there, too.


Yet this Philly native seemed to not know that the It's Always Sunny in Philadelphia Facebook group is about a TV show rather than the city. Based on the birthday listed on the profile, the account apparently belongs to a 13-year-old boy.

I sent a friend request, which the account accepted. I then messaged to ask to speak about the hoax article the account had shared, but never received a reply. The account later blocked me from sending more messages.

(It's unclear if this account has been hacked, if he shared the hoax because he is part of the scam, or if he was paid by scammers to share the link.)

It's a pattern. Here are six other examples of Georgian accounts posting hoax terrorist attack articles in Facebook groups to help them spread (click on the city names to see each example):

Toronto
London
Auvergne
New York
Wellington
Los Angeles

Some of these accounts belong to real Georgians, while others, such as this and this, appear fake. They have few or no friends and were recently created.

That's how the hoaxes spread and drive traffic to the websites. But how do the people running these websites make money?

As noted earlier, some sites trick visitors into downloading malicious software, or they do their best to get readers to hand over personal information.


Adam Shostack, a network security expert and the author of Threat Modeling: Designing for Security, said there are likely several people involved in making this scam work.

"It seems reasonable to think that the people spamming [the hoax links in Facebook groups] are paid by the people who set up the website, who are paid by the people who infect the machines, who pay people to write the malware to do things like send spam or pretend to be you to your bank," he said.

The other way at least one of these sites made money was by sending its traffic to online gaming sites. BBC-Breaking-News.gq had a pop-up ad that sent the user to one of several gaming websites, such as this one.

These strategies are apparently profitable enough to motivate the Georgians — or whoever is employing and/or hacking them — to run the hoax ISIS attack scam again and again. Even when local police catch on, they tend to just warn the public and not investigate.

A spokesman for Ottawa police told BuzzFeed News that they are not pursuing the hoaxers.

"It's happened before over the years and it's nothing we haven't seen before," he said.

The international nature of the operation also makes it tough for local police to stop this, even if they were inclined to investigate.

And that means this scam will keep running.

To review, here's how the hoax/scam works:

* Someone or several people create websites filled with copycat articles about terrorist attacks in different cities and towns.

* They hack existing Facebook accounts, create fake ones, or enlist real people to help them spread the articles.

* These Facebook accounts change the location listed in their profile to align with the location of the hoax they plan to spread.

* They find Facebook groups centered around the location and request to join.

* Once approved, they share the hoax article in the group, hoping that this will cause the hoax to spread among people in the community.

* People click on the link and visit the website, where they are shown a pop-up ad that pushes them to download malware, to share their personal information, or that will send them to a website that pays a commission back to the scammer for the traffic.

* When the websites running the hoaxes get shut down due to copyright infringement claims from media companies or as a result of law enforcement action, the scammers register new domains.

* Repeat.

Craig Silverman is Media Editor for BuzzFeed News and is based in Toronto.

Contact Craig Silverman at craig.silverman@buzzfeed.com.
