On November 13th, the Israeli daily Haaretz published an article exposing a sophisticated operation to spread sensational, fictitious information among a group of prominent Israeli journalists. The aim of the operation was to lure Israeli journalists to reverberate fake information, posted on a clone of a Harvard University official website, providing a sensational quote by ex Mossad chief stating that recently resigned defense minister Lieberman is a Russian agent.
The author of the exposing article, Ran Bar-Zik (@barzik), a Software Engineer at the R&D center of Oath Israel (formerly AOL, a subsidiary of Verizon Communications), who is known for his pastime of tracking and unmasking sophisticated hacking operations, bots, sock-puppets and other internet-based malicious activity aimed at hijacking the natural organic flow of public opinion in Israeli social media.
The main culprit in Bar-Zik’s exposure of the sophisticated Fake News operation was a Twitter account by the name of Bina Melamed which engaged journalists in Israel, sending them a link to a Harvard website clone detailing the fictitious story, over a direct message or as replies to their tweets.
Bar-Zik’s article caught my attention. Being the Founder & CTO of an internet company with hundreds of thousands of users and a product which integrates intimately with Twitter’s services, out of curiosity, I decided to allocate our resources, our proficiency in the Twitter API and the necessary computational infrastructure to “listen” to the flow of metadata by and around the Twitter account of Bina Melamed.
The Bots Strike Again
We monitored the account without noticing anything unusual, for two weeks. Yesterday, around noon, a Jerusalem Post journalist by the name of Amy Spiro (@AmySpiro), tweeted about of a fake story that was sent to her by Bina Melamed, mentioning the account. Spiro’s tweet instantly blipped on my radar.
I immediately contacted Spiro and she was kind enough to send me screenshots of the DMs she received from Bina Melamed and also tipped me about another account, posing as an ex Knesset member Rabbi Haim Amsalem, who was strangely reverberating Bina Melamed’s fake story as well.
The first thing I did was to cross-reference between Bina Melamed’s followers network and that of the suspicious Rabbi / ex Knesset member account. To my surprise, the two seemingly unconnected accounts, one (Bina Melamed) a self-declared human rights activist from London, the second (Rabbi Haim Amsalem) an orthodox Rabbi and ex Knesset member, share 147 Twitter followers together.
To confirm the fake Twitter identity of the Rabbi beyond doubt, a representative of the Ministry of Foreign Affairs of Israel who took part in our investigation contacted Yair Rosenberg, a senior writer of Tablet Magazine, who verified the issue directly with the Rabbi. Our suspicion was validated: The @RabbiAmsalem account is fake. The Rabbi’s real account is @HaimAmsalem.
Attack of The Clones?
Stranger yet were the type of followers shared by the confirmed fake news spreader Bina Melamed and the confirmed fake Rabbi account. As it turns out, the 147 shared followers appear to be Twitter bots.
At first, glance, what caught our attention was the fact that they are all Arabic Twitter accounts. How likely is it that they all chose to follow two fake profiles, one of which of a rabbi, by pure chance? Moreover, many of them use the Twitter Lite client, notoriously known to be the preferred client for bot activity (as it’s easy to automate interactions on). To be clear, while Arab followers would not constitute an anomaly in and of themselves, the same 147 Arab accounts end up following a confirmed fake news spreader and an orthodox Jewish Rabbi, who just recently opened a twitter account … That certainly looks like an artificially constructed Twitter network — a botnet.
To validate our suspicions, further drilldown was required. We coded the necessary process to automatically fetch all of the tweets, retweets and likes made by all of these 147 individual accounts in the suspected botnet, and cross-reference the data to find interconnectedness between the network members.
This time I was less surprised to find out that the overwhelming majority of this artificial network is not really tweeting anything original but rather, these accounts stick to retweeting others. A cross-reference of the retweets revealed that the members of the network often retweet the same tweets. This is the easiest behavior to produce synthetically at scale, and as such is classic botnet behavior.
So, what do we have here? We have a confirmed Fake News spreader Bina Melamed, involved in two separate cases of sending fictitious information to Israeli journalists. We also have a recently opened fake Rabbi account who doesn’t only follow and is followed by the fake news spreader Bina Melamed, but also spreads the same Fake News story she did. Last but not least, both fake accounts boast 147 botnet-like followers who are all interconnected to each other. All of these accounts do not tweet, but only retweet the same tweets between themselves, reverberating at least some of the content generated by fake Bina Melamed and the fake Rabbi account.
While there are probably more bot Twitter accounts involved in this botnet, flushing them out would require more considerable resources. Nevertheless, the case at hand is a classic example of the mechanisms and operational methods used by most Fake News spreaders such as those we’ve witnessed in the American presidential elections, in the Brexit vote and in the French elections. A fictitious story, propagated to influencers by a fake account, backed by a botnet to increase the credibility of the propagator. All with an aim of luring the influencer to reverberate the fictitious story and give it credibility.
A recent study that was published in the prestigious Nature Communications journal explained that bots “target users with many followers through replies and mentions”. The authors of the study explain that “humans are vulnerable to this manipulation, resharing content posted by bots”. The research concludes with the determination that bots “play a critical role in driving the viral spread of content from low-credibility sources” while the “strategy often used by bots is to mention influential users in tweets that link to low-credibility content. Bots seem to employ this targeting strategy repetitively”.
Truth be told, the methods described above are rather simple — but as we’ve seen they can be immensely effective. There is no doubt that as social networks and researchers increase their awareness and the methods at their disposal, we will see much more sophisticated patterns of bot and Fake News activity emerge. On this note, we have no doubt that there is more information that can uncovered even on this particular network. If you have any insights or feedback, or if you see suspicious activity you’d like us to take a look at, please contact me by email (ran [at] commun.it) or Telegram.
Thank you for reading, and stay safe out there.