Twitter accounts linked to a Russian troll farm charged by Special Counsel Robert Mueller III did more than pump out pro-Trump messages during the 2016 presidential election. In a previously undisclosed wrinkle, some also preyed on unsuspecting Trump supporters by targeting them with malware, a McClatchy investigation has found.
These Twitter accounts tweeted content that carried revenue-generating link shorteners, to either periodically spread malware or redirect to unrelated topics. Some were launched from websites registered to young people scattered across far-flung corners of Venezuela.
“How much do you get paid to spread MALWARE ... by taking advantage of Trump supporters???” a Trump supporter in Florida who goes by the handle @misstozak asked in a tweet on Oct. 27, 2016, shortly before the election, in which she complained about the URL-shortened links later found by McClatchy to have been retweeted by Russian accounts.
Shortened links are commonly used to avoid having to copy a large string of information into an email, text or tweet. In an interview, the woman behind the handle @misstozak expressed frustration that political activists like herself were toyed with by unknown actors using shortened URLs — the addresses of given websites.
“It made me feel really taken advantage of,” said Janet Cucharo, an avowed Tea Party supporter and owner of The Book Store, which operates out of the Market of Marion, a large flea market near Ocala.
In August 2016 and well into the following year, Cucharo, who calls herself The Book Goddess, took to calling out the Trump-themed Twitter accounts that were spreading the malware to unsuspecting Trump followers.
Malware is designed to compromise the functions of a computer. Some types are relatively benign, such as annoying pop-up ads, while other types steal data, spread viruses and even spy on a user or give a faraway hacker control of the computer.
An ongoing investigation by McClatchy shows that at least 163 Twitter accounts that appear related to each other were involved in pushing out pro-Trump tweets during the 2016 elections that contained specially crafted link-shortened web addresses, also known as shortened URLs.
The investigation found a number of these Twitter accounts were tweeting out links that were hosted on servers operated by clients of Webzilla, a Cyprus-based provider of IT infrastructure with a presence in South Florida. Webzilla’s parent, XBT Holding, was named in the controversial dossier that helped trigger Mueller’s two-year probe.
McClatchy searched links embedded in tweets from Russian Twitter accounts and cross-checked them against a public-use database created by NBC News. This database includes more than 200,000 tweets that Twitter itself has connected to “malicious activity” from Russian-tied accounts during the 2016 U.S. elections.
Among the ones found to be tied in 2016 and early 2017 to a managed data center operated in Amsterdam by Webzilla are domains and related subdomains such as dnoticie.es.kabch.xyz, viid.me, donaldtrumpnews.co.vu and USA.Trumpnewss.com. (Domains are the formal name of a website’s registered Internet address.)
At least 108 of these Twitter accounts that had been using links hosted by a Webzilla client called Red Sky have already been suspended by Twitter, according to McClatchy’s analysis and responses from Twitter searches, some of which said the account had been suspended. Another 55 of them were still live as of March 12 — some active and others inactive. There’s no evidence that Webzilla knew of malware-infested links and the company has said it can no more be cited for misuse of its servers than the phone company can be blamed for someone making crank calls.
This data, independently reviewed by multiple experts who said it appears accurate, came originally as a tip from a security researcher, who shared the information after reading earlier McClatchy reports about Webzilla and its parent company, XBT.
The dossier was compiled by former British spy Christopher Steele, and it contained the unverified assertion that XBT and its affiliates were “using botnets and porn traffic to transmit viruses, plant bugs, steal data and conduct ‘altering operations’ against Democratic Party leadership” in the 2016 election. XBT brought a defamation suit against BuzzFeed in Miami, tossed out last December. Documents associated with the case are in the process of being released.
Special Counsel Mueller’s two-year investigation led to charges brought in the United States against the Russia-based Internet Research Agency (IRA), identified by U.S. intelligence and national security officials as a Russian state company designed to meddle in foreign countries to advance Russian foreign policy objectives.
Of the Twitter accounts identified by McClatchy’s investigation, 24 suspended accounts were directly tied by Twitter to the IRA’s meddling efforts. These accounts were identified in a data dump by Twitter amid post-election probes of Russian election meddling. Ten additional suspended Russian-linked accounts were potentially tied to the IRA meddling operations. These appear in a second data release by Twitter that refers to them only as Russian propaganda accounts.
These combined 34 Russia-linked accounts either tweeted or retweeted one of the URL shorteners offered by the Webzilla client. Another 103 accounts appear in at least one of the two Twitter data dumps and are the originators of the tweets that were in turn retweeted by a known IRA account.
XBT said in a statement to McClatchy that it was unaware that any of the IRA-linked Twitter traffic moved across its platform via a client.
Unlike China and Russia, the United States opts for an open internet, and this has been exploited by U.S. adversaries and cybercriminals alike. The lines between state actors and cybercriminals is blurry.
“I spend a lot of time looking at bad actors on the internet, and unfortunately it isn’t all that hard to find them, because there are a lot more of these than most people realize,” said Ron F. Guilmette, a veteran security researcher. “But the vast majority of these are perfectly ordinary crooks with perfectly ordinary motives — money.”
The following chart shows the Twitter handles that moved via Webzilla client, either with a direct link or a retweet. It shows the accounts suspended by Twitter and whether they are in accounts identified by Twitter as suspected malicious activity from Russians.
What did Mueller know?
Absent a release of Mueller’s full report, it’s hard to know how deeply his office probed the IRA’s web activities. He brought charges in February 2018 against three Russian companies and 13 Russians, alleging that the IRA hired hundreds of people for online disinformation campaigns in the United States and elsewhere. A new report by Business Insider shed additional light on the IRA’s massive operation.
Mueller’s charging documents provided few details about where these people were hired or how and from where these computer-command-driven programs called bots were launched. Peter Carr, a spokesman for the Office of Special Counsel, declined to comment.
On Jan. 31, 2018, Twitter said it had notified 1.4 million people who had actively followed an IRA-linked account or engaged with the 3,814 IRA-linked accounts identified by the social-media giant. For this story, Twitter said of its new protections, “We have automated systems and partner with a range of companies to determine potential security risks.”
The divisive pro-Trump, anti-Democratic Party automated tweets during the 2016 presidential campaign are well documented. But malware spread by link-shortening sites is less known. One company accused by Trump supporters of targeting with malware is called Shorte.st.
“WARNING: DON’T click on user’s “Shorte.st” link bc it’s INFECTED CLICK BAIT” a Trump supporter who goes by the handle @SnafuWorld commented on Sept. 2, 2016. That @TheTrumpNews account that allegedly spread the shortened malware links is now suspended and was retweeted by what Twitter called Russian IRA accounts.
McClatchy also identified numerous accounts, some still active, that from the same Twitter handle tweeted divisive content and contained sh.st links and sought to divide citizens of the United States, Great Britain and Spain. There’s no evidence Shorte.st knew it was helping spread such content.
Large web hosts such as GoDaddy and popular New York-based firm Bitly offer their own link shorteners, but these do a passive redirect and someone looking to spread malware would quickly run afoul of the company’s terms of service and would be easy to detect.
The Shorte.st business model is driven by revenue.
“We will turn your links into earning ones by adding an ad layer. Your visitors will see an ad before reaching a destination page and you will make money,” Shorte.st says on its home page, boasting “over 300,000 earning users.”
Code hidden from users on most shorteners actively processes many user variables such as location and whether a browser is outdated. That can determine what ad content to show and to redirect to a given destination website. In addition to its legitimate commercial operation, this type of system could allow for targeted delivery of malware.
McClatchy contacted the chief technology officer of Shorte.st, Dawid Chomicz, to ask about malware and 2016 election interference.
Shorte.st is based in western Poland, in the city of Szczecin. Chomicz said over LinkedIn messages that he was unsure if a URL shortener could be used to spread malware. Advertisers are responsible for content, he said, adding that he found “nothing special” when reviewing 2016 and 2017 traffic. His support team “blocks all the links which are reported by various parties that are against any law only as it is received by them,” he said.
Shorte.st is a subsidiary of Polish parent Red Sky, which builds and maintains websites for global Internet users. Red Sky operates shorte.st link shorteners, which are connected to Webzilla.
Chomicz did not answer when asked if he had a business relationship with Webzilla. XBT, Webzilla’s parent, described Red Sky and Shorte.st as a very small part of its business and said that there is no investment in either.
“They do not have access to customer servers and ... software. Servers do not belong to XBT,” said the response from XBT, noting it provides only power and Internet connectivity to Red Sky through an Amsterdam data center.
Venezuela muddies the water
McClatchy’s probe also found that some of the link-shortening ads attached to the pro-Trump tweets actually trace back to domains registered from across Venezuela. with names like www.TrumpNewss.com and www.trumppresident45.info. That country’s socialist government is teetering on the brink of collapse, condemned by much of the world yet propped up in part by support from Russia.
McClatchy engaged one of the domain owners, Katiuska Borges, by email and later by phone.
“My colleagues, like me, have nothing, we are broke. This helped to purchase [necessities] but now everything has gone down,” said Borges. She is the registrant of the now-expired domain www.kabchnews.com, registered from remote Tia Juana via the U.S. company GoDaddy on July 22, 2016.
Borges said she and others made $5 for every 1,000 visitors to an advertiser from outside Venezuela. The entire business model, she said, relied on posts on Facebook and Twitter, using a program “that did tweets every set hour.”
She said Shorte.st and others paid her via PayPal for spreading links, adding, “If there really was something wrong with those links, truthfully, I had no idea.”
Another faux news site found in McClatchy’s investigation was trumpservativenews.club. McClatchy traced its registration back to Jose Alvarez in Houston. The address matched his former home there, but McClatchy traced him back to his native Spain, from where he claimed no knowledge.
“I have no idea what [the website] is. ... I have no involvement or interest in politics. I did not register it or have any knowledge of its registration,” the software specialist said in an interview, denying that the email firstname.lastname@example.org used to register the site in Germany was his.
The precursor domain to this website was trumpservativenews.info, registered by another Venezuelan, Rodolfo Hernandez, who didn’t respond to emails seeking comment.