A suspicious site that was attempting to mimic the official BBC News website while serving up false information about the Charlie Hebdo tragedy managed to garner an immense amount of traffic earlier this week—with the likely intent to deceive and perhaps harm visitors via malicious file downloads or through click-fraud.
According to OpenDNS, the site looked identical to the main BBC news site and ran a fake story claiming that the Charlie Hebdo attack was staged. It was also being promoted across social media and gained a large surge in traffic as a result, mostly from Reddit and Facebook. In fact, it went from almost no traffic to several thousand hits in less than an hour: a 16.5-fold spike over the normal volume of DNS queries to the website.
While the site has since been taken down, OpenDNS noted in a forensic analysis that the attack is illustrative of a growing trend. The tactic is very similar to that used by malicious actors following the Boston Marathon bombings.
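The "almost no traffic to several thousand hits in under an hour" pattern OpenDNS describes is the kind of signal a resolver operator can flag from hourly query counts. The following is an added illustration, not OpenDNS's own code or analysis; the log entries are constructed, the look-alike domain name is a placeholder rather than the campaign's real domain, and the function names and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample of hourly resolver summaries as (hour, domain, query_count).
# The look-alike domain is a placeholder, not the domain used in the campaign.
SAMPLE_HOURLY_COUNTS = [
    ("2015-01-09T10", "bbc.co.uk", 12000),
    ("2015-01-09T11", "bbc.co.uk", 12400),
    ("2015-01-09T12", "bbc.co.uk", 11900),
    ("2015-01-09T13", "bbc.co.uk", 12200),
    ("2015-01-09T10", "lookalike-news-example.invalid", 3),
    ("2015-01-09T11", "lookalike-news-example.invalid", 2),
    ("2015-01-09T12", "lookalike-news-example.invalid", 4),
    ("2015-01-09T13", "lookalike-news-example.invalid", 4100),
]


def spike_ratio(history, current, floor=1.0):
    """Ratio of the current hour's count to the baseline of earlier hours.

    The floor keeps a near-zero baseline (a brand-new domain) from dividing by
    zero while still letting a 'from nothing to thousands' jump register.
    """
    baseline = max(mean(history), floor) if history else floor
    return current / baseline


def find_dns_spikes(records, ratio_threshold=10.0, min_queries=500):
    """Group hourly counts per domain, treat the latest hour as 'current' and the
    earlier hours as baseline, and return domains whose spike ratio and absolute
    volume both exceed the limits (the volume check suppresses tiny domains
    going from 1 query to 20)."""
    per_domain = defaultdict(list)
    for hour, domain, count in sorted(records):  # sort by hour so order is chronological
        per_domain[domain].append(count)
    flagged = {}
    for domain, counts in per_domain.items():
        history, current = counts[:-1], counts[-1]
        ratio = spike_ratio(history, current)
        if ratio >= ratio_threshold and current >= min_queries:
            flagged[domain] = round(ratio, 1)
    return flagged


if __name__ == "__main__":
    for domain, ratio in find_dns_spikes(SAMPLE_HOURLY_COUNTS).items():
        print(f"spike: {domain} at {ratio}x baseline")
```

A flagged domain is a lead, not a verdict: the next step is checking registration age and whether the name imitates a brand the resolver's users actually visit.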
“What can be discerned from this campaign is how staggeringly malicious it could have been,” OpenDNS said in its findings. “The campaign presented similar indicators as witnessed in spam email runs and rapidly constructed websites surrounding the Boston Marathon bombing. As the domain appeared (without deep investigation) to be associated with BBC and its brand, it is reasonable to assume that many more individuals could have been driven to the site. Once at the site, individuals could have been served malicious content, redirected to other more dangerous fraudulent sites, or unknowingly enlisted for click fraud purposes to name but a few.”
The item on the website read in part as follows: “According to analysts, it appears that the footage was recorded over two takes, evidenced by a placement marker that appears by the front left wheel of the vehicle as the gunmen return from apparently gunning down a wounded Gendarme. The killing of the French policeman is also being called into question, due to the ‘lack of blood spatter consistent with that of a close range shooting’. As shown in the freeze frame below [no longer available], smoke is shown to emit from the weapon, with no impact or trauma appearing to register on the body of the victim. The decision of many news outlets to blur out the victim is being debated as evidence of complicity in what many are now calling a hoax.”
The “article” went on to cite noted forensic and ballistics expert David Mayhew as saying, “If the video shows events as they actually occurred, then in my opinion it is most likely that the firearm shown is discharging blanks rather than conventional ammunition.”
OpenDNS suspects that despite the content and the fact that the “article” had external links to an Iranian state-sponsored media outlet, it’s probably just part of a malware-serving effort, and the Charlie Hebdo events in France likely represented the most successful way to bait information-seeking Internet users.
“One might conclude that, given the recent events surrounding Charlie Hebdo in Paris, the posting of disinformation on the...site, and links to an Iranian state-sponsored news agency corroborating the same disinformation, that this was a State-executed, State-ordered, State-integrated, or State-rogue-conducted activity backed by Iran,” OpenDNS said. “Given all available information, however, this conclusion might be as inflammatory and misinformed as the campaign itself.”
This is further borne out by the fact that the first mention of the domain was in relation to two tweets on December 31, 2014 claiming that a “UK YouTuber” was apprehended in the Middle East on terror charges.
“We were unable to corroborate this story and found no reference to the event in question,” OpenDNS said. “As there was no favoriting or retweeting of the stories, this might indicate a ‘trial run’ of the campaign.”
Then, tweets started going out in early January stating that a Cicada 3301 clue would be announced. Cicada is an elaborate and mysterious puzzle attributable to an enigmatic organization that on three occasions has posted a set of complex puzzles to recruit capable cryptanalysts from the public. The puzzles focused heavily on data security, cryptography and steganography, and overall the phenomenon has been listed as one of the "Top 5 eeriest, unsolved mysteries of the Internet" by The Washington Post, and much speculation exists as to its purpose.
“Given the date that these tweets began, the owner of the...site likely counted on a flood of puzzle-playing people just waiting for another clue,” OpenDNS said.
Taken together, the signs suggest that this may not be the end of the activities of the group behind the campaign.
“This very well could have been a campaign of test runs to see what type of SEO-like keywords, stories and links generated the most traffic to a seemingly reputable domain,” OpenDNS noted. “Based on the success or failure of the test runs, the attacker could re-factor or move forward, respectively, with a more malicious campaign.”