Wednesday, April 19, 2017

Malware, Mole, or Mercenary? Pt 1

     In earlier articles, we wrote about a massive hacking campaign by pro-Trump trolls against anti-Trump, liberal, and progressive groups on Facebook, and then about how one person, Melissa, grew her group exponentially from several dozen to over 33,000 before her personal Facebook account got hacked and had her group hijacked.  In the first article, we touched upon the possible methods that were used to actually take the groups over. In the second one, we mentioned that it was one of 3 methods: malicious code, a mole, or a mercenary. Here, we will begin to take a look at those 3 possibilities.

     The first scenario, and as far as we can tell the most likely, was a hack through malicious code.  As Melissa recounts, a person named Tina Larson, who was not part of the group, “sent me a private message a while back saying...he's our president now get used to it etc, etc, etc.  It sat in my message list for months.  Last week I decided to respond to it.  I sent a total of 3 or 4 responses back to her within seconds of each other.  As I was sending the 4th response the words ‘session expired’ popped up on my screen and logged me out of Facebook.  I never was able to recover my personal page.  My personal Facebook page was completely shut down.  I could not access it.  No passwords would work.  It basically did not exist anymore.  I had been hacked.”

     Danny Lewis, an IT expert we consulted for this story, says that it was most likely some sort of phishing attack.  The term “phishing” originated with email-based attacks, where a hacker would send an email that appeared to be from a legitimate source as bait, in order to lure the victim into giving the hacker sensitive personal information like social security or credit card numbers.  The practice has since evolved.  Now the bait is often a link or attachment carried by the message rather than the text of the message itself.  Clicking on the link brings up a fraudulent web page designed to look authentic.

     In Melissa’s case, she was targeted by a much more highly skilled hacker.  Melissa saw no link in the message sent to her.  Instead, the message had malicious code embedded in it that opened a pop-up saying her Facebook session had expired.  In reality, she was still logged into her Facebook account but didn’t realize it, because the pop-up was designed to look exactly like Facebook.  When she tried to log back into her account, she was unknowingly giving the hackers her login information.  Once they had that, they logged into her Facebook account and changed her password, which kicked her out of her own account.

     Phishing attacks can be very sophisticated. “The hackers will create an exact fake copy of the site they are trying to trick you into using,” says Danny Lewis. “Everything about the fake site will be identical except for the address, which people often don’t look at.  They can’t use ‘’ for example, but they might make the address say ‘’ or some other minor change that will be missed if you don’t look carefully.  One very important thing to look at is the very front part of the address.  Facebook is a certified secure site, and that is shown by the ‘https’ at the very beginning of the web address.  Fraudulent phishing sites use ‘http’ instead.  The ‘s’ indicates a secure site,” Lewis explained.
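As an added illustration of the address check Lewis describes, here is a small Python function that inspects the address of a page asking for a password before any credentials are typed into it. This is example code written for this page, not something the article, Lewis, or Facebook provides. It treats the scheme and the host as separate checks: “https” only tells you the connection is encrypted, while the host tells you who is actually on the other end, so a fake site that is not the expected domain is flagged even when it uses https. The expected domain and all sample addresses below are constructed for the example.

```python
from difflib import SequenceMatcher
from typing import List
from urllib.parse import urlsplit

# The site the user believes they are logging into (constructed assumption for this example).
LEGIT_HOST = "facebook.com"


def inspect_login_url(url: str, legit_host: str = LEGIT_HOST) -> List[str]:
    """Return a list of warnings about a URL that is asking for a password.

    An empty list means the scheme is https AND the host is the expected
    domain or one of its subdomains.  Anything else gets a human-readable
    warning so the user can compare what they see with what they expected.
    """
    parts = urlsplit(url.strip())
    warnings: List[str] = []

    # Check 1: transport.  A missing or non-https scheme means the page is
    # not served over an encrypted connection.
    if parts.scheme.lower() != "https":
        warnings.append(f"scheme is '{parts.scheme}', not https")

    # urlsplit() already lowercases hostname and strips any user@ prefix.
    host = (parts.hostname or "").rstrip(".")

    # Check 2: a user@ part in front of the real host is a classic way to
    # make the expected name appear at the start of a long address.
    if parts.username is not None:
        warnings.append(
            f"address has '{parts.username}@' in front of the real host '{host}'"
        )

    if not host:
        warnings.append("no host found in address")
        return warnings

    # Check 3: internationalized (punycode) labels can render as letters
    # that look like the expected name but are different characters.
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append(f"host '{host}' contains a punycode (xn--) label")

    # Check 4: identity.  Exact domain or a real subdomain of it is fine.
    if host == legit_host or host.endswith("." + legit_host):
        return warnings

    # Otherwise decide whether the host merely *resembles* the expected one
    # (brand name embedded, or a near-miss spelling such as 0 for o).
    brand = legit_host.split(".")[0]
    near_miss = SequenceMatcher(None, host, legit_host).ratio() >= 0.8
    if brand in host or near_miss:
        warnings.append(f"host '{host}' looks like {legit_host} but is not it")
    else:
        warnings.append(f"host '{host}' is not {legit_host}")
    return warnings


if __name__ == "__main__":
    # Constructed sample addresses; none of these are from the article.
    for sample in [
        "https://www.facebook.com/login",
        "http://facebook.com/",
        "https://faceb00k.com/login",
        "https://facebook.com@evil.example/",
        "facebook.com/login",
    ]:
        print(sample, "->", inspect_login_url(sample) or "OK")
```

The function returns a list rather than a yes/no so that a caller can show the user every reason an address is suspicious; an address that fails only the scheme check is a different situation from one that points at a different domain entirely.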

If you want to know why people are so disgusted with these trolls, here's an example.
One of the members of a hijacked group stood up to the trolls.  So they went to her profile, copied several pictures of her daughters, and made memes like this.
The Diogenetic Light blurred faces and redacted names of the innocent.

Related: for more information on secure websites, you can check the links below.
Danny Lewis recommends this page to learn more.

Snopes has a nice, quick intro to HTTPS here:

Wisegeek has a more in-depth intro.

How to tell if you've been hacked, and some security tips from Cnet:

     Once the hackers had her personal account, they also had access to her group.  They waited for a week and removed her and all other admin from the group, brought in others from the Catena Mafia, and then began trolling it.

They also post memes like this.
Disgusted yet?

     The main problem with the malicious code theory is the one-week gap between hacking Melissa’s page and hijacking the group.  The likely reason is that the trolls wanted to coordinate the hijacking of the Road to Hell with that of at least two other groups, all of which took place on April 1st.  It seems that the trolls wanted to use April Fool’s Day to sow confusion around their operation.

This is the kind of behavior that Facebook apparently feels is acceptable.
The members of the Catena Mafia have been reported hundreds of times, and yet they continue with things like this.

     The second possible way the group was hijacked could have been through a mole. The internet allows us to make friends that we never would have met in real life. It is, however, more difficult to get to know virtual friends than friends in the real world. This typically isn’t an issue as most people are generally honest. Indeed, one criticism of the internet is that it allows people to be “too honest,” such as flamers who become extreme partisans online. But, since most people operate on the default honesty setting, you can get to know most people as they really are. That’s how most of us meet and make friends in this environment, and that’s how Melissa met the people who helped to administer the Road.

Notice that the group member here stands up to these trolls.
So much for liberal snowflakes!

     Melissa had 7 people helping her to moderate the group when it got hijacked.  Of those people, she has been able to reconnect with 6.  The one that she hasn’t been able to reconnect with, Jane1, was also the last admin that she added to her group.  Their friendship began with Jane talking to her through messenger.  They had very similar views and created a fast friendship.  Because Melissa required that every profile be vetted before coming into the group, she asked Jane to become an admin to help with the 700-plus new member requests they were getting every day.

Readers may recall this picture from our first article in this series.
The hijacking trolls claimed this man was a mole.
We investigated and determined that was just a lie they made up to confuse people.

     When Melissa’s personal Facebook account got hacked, she made a new account, found Jane, and explained what happened.  Melissa says that Jane was “nice and supportive.”  Melissa began to put her digital life back together.  Then the Road to Hell was hijacked, and nobody from the group has seen Jane since.  Melissa adds that "she's the only admin I haven't been able to find through all of this."
This is why Mr. Davenport grows out his beard.
What is the point of smearing the name of a person like him?

     At the time she was hacked, Melissa had no idea what had even happened to her account.  As she recalls, during the week between getting hacked and the group being hijacked, “nothing unusual was happening.  That week I was trying to figure out why my account was suddenly shut down.  I didn't know during that week I was hacked.  I couldn't figure out why I couldn't recover my original account.  I had that same account for, like, 8 years.  It was mind boggling.  When they hacked my group, I started to connect the dots.  It all started to make sense why my account was shut down, that in fact it wasn't shut down.  It was hacked.  It took my group getting stolen for me to understand why I was hacked a week prior – they were after my group.”  Melissa went to her original page and saw that “It’s up but it's completely wiped out.  People sent me screen shots of it and it was blank.  Like they erased everything.”  This brings us to a critique of the mole theory.

     It doesn’t make sense for Jane to be a mole in the group and then wait a week between Melissa’s page being hacked and the group being hijacked.  She spoke with Melissa on a daily basis, and she could have sent a malware message at any time to hack Melissa and take over her group.  A premature hack only adds to the risk of the plan being discovered and thwarted.

     Also, a page administrator cannot remove a page creator.  We tested this on two other groups, and Facebook’s programming will not allow it.2  So, if the plan was for a mole to infiltrate the group and take over, then anyone that Jane might have added would show that she added the person.  The most that a mole could do is cause a temporary problem until the page creator came back, blocked and booted the mole, and then booted each troll added by the troll admin.

     This leaves two possible ways to actually hijack a group.  The first is to hack the group creator’s personal page as must have happened with Melissa.  The second is to get the group creator’s personal page shut down while you already have a mole in place as a group admin.  Once the creator is unable to access the group, the mole can boot other administrators and take over the page. (We are currently trying to contact another group creator whose group was hijacked. This may have happened to this other person and his group.)  However, it fails the test of probability.

     The mole theory smacks of improbability.  Why would a person want to infiltrate a partisan group for months, engaging in bashing the party that they actually agree with, just to cause some temporary chaos and headache to a political opponent’s supporter?  The person would also have to become an administrator for the group and then spend significant time weeding out moles and condemning partisan trolls that they secretly agree with in order to accomplish this.  Each idea is improbable, and the combined improbability, especially when combined with the limited payoff of trashing a group on Facebook, is very near laughable.
     Since we can be quite sure that Jane wasn’t a mole, there seem to be two options as to why she cannot be found.  Either she was disgusted by Facebook after the hijack and left, or her page was also hacked.  The latter seems far more likely.  Either way, Melissa thinks that “She was a casualty of war . . . lost in the rubble.”  We all hope that she reconnects with the new Road to Hell group.

A few things to note here:
(1) Despite multiple complaints, these trolls are still at it.
(2) The liberals fight back and won't take this.
(3) Even though they fight back, it's a waste of time, and Facebook continues to allow this.

     The last possibility for the hijacking method is a foreign expert hacker, whom we call a mercenary here.  This would have occurred in conjunction with the malware-phishing attack that we believe took over Melissa’s personal page and allowed them to hijack her group.  We will cover that possibility in depth in the next installment.

Thank you for reading.  Please feel free to leave comments below.  You can also share with the buttons below, or, if you want to get the latest posts right away, you can click on the "Follow" button at the top right of this page.

If you need a break from all the nastiness and chaos, and you need a laugh, you can check out this piece here:
North Carolina Bans Bigfoot from Public Restrooms

If you're interested in learning how liberals can get better at messaging to win the war of ideas, check out the 4 part series starting with:
Don't Call It TrumpCare

1Jane isn’t her real name. There is no good evidence that she was responsible for the hijacking, so we refuse to smear her name.
2Update: while preparing to publish this, we tested the theory and can now say definitively that Jane was not a mole. We hope that she will make contact with us again. We chose to keep this in the article because there are rumors of moles having helped with the hijackings in all the hijacked groups.
