Part 1 of 7
In continuation of the last submission, regarding the list of 20+ connected domains that spread fake news, I looked further into the characteristics of those domains and those submitters on Voat. I am not sure what to expect with this submission, other than presenting my findings and voicing my opinions with the data I have collected at hand. You may notice that the archive dates are spread out across a whole week; that is because it was done in bits and pieces.
Notice that this data may be incomplete, as most of the 20+ domains were already offline or wiped, shortly after the last submission. Because of the number of domains involved, I made minimal effort to archive those sites. Lately, I had to resort to the timestamps from the search engine.
tl;dr: a collection of domains, controlled by a small group of users, could be used to spread fake news, bypass the spam rule, or track and dox other users. Use VPN, Tor, or anon proxies when possible, especially for high profile users.
Let's start by defining the metrics used to flag a domain, along with the submitters. A domain is flagged as suspicious, along with the users involved, if it exhibits one or a combination of the following characteristics:
- First submission to Voat being too close to domain's registration date: This strongly suggests that the submitter is directly or indirectly affiliated with the domain involved. This submitter either owns the domain or pushes the domain for its owner.
- Low traffic site recently updated, closely followed by a submission to Voat: This suggests a weak but similar condition as #1.
- Site's wayback activity sparsely archived, with submission too close to the archived date: It suggests that the site showed some recent activity.
- Site's traffic history, followed too closely to the submission date: When a low traffic or barely active site made a submission on Voat, its traffic increases, followed by its decline back to zero or low traffic steady state.
- Multiple domains sharing the same set of IPs: Sharing IPs is common in shared hosting, but having those domains coincidentally show up from a user or a small group of users is not so common. This technique was probably used to circumvent Voat's spam rule, or possibly to disguise something else, such as repackaging of MSM news behind no-name domains.
Status of domains being investigated:
- Domain1 akniinfo.com, taken offline, short-lived.
- Domain2 cbinfo24.com, taken offline, short-lived.
- Domain3 coolinfo24.com, taken offline, short-lived.
- Domain4 cukam.com, taken offline, short-lived.
- Domain5 cvikas.com, taken offline, short-lived.
- Domain6 cvikasdrv.com, taken offline, short-lived.
- Domain7 dailyinfo24.info, re-purposed, but traffic continued.
- Domain8 fergieinfo.com, taken offline, short-lived.
- Domain9 lifeinfo24.net, taken offline, short-lived.
- Domain10 ludinfo24.com, taken offline, short-lived. First submission made 3 days after domain registration.
- Domain11: mminfo24.com, taken offline, short-lived.
- Domain12: policeglobal.com, still online on 2019-01-19.
- Domain13: scandallinfo.com, online but data wiped, short-lived. First submission made only 12 hours after domain registration, very interesting!
- Domain14: tapainfo.com, taken offline, short-lived. First submission made 4 days after domain registration.
- Domain15: thenyherald.com, taken offline, short-lived. First submission made only 2.5 days after domain registration.
- Domain16: tvrtinfo.com, taken offline, short-lived.
- Domain17: usapatriotsvoice.com, taken offline on 2019-01-21.
- Domain18: vtamedia.com, taken offline on 2019-01-21.
- Domain19: classic2017.info, taken offline.
- Domain20: ilovemyamerica.net, suspended.
- Domain21 libertyinfonews.com, still online, but short-lived. First submission to Voat, 8 days dated from site's earliest article.
This list came from previous submission, where the domains were flagged for sharing a subset of identical articles that contained fake news. These domains also showed very short user engagement, suggesting clickbait nature.
Suspects found, evaluated by timestamps associated with domain registration, wayback archives, and site's traffic profile: Kilroy_1962, RussianIvantheCrazy, GizaDog, Dailytacs, yurisrevenge, nogarbagetrashonly, theoldones, Russianbots, Mogumbo, Sw0rdofDamocles, mattsixteen24, and Kippering. I tried to minimize the number of suspects and usually only flagged the first submitter to the domain.
Looking further into the suspects, I dumped all of the domains from their submission histories. There were 900+ domains, first sorted by domain names, then by IP addresses. As it was too much work to look at them individually, I only picked those domains that seemed unusual, or domains that shared similar names and/or the same set of IPs. Many of the domains that were picked showed very similar characteristics to the ones that were previously investigated. They were relatively new domains that made it to Voat, with a spike in their traffic histories. For some, it was strikingly clear that they were pushed by a specific user. In one specific case, three domains were cascaded together, af-mg.com forwarded to dc-chronicle.com, with dc-chronicle.com's data on thenarrativetimes.org. Very interesting to say the least!!
List of domains picked up from suspects' submissions, that showed very similar behaviour to those of 20+ domains. Initial submissions were usually posted to Voat between days to 3 weeks, after domain registration or before traffic spike.
- Domain22: americanews.network, offline, short-lived. First submission posted 10 days from domain registration.
- Domain23: amirror.link, offline with bad gateway. First submission 6 days from domain registration.
- Domain24: animeright.news, currently online, a shitpost website.
- Domain25.1: americafastnews.net, offline, no ssl. Appeared to be 1 of 4 domains sharing same backend, see data log at the end. First submissions posted to Voat within 2 to 3 weeks of domain registration.
- Domain25.2: conservativegeneration.net, offline, no ssl.
- Domain25.3: conservativemind.net, offline, no ssl.
- Domain25.4: topalertnews.com, offline, no ssl.
- Domain26.1: newsusatoday.co, offline, expired. First submission 5 days from site's traffic spike.
- Domain26.2 viraldailynews.co, offline, expired.
- Domain27.1: politicalbelief.site, offline. First submission 12 days from domain registration.
- Domain27.2: trumptroopers.com, offline. First submission 4 days from domain registration.
- Domain27.3: viralview.site, offline.
- Domain28: viralusfortrump.com, offline. First submission 4 days from domain registration.
- Domain29.1: loveconservative.site, offline. First submission 13 days from domain registration.
- Domain29.2: politicaltribes.site, offline.
- Domain30: freedom-daily.com, re-purposed. First submission 21 days from previous domain registration.
- Domain31.1: democratdossier.org, online. First submission between 1 week to 1 month.
- Domain31.2: truthseries.net, online, no ssl. First submission 13 days before traffic spike.
- Domain31.3: yellowvestmarch.com, online. First submission 15 days after domain registration.
- Domain32: nationonenews.com, offline. First submission 7 days after domain registration.
- Domain33: thenarrativetimes.org, online, connected to dc-chronicle.com, which itself was connected to af-mg.com. First submission 11 days before traffic peaked.
- Domain34: nationonenews.org, offline. First submission 1 fucking day after domain registration.
- Domain35.1: dc-chronicle.com, online, redirected from af-mg.com.
- Domain35.2: af-mg.com, connected to dc-chronicle.com.
- Domain36: dailycallernewsfoundation.org, online.
- Domain37: redstatenation.com, online. First submission 8 days after domain registration.
- Domain38: defiantamerica.com, online.
So it appears to me that there is likely a user or a small group of users, who are here to push contents, by hopping through disposable/burner domain names. Some of those domains pushed fake news, some pushed low quality contents or other bullshit. Some would circumvent the spam rule with a collection of domains at their disposal. This is something that other goats can point out periodically. I am not too worried or concerned about that. But I am in a way concerned with its implications.
Cont to part 2: https://voat.co/v/ProtectVoat/3001782/16431060
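Added example (not part of the original post): the two timestamp-free-of-traffic checks from the metric list above, registration-to-first-submission gap and shared IP, run over a few records transcribed from the data comments later in this thread. The 14-day threshold, the treatment of date-only values as midnight, and the assumption that whois and Voat timestamps share a timezone are choices made for this example; a record whose registration date falls after its first submission is reported as inconsistent rather than flagged.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Values transcribed from the thread's data comments (Parts 3 and 4).
# Record: (domain, ip or None, registered, [(submitted, submitter), ...])
RECORDS = [
    ("cbinfo24.com", "46.30.213.3", "2018-03-23", []),
    ("coolinfo24.com", "46.30.215.181", "2018-11-28 15:50:08",
     [("2018-12-10 14:29", "Kilroy_1962"), ("2018-12-10 18:50", "2903664")]),
    ("ludinfo24.com", "46.30.215.149", "2018-12-03 19:05:30",
     [("2018-12-18 04:36", "SporadicSpasms"), ("2018-12-06 14:27", "Dailytacs")]),
    ("mminfo24.com", "46.30.213.3", "2019-05-17 18:48:02",
     [("2018-06-03 21:03", "yurisrevenge")]),
    ("scandallinfo.com", "46.30.215.162", "2018-12-14 16:53:20",
     [("2018-12-15 04:53", "theoldones"), ("2019-01-05 21:43", "MolochHunter")]),
    ("thenyherald.com", None, "2018-09-10 08:55:32",
     [("2018-09-12 19:12", "Mogumbo"), ("2018-09-12 22:07", "Sw0rdofDamocles")]),
]


def parse_ts(text):
    """Parse the three timestamp shapes that appear in the records."""
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M", "%Y-%m-%d"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def registration_gaps(records, max_days=14):
    """Map domain -> (status, gap_days, first_submitter).

    max_days is an assumed threshold, not a value from the post.
    Timezones are assumed equal, so sub-day gaps are approximate.
    """
    out = {}
    for domain, _ip, registered, subs in records:
        if not subs:
            out[domain] = ("no-submissions", None, None)
            continue
        # Earliest submission wins, whatever order the record lists them in.
        when, who = min((parse_ts(ts), user) for ts, user in subs)
        gap = (when - parse_ts(registered)) / timedelta(days=1)
        if gap < 0:
            status = "inconsistent"  # submitted before registration: re-check whois
        elif gap <= max_days:
            status = "flag"
        else:
            status = "ok"
        out[domain] = (status, round(gap, 2), who)
    return out


def shared_ip_clusters(records):
    """Group domains by IP and keep only IPs seen on more than one domain."""
    by_ip = defaultdict(list)
    for domain, ip, _registered, _subs in records:
        if ip:  # skip records whose IP is N/A
            by_ip[ip].append(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) > 1}


if __name__ == "__main__":
    for domain, result in registration_gaps(RECORDS).items():
        print(f"{domain:20} {result}")
    print(shared_ip_clusters(RECORDS))
```

On shared hosting a common IP alone means little (the records list thousands of co-hosted domains per address), so the cluster output is only useful when intersected with the gap flags or a common submitter.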
MadWorld ago
Part 2 of 7
If and when a small group of users owns or controls a large set of domain names, this group can create an illusion of choice or randomness. The information being collected can be used to track or dox other users. For example, the group creates a large number of submissions on Voat, from a collection of seemingly random domains that it controls, submitted to different subverses. Goats of different interests visit those links, believing they are visiting different sites. Some will lurk or vote and move on, while other more active users will comment on the subject. This creates comment timestamps on Voat, which can be cross-referenced with the timestamps from the group's server(s). Given the clickbait nature of these sites, the gap between the timestamps, to be referenced, can be even shorter, making it even easier to establish educated guesses. There are cases, where the links are buried deep in the threads, implying that the chance of other users seeing them is minimal, the risk of being doxxed is even greater. Say a suspicious link was planted by a doxxer in a level 10 thread, a naive user clicked on it, followed by a comment in response to the content. It wouldn't need a lot of data to obtain this user's IP address. Furthermore, such condition can be optimized, where the doxxer only commented in submissions or threads that were already quieted down, and only targeted users who were most likely to reply. In such cases, only one mistake is all that is required to have a user's IP doxxed.
So, if this group is here to push the contents from other domains, why didn't those domains show any steady increase in their traffic histories? Why did those domains only show a single spike, in most cases, across their entire traffic histories? If this group were sincerely only advertising for those domains, then it had been doing a terrible job! In my opinion, I think the objectives of those domains are a bit sinister, leaning toward tracking users on Voat.
Suppose that the intention was to track users on Voat, aside from pushing fake or clickbait news. Who would be the most likely targets? Doxxing an average user is useless, as it provides no real value in return. It only becomes valuable, if such high profile users are doxxed. The folks at GA and PG immediately come to my mind, since those subverses are most heavily shilled. If the real IPs of the researchers from the two subverses were obtained, people with resources would be able to identify those users' locations, which would lead to their real identities. It would also be possible for people without special resources to locate their targets, though more personal info would be needed. It probably is enough to just threaten those users with their IP addresses and force them to back off. I would suggest that high profile users stick to VPN, Tor, or anon proxies, whenever possible.
I would like to propose that Voat periodically lists domain names from submissions, and possibly comments, where other users can browse and evaluate. It could be organized under the discover category, such as https://voat.co/discover/domain. The stats could include a small list of most recent or frequent submitters, number of times the domain has been shared, affiliated Voat accounts, if known, etc... Besides the obvious domain name search, the search feature could include discoverable domains listed by username, where searching a specific username would list submission stats of the domains. This approach would allow other users to quickly spot domain spammers or other suspicious users, without doing a manual stat dump.
MadWorld ago
Part 3 of 7 (data)
Domain1 akniinfo.com, whois, IP 46.30.215.167(shared by 2,368 domains)
Registrar: One.com A/S
Registered: 2019-01-03
Updated: 2019-01-10
Expires: 2020-01-03
Site Status: taken offline
Traffic History: N/A, short-lived
Archives:
* 2019-01-12 last known, archive
Domain2 cbinfo24.com, whois, IP 46.30.213.3(shared by 8,239 domains)
Registrar: One.com A/S
Registered: 2018-03-23
Updated: 2018-03-23
Expires: 2019-03-23
Site Status: taken offline
Traffic History: active 2018-06-16 255k, short-lived
Archives:
* 2018-06-20 first wayback
* 2019-01-16 last known
Domain3 coolinfo24.com, whois, IP 46.30.215.181(shared by 2,381 domains)
Registrar: One.com A/S
Registered: 2018-11-28 15:50:08
Updated: 2019-01-11 15:51:16
Expires: 2019-11-28 15:50:08
Site Status: taken offline
Traffic History: active 2018-12-16 48k, short-lived
Archives:
* 2018-12-04 first wayback
* 2018-12-07 last known
Submissions: submissions started shortly after domain registration date
Submitters(timestamp, username, subverse):
* 2018-12-10 14:29 Kilroy_1962(12 days) v/theawakening
* 2018-12-10 18:50 2903664(12 days) v/QRV
* 2018-12-12 01:26 gnexus(14 days) v/news
* 2018-12-15 05:58 boekanier(17 days) v/MuslimInvaders
SUSPECTS: Kilroy_1962
Domain4 cukam.com, whois, IP 46.30.213.198(shared by 12,215 domains)
Registrar: One.com A/S
Registered: 2018-08-14
Updated: 2018-08-14
Expires: 2019-08-14
Site Status: taken offline
Traffic History: active 2018-08-16 22k, short-lived
Archives:
* 2019-01-16 last known
Domain5 cvikas.com, whois, IP 46.30.213.2(shared by 8,149 domains)
Registrar: Ascio Technologies, Inc. Danmark - Filial af Ascio technologies, Inc. USA
Registered: 2018-03-03
Updated: 2018-10-05
Expires: 2019-03-03
Site Status: taken offline
Traffic History: active 2018-05 to 2019-01 286k/mo, peaked on 2018-06, short-lived
Archives:
* 2019-01-03 last known, run by Lora Wolson, a possible pseudonym taken from 1940 census record.
Submissions: searchvoat
Submitters(timestamp, username, subverse):
* 2018-10-19 21:56 2799882(14 days) v/QRV
SUSPECTS: anon
Domain6 cvikasdrv.com, whois, IPS 46.30.213.230(shared by 9,662 domains)
Registrar: One.com A/S
Registered: 2018-07-28
Updated: 2018-07-28
Expires: 2019-07-28
Site Status: taken offline
Archives:
* 2019-01-07 first wayback
* 2019-01-16 last known online, site remained online at the time of my last submission.
Traffic History: 178k in 2018-09, short-lived
Domain7 dailyinfo24.info, whois, IPS 104.27.150.105(shared by 210 domains), 104.27.151.105(shared by 183 domains)
Registrar: Dynadot, LLC
Registered: 2018-07-09
Updated: 2018-09-07
Expires: 2019-07-09
Site Status: 2017-04-23 launched, re-purposed
Traffic History: traffic began 2017-05, above 100k 2017-07 onward, constant 117k 2018-03 to 2018-12, despite being re-purposed. I find it a little strange that there was no cool down period when the site's content became completely different.
Domain History:
Archives:
* 2017-05-15 previous domain owner's activity
* 2017-05-17 site appeared under construction
* 2017-06-03 site appeared usable on wayback
* 2018-08-08 Domain re-purposed for kid's stuff.
Submissions: searchvoat
Submitters:
* 2017-06-15 17:28 RussianIvantheCrazy(12 days) v/BernieSandersSucks
* 2017-07-18 15:05 RussianIvantheCrazy(15 days) v/MuslimInvaders
* 2017-07-18 17:51 nogarbagetrashonly(15 days) v/Obamagate
SUSPECTS: RussianIvantheCrazy
Domain8 fergieinfo.com, whois, IPS 46.30.213.6(shared by 8,312 domains)
Registrar: One.com A/S
Registered: 2018-06-23
Updated: 2019-01-11
Expires: 2019-06-23
Site Status: taken offline
Traffic History: 2018-08 30k, short-lived
Archives:
* 2018-07-02 site appeared under construction
* 2018-11-17 site appeared usable on wayback
Submissions: searchvoat
Submitters:
* 2018-07-11 17:05 GizaDog(9 days) v/news
SUSPECTS: GizaDog
Domain9 lifeinfo24.net, whois, IPS 46.30.213.199(shared by 11,907 domains)
Registrar: One.com A/S
Registered: 2018-10-01
Updated: 2019-01-10
Expires: 2019-10-01
Site Status: taken offline
Traffic History: N/A, short-lived
Archives:
* 2018-12-30 last known online, no wayback history.
Domain10 ludinfo24.com, whois, IPS 46.30.215.149(shared by 2,468 domains)
Registrar: One.com A/S
Registered: 2018-12-03 19:05:30
Updated: 2019-01-10 13:39:00
Expires: 2019-12-03 19:05:30
Site Status: taken offline
Traffic History: N/A, short-lived
Archives:
* 2019-01-03 last known online, no wayback history
Submissions: searchvoat
Submitters:
* 2018-12-06 14:27 Dailytacs(3 days) v/Worldnews
* 2018-12-18 04:36 SporadicSpasms(15 days) v/news
* 2018-12-18 04:48 theoldones(15 days) v/BloodOfEurope
SUSPECTS: Dailytacs, notable SporadicSpasms and theoldones
MadWorld ago
Part 4 (data cont.)
Domain11: mminfo24.com, whois, IPS 46.30.213.3(shared by 8,239 domains, also by cbinfo24.com)
Registrar: One.com A/S
Registered: 2019-05-17 18:48:02
Updated: 2019-01-11
Expires: 2019-05-17
Site Status: taken offline
Traffic History: N/A, short-lived
Archives:
* 2018-07-07 first wayback
* 2018-08-19 last known online
Submissions: searchvoat
Submitters:
* 2018-06-03 21:03 yurisrevenge(17 days) v/Leftists
SUSPECTS: yurisrevenge
Domain12: policeglobal.com, whois, IPS 198.71.233.141(shared by 10,981 domains)
Registrar: GoDaddy.com, LLC
Registered: 2017-06-22
Updated: 2018-06-22
Expires: 2019-06-22
Site Status: still online on 2019-01-19
Traffic History: began 2017-08, peaked 234k in 2017-09, 486k in 2017-12, constant 43k 2018-05 onward
Archives:
* 2017-07-18 site under construction
* 2017-09-09 site usable on wayback
* 2019-01-16 still online
Submissions: searchvoat
Submitters:
* 2017-08-11 14:01 nogarbagetrashonly(24 days) v/GoodCopFreeDonut
SUSPECTS: nogarbagetrashonly(2nd hit)
Domain13: scandallinfo.com, whois, IPS 46.30.215.162(shared by 2,468 domains)
Registrar: One.com A/S
Registered: 2018-12-14 16:53:20
Updated: 2019-01-11 06:50:53
Expires: 2019-12-14 16:53:20
Site Status: online but wiped
Traffic History: 66.7k in 2018-12, short-lived
Archives:
* 2019-01-19 data wiped, no wayback history. home, gallery, magazine, social issues, cops & criminals, video, life, world.
Submissions: searchvoat
Submitters:
* 2018-12-15 04:53 theoldones(almost exactly 12 hours after domain registration) v/BloodOfEurope
* 2019-01-05 21:43 MolochHunter(22 days) v/GreatAwakening
SUSPECTS: theoldones(2nd hit)
Domain14: tapainfo.com, whois, IPS 46.30.215.247(shared by 3,603 domains)
Registrar: One.com A/S
Registered: 2018-11-15 15:08:47
Updated: 2019-01-10 18:52:12
Expires: 2019-11-15 15:08:47
Site Status: taken offline
Traffic History: 195k in 2018-11, 550k in 2018-12, short-lived
Archives:
* 2018-11-29 wayback archive
* 2019-01-15 Home, news, Magazine, World/Nature, Travel, Food, Life/Lifestyle, Health & Fitness, Gallery, About, Contact, Terms/Conditions. Site had numerous default pages from template.
* 2019-01-16 last known online
Submissions: searchvoat
Submitters:
* 2018-11-19 18:48 Russianbots(4 days) v/whatever
* 2018-11-20 08:22 MacMike(5 days) v/news
* 2018-11-20 16:23 Sw0rdofDamocles(5 days) v/Maryland
* 2018-11-21 15:37 ArtistiqueJewelry(6 days) v/theawakening
* 2018-11-22 01:10 critias(7 days) v/multiculturalcancer
* 2018-11-23 16:50 WagonBurner(8 days) v/Conspiracy
* 2018-11-26 00:04 2873330(11 days) v/QRV
* 2018-11-29 13:42 ArtistiqueJewelry(14 days) v/theawakening
* 2018-12-07 14:35 tendiesonfloor(22 days) v/politics
* 2018-12-15 14:13 thewebofslime v/politicalnews
* 2018-12-21 01:51 gnexus v/news
* 2018-12-21 03:15 myvoicefromhell v/whatever
* 2019-01-15 17:52 tendiesonfloor v/whatever
SUSPECTS: Russianbots
Domain15: thenyherald.com, whois, IPS N/A
Registrar: NameCheap, Inc.
Registered: 2018-09-10 08:55:32
Updated: 2018-09-10 08:55:32
Expires: 2019-09-10 08:55:32
Site Status: taken offline
Traffic History: 75k in 2018-09, short-lived
Archives:
* 2018-09-14 first wayback, The New York Herald - Breaking News
Submissions: searchvoat
Submitters:
* 2018-09-12 19:12 Mogumbo(2.5 days) v/news
* 2018-09-12 22:07 Sw0rdofDamocles(2.5 days) v/Pedophiles
* 2018-09-13 19:25 Shotinthedark(3.5 days) v/whatever
SUSPECTS: Mogumbo, Sw0rdofDamocles(2nd hit)
Domain16: tvrtinfo.com, whois, IPS 46.30.215.208(shared by 3,785 domains)
Registrar: One.com A/S
Registered: 2018-11-19 17:41:58
Updated: 2019-01-11 00:26:24
Expires: 2019-11-19 17:41:58
Site Status: taken offline
Traffic History: 40k in 2018-12, 132k in 2018-12, short-lived
Archives:
* 2018-11-29 first wayback, articles dated 11/26 to 11/28.
* 2018-12-16 last known online, 2nd article
Submissions: searchvoat
Submitters:
* 2018-12-10 17:34 Dragon40(14 days) v/PoliticsNews
* 2018-12-14 11:07 ElfieJo(18 days) v/theawakening
* 2018-12-14 13:37 2912093(18 days) v/QRV
* 2018-12-26 13:42 TPTBNewsReviewer v/news
* 2018-12-26 20:58 Grindelwo v/Canada
Domain17: usapatriotsvoice.com, whois, IPS 46.30.215.197(shared by 3,955 domains)
Registrar: Ascio Tech
Registered: 2018-02-24
Updated: 2018-10-06
Expires: 2019-02-24
Site Status: still online on 2019-01-19, taken offline on 2019-01-21
Traffic History: peaked 85k in 2018-07, no traffic since 2018-09
Archives:
* 2018-03-03 first wayback
* 2018-07-21 archived fake news
* 2019-01-16 archived another fake news
Submissions: searchvoat
Submitters:
* 2018-07-16 11:50 elburrito v/IslamUnveiled
* 2018-07-16 17:34 Bfwilley v/FreePoliticalDisc
* 2018-07-18 10:07 Scrooblemeyer v/news
* 2018-07-18 10:08 Scrooblemeyer v/IslamUnveiled
* 2018-07-18 10:20 Scrooblemeyer v/IslamUnveiled
* 2018-07-18 13:08 2636879 v/Germany
* 2018-08-03 08:58 boekanier v/MuslimInvaders
* 2018-08-03 09:00 boekanier v/MuslimInvaders
* 2018-08-03 14:49 Tazzermalt v/atheism
Domain18: vtamedia.com, whois, IPS 46.30.213.6(shared by 8,312 domains, also by fergieinfo.com)
Registrar: Ascio Tech
Registered: 2018-03-21
Updated: 2018-10-04
Expires: 2019-03-21
Site Status: still online, taken offline on 2019-01-21
Traffic History: 13k in 2018-04, 19k 2018-10
Archives:
* 2019-01-16 fake news1
* 2019-01-16 fake news2
Domain19: classic2017.info, whois, IPS N/A
Registrar: GoDaddy.com, LLC
Registered: 2017-04-30
Updated: 2018-05-01
Expires: 2019-04-30
Site Status: taken offline
Traffic History: peaked 70k 2017-10, offline
Archives:
* 2017-05-21 first wayback
* 2017-09-22 wayback archived fake news, published on 2017-09-20; however, the actual video was published on 2014-01-13.
Submissions: searchvoat
Submitters:
* 2017-09-20 15:27 HarveyKlinger v/Denver
* 2017-09-20 16:09 Iknowtwomuch v/whatever
argosciv ago
Again!
MadWorld ago
Haha, yeah...
I think there is too much data, within this submission. It would take some time to actually go through those domains.