A website mimicking the official BBC News site garnered immense traffic earlier this week by spreading false information about the Charlie Hebdo massacre, and the fake site is likely a facade for cybercriminal activity, according to a report from a cybersecurity firm.
The lookalike website (bbc-news[.]co[.]uk) carried a fake story claiming the Charlie Hebdo attack was staged. The site gained immense traffic after it was promoted across social media. Traffic surged from zero to several thousand hits within an hour, an almost 16.5-fold spike over the domain's normal DNS query volume, said OpenDNS, a cybersecurity firm, in its forensic analysis.
The company noted that the approach is similar to the malicious campaigns that followed the Boston Marathon bombings.
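The query surge OpenDNS describes is exactly the kind of signal a resolver operator can hunt for. The following is an added example, not code from OpenDNS or the article: it buckets constructed resolver log lines by hour, flags any name whose peak hour exceeds its own baseline by a large factor (the 16.5x figure above would trip it), and marks whether the spiking name imitates a brand it is not on the allow-list for. The allow-list, the brand keyword and the log format are assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

# Assumptions: names the analyst trusts for the brand, and the brand keyword
# whose presence in any other name is treated as a lookalike indicator.
LEGIT_BRAND_DOMAINS = {"bbc.co.uk", "bbc.com"}
BRAND_KEYWORD = "bbc"


def build_sample_log():
    """Constructed resolver log lines: '<ISO timestamp> <client> <qname>'."""
    lines = []
    for hour in range(8, 12):  # four quiet baseline hours, one query each
        lines.append(f"2015-01-10T{hour:02d}:15:00 10.0.0.5 bbc.co.uk")
        lines.append(f"2015-01-10T{hour:02d}:40:00 10.0.0.6 bbc-news.co.uk")
    for n in range(20):  # hour 12: the promoted link goes viral
        lines.append(f"2015-01-10T12:{n:02d}:00 10.0.1.{n} bbc-news.co.uk")
    lines.append("2015-01-10T12:30:00 10.0.0.7 bbc.co.uk")
    return lines


def hourly_counts(lines):
    """Map each queried name to a Counter of queries per hour bucket."""
    counts = defaultdict(Counter)
    for line in lines:
        ts, _client, qname = line.split()
        counts[qname.lower().rstrip(".")][ts[:13]] += 1  # 'YYYY-MM-DDTHH'
    return counts


def find_spikes(lines, ratio=10.0):
    """Return {qname: (peak_hour, peak, baseline, observed_ratio, lookalike)}
    for names whose busiest hour is at least `ratio` times their median hour."""
    alerts = {}
    for qname, buckets in hourly_counts(lines).items():
        peak_hour, peak = max(buckets.items(), key=lambda kv: kv[1])
        rest = [c for h, c in buckets.items() if h != peak_hour]
        baseline = median(rest) if rest else 0
        observed = peak / baseline if baseline else float("inf")
        if observed >= ratio:
            lookalike = BRAND_KEYWORD in qname and qname not in LEGIT_BRAND_DOMAINS
            alerts[qname] = (peak_hour, peak, baseline, observed, lookalike)
    return alerts


if __name__ == "__main__":
    for name, info in find_spikes(build_sample_log()).items():
        print(name, info)
```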
“The campaign presented similar indicators as witnessed in spam email runs and rapidly constructed websites surrounding the Boston Marathon bombing. As the domain appeared (without deep investigation) to be associated with BBC and its brand, it is reasonable to assume that many more individuals could have been driven to the site. Once at the site, individuals could have been served malicious content, redirected to other more dangerous fraudulent sites, or unknowingly enlisted for click fraud purposes to name but a few.”
The story on the fraudulent website read:
“According to analysts, it appears that the footage was recorded over two takes, evidenced by a placement marker that appears by the front left wheel of the vehicle as the gunmen return from apparently gunning down a wounded Gendarme. The killing of the French policeman is also being called into question, due to the ‘lack of blood spatter consistent with that of a close range shooting’. As shown in the freeze frame below [no longer available], smoke is shown to emit from the weapon, with no impact or trauma appearing to register on the body of the victim. The decision of many news outlets to blur out the victim is being debated as evidence of complicity in what many are now calling a hoax.”
It further quoted the noted forensic and ballistics expert David Mayhew as saying, “If the video shows events as they actually occurred, then in my opinion it is most likely that the firearm shown is discharging blanks rather than conventional ammunition.”
External links within the article led to an Iranian state-sponsored media outlet. The website might be part of a malware-serving campaign with the Charlie Hebdo attack as bait for information-seeking users, said OpenDNS.
“One might conclude that, given the recent events surrounding Charlie Hebdo in Paris, the posting of disinformation on the site, and links to an Iranian state-sponsored news agency corroborating the same disinformation, that this was a State-executed, State-ordered, State-integrated, or State-rogue-conducted activity backed by Iran. Given all available information, however, this conclusion might be as inflammatory and misinformed as the campaign itself,” said OpenDNS.
They base this on the fact that the domain first surfaced in two false tweets on Dec 31, 2014, claiming a “UK YouTuber” had been apprehended in the Middle East on terror charges, most probably a trial run for the campaign.
“We were unable to corroborate this story and found no reference to the event in question,” OpenDNS said.
This was followed by tweets in early January announcing a new Cicada 3301 clue. Cicada posts complex puzzles to recruit capable cryptanalysts from the public. The Washington Post has listed the puzzles among the “Top 5 eeriest, unsolved mysteries of the Internet”; they test a person’s data security, cryptography, and steganography skills.
“Given the date that these tweets began, the owner of the…site likely counted on a flood of puzzle-playing people just waiting for another clue,” OpenDNS said.
Piecing the information together, it appears, “This very well could have been a campaign of test runs to see what type of SEO-like keywords, stories and links generated the most traffic to a seemingly reputable domain. Based on the success or failure of the test runs, the attacker could re-factor or move forward, respectively, with a more malicious campaign.”
At the moment, the bbc-news[.]co[.]uk domain redirects to a YouTube video titled “The Yes Men Fix the World.” The fake site has most likely been taken down after spreading the bogus Charlie Hebdo story.
Still have doubts about this site? Read more on the researcher’s website.