November 2020
La Nueva Prensa, known for its independent investigative reporting, often focusing on corruption and the links between politics and drug cartels, noticed in October 2020 that a clone of its website had appeared on the Internet. Around the same time, Los Danieles, a popular column run by three prestigious journalists, noticed that its site had been cloned as well. The impostors used identical layouts and domain names similar to those of the original sites, but altered the content and exploited the outlets' good reputation to spread political disinformation. The fake websites publish news supporting the right wing, often focusing on Álvaro Uribe, ex-president of Colombia, in the name of the legitimate news outlets and using the names of their journalists.
This report follows the digital footprints of the impostors to reveal the identity of the attacker.
The clones
The clones of La Nueva Prensa and Los Danieles use domain names similar to those of the legitimate news sites, changing only the TLD.
| Legit | Clone |
| --- | --- |
| lanuevaprensa.com.co | lanuevaprensa{.}net |
| losdanieles{.}com | losdanieles{.}net |
The design of the clones is an exact copy of the legitimate sites.
Image 1: Clone of Los Danieles
Image 2: Clone of La Nueva Prensa
The location of the clones – where are they hosted?
The domain name of the Los Danieles clone was registered on June 29, 2020, and the domain of the La Nueva Prensa clone on July 18, 2020. Both clone domains are registered with the registrar Namecheap.
Historical records of the La Nueva Prensa clone domain (lanuevaprensa{.}net) show that it has been hosted at banahosting.com, a hosting provider with servers inside Server Central Network (AS23352).
Both clones’ domains declare a mail SPF record of the form:
"v=spf1 +a +mx include:relay.mailchannels.net ~all"
Both domains use Imunify360 to protect their websites (WordPress) from application-layer attacks. The two domains seem to have a few things in common. Let’s see if we can find more similarities…
The location of the Los Danieles clone (losdanieles{.}net) is hidden behind Cloudflare that proxies the traffic and hides where the real server is hosted.
Knowing that the La Nueva Prensa clone (lanuevaprensa{.}net) is hosted in Server Central Network, we looked into all networks announced by the company, specifically those networks used for hosting customers.

Using the service censys.io, we searched for addresses inside Server Central answering with the “imunify360 webshield 1.8” captcha and discovered that the IP address 66.225.201{.}72 was returning a Let’s Encrypt SSL certificate for the domain losdanieles{.}net. Hence, the hidden backend of the Los Danieles clone is also hosted in Server Central. A coincidence…?
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = losdanieles.net
verify return:1
Certificate chain
 0 s:/CN=losdanieles.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
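The pivot described above, as an added example that is not part of the original report: given scan records of the kind a Censys-style export yields (answering IP, certificate subject CN and SAN names), keep only hosts inside the hosting network's prefixes and report those whose certificate names the domain that the CDN hides. The prefix list and the scan rows are constructed for illustration (only the losdanieles.net subject on 66.225.201.72 mirrors the report); the same check lets a site operator confirm that its own origin does not expose its certificate outside the CDN.

```python
import ipaddress
from dataclasses import dataclass

# Prefixes of the hosting network to search within. Constructed for this
# example; in practice they are the prefixes announced by the provider's AS.
HOSTING_PREFIXES = [ipaddress.ip_network("66.225.201.0/24")]

@dataclass(frozen=True)
class CertObservation:
    ip: str          # host that answered the TLS handshake
    subject_cn: str  # certificate subject CN
    sans: tuple      # subjectAltName DNS entries
    issuer: str      # issuing CA, kept for context only

def name_matches(pattern: str, domain: str) -> bool:
    """Match a certificate name against a domain, honouring a leading '*.'."""
    pattern, domain = pattern.lower().rstrip("."), domain.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard covers exactly one label and never the bare parent domain.
        return domain.endswith(pattern[1:]) and domain.count(".") == pattern.count(".")
    return pattern == domain

def in_hosting_network(ip: str) -> bool:
    """True when the address falls inside one of the searched prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_PREFIXES)

def find_origin_candidates(observations, domain):
    """IPs inside the hosting prefixes whose certificate names the domain."""
    hits = set()
    for obs in observations:
        if not in_hosting_network(obs.ip):
            continue  # a cert seen elsewhere (e.g. on a CDN edge) is not the origin
        if any(name_matches(n, domain) for n in (obs.subject_cn, *obs.sans)):
            hits.add(obs.ip)
    return sorted(hits)

# Constructed scan rows. Only the losdanieles.net subject on 66.225.201.72
# mirrors the report; the other two rows are invented negatives.
SAMPLE = [
    CertObservation("66.225.201.72", "losdanieles.net",
                    ("losdanieles.net", "www.losdanieles.net"), "Let's Encrypt Authority X3"),
    CertObservation("66.225.201.5", "*.example.net", ("*.example.net",), "Example CA"),
    CertObservation("203.0.113.10", "losdanieles.net", ("losdanieles.net",), "Example CA"),
]

if __name__ == "__main__":
    print(find_origin_candidates(SAMPLE, "losdanieles.net"))  # ['66.225.201.72']
```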
When looking into what is hosted in the 66.225.201.0/24 IP range, we found that the network hosts machines from “Banahosting”. Using reverse DNS and historical SSL data, we found that the domain “tequieroperro{.}com” has been hosted in a pool of suspicious addresses in Server Central (66.225.201{.}67-78) with the reverse DNS name priva60.privatednsorg.com.

Twitter fake news amplification
While searching for more clues that could lead us to the people behind the clones, we started to look into which Twitter handles were disseminating the fake news coming from the clone of La Nueva Prensa (lanuevaprensa{.}net). We found that the fake articles were promoted by the Twitter account “@lanuevaprensa_”. One account, @Dr__Fausto, was especially active, retweeting everything posted by the fake Twitter account.
Image 5: Doctor Fausto (@Dr__Fausto) is frequently retweeting the messages from the fake Twitter account of La Nueva Prensa.
Image 6: The Twitter profile of Doctor Fausto links the account holder to HPS.com.co.
The @Dr__Fausto Twitter account refers to the domain name hps.com{.}co, which was a new piece of information to us. We looked into the historical records of the domain name using Farsight Security passive DNS data and found that the website was pointing to 66.225.201{.}71, inside the priva60 servers in Server Central. Another piece of the puzzle pointing to Server Central Network.
We also found that hps.com.co is associated with the name servers noticiasmanizales.com and reputacion.guru, which serve hundreds of domains in the same hosting network. This piece of information is the starting point of Part 3 of this investigation, A Decade of Phishing.
2016-12-02 05:15:07 -0000, 2017-04-21 02:10:05 -0000,hps.com.co. IN NS ns1.reputacion.guru.,0,0
2016-12-02 05:15:08 -0000, 2017-04-18 13:16:16 -0000,hps.com.co. IN A 37.48.93.196, AS60781 Netherlands, NL, Netherlands
2016-12-02 05:15:08 -0000, 2017-04-18 13:16:16 -0000,hps.com.co. IN NS ns1.reputacion.guru.,0,0
2016-12-08 01:06:16 -0000, 2017-04-18 12:09:03 -0000,hps.com.co. IN SOA ns1.reputacion.guru. brandco2014.gmail.com. 2016112203 3600 7200 1209600 86400,0,0
2017-04-21 07:00:18 -0000, 2020-02-10 19:33:47 -0000,hps.com.co. IN NS ns1.noticiasmanizales.com.,0,0
2017-04-21 08:46:57 -0000, 2017-08-01 22:41:54 -0000,hps.com.co. IN SOA ns1.noticiasmanizales.com. seothebest2015.gmail.com. 2017042105 3600 7200 1209600 86400,0,0
2017-04-21 08:46:57 -0000, 2020-02-10 19:33:47 -0000,hps.com.co. IN NS ns1.noticiasmanizales.com.,0,0
2017-08-02 16:06:10 -0000, 2017-10-29 22:26:35 -0000,hps.com.co. IN SOA ns1.noticiasmanizales.com. servers.privatednsorg.com. 2017080105 86400 7200 1600000 86400,0,0
2017-10-30 02:22:12 -0000, 2018-02-20 13:05:21 -0000,hps.com.co. IN SOA ns1.noticiasmanizales.com. servers.privatednsorg.com. 2017102902 86400 7200 1600000 86400,0,0
2018-02-22 01:01:37 -0000, 2018-02-26 09:19:23 -0000,hps.com.co. IN SOA ns1.noticiasmanizales.com. servers.privatednsorg.com. 2018022100 86400 7200 1600000 86400,0,0
2018-02-26 15:50:03 -0000, 2020-02-10 19:33:47 -0000,hps.com.co. IN SOA ns1.noticiasmanizales.com. admin.privatednsorg.com. 2018022608 86400 7200 1600000 86400,0,0
2020-05-10 15:06:29 -0000, 2020-05-10 15:06:29 -0000,dc-f10ac24a2044.hps.com.co. IN A 66.225.201.71, AS23352 Server Central Network, US, United States
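The passive DNS pivot above, done by hand in the report, as an added example that is not part of the original: a parser for records in the format of that dump which extracts the name servers, the SOA contact mailboxes and the A records with their ASN, and orders the sightings into a timeline. The embedded rows are a subset copied from the dump above; the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Passive DNS records in the format of the dump shown above (a subset copied
# from the report); a real investigation would feed the full export.
PDNS_DUMP = """\
2016-12-02 05:15:08 -0000, 2017-04-18 13:16:16 -0000,hps.com.co. IN A 37.48.93.196, AS60781 Netherlands, NL, Netherlands
2016-12-02 05:15:08 -0000, 2017-04-18 13:16:16 -0000,hps.com.co. IN NS ns1.reputacion.guru.,0,0
2016-12-08 01:06:16 -0000, 2017-04-18 12:09:03 -0000,hps.com.co. IN SOA ns1.reputacion.guru. brandco2014.gmail.com. 2016112203 3600 7200 1209600 86400,0,0
2017-04-21 07:00:18 -0000, 2020-02-10 19:33:47 -0000,hps.com.co. IN NS ns1.noticiasmanizales.com.,0,0
2018-02-26 15:50:03 -0000, 2020-02-10 19:33:47 -0000,hps.com.co. IN SOA ns1.noticiasmanizales.com. admin.privatednsorg.com. 2018022608 86400 7200 1600000 86400,0,0
2020-05-10 15:06:29 -0000, 2020-05-10 15:06:29 -0000,dc-f10ac24a2044.hps.com.co. IN A 66.225.201.71, AS23352 Server Central Network, US, United States
"""

def parse_ts(s: str) -> datetime:
    # Timestamps in this export always carry a "-0000" (UTC) offset, dropped here.
    return datetime.strptime(s.strip()[:19], "%Y-%m-%d %H:%M:%S")

def parse_record(line: str):
    """One line -> (first_seen, last_seen, rrname, rrtype, rdata, asn)."""
    first, last, rr, *rest = line.split(",", 3)
    rrname, _klass, rrtype, rdata = rr.strip().split(" ", 3)
    m = re.match(r"\s*AS(\d+)", rest[0]) if rest else None  # only A rows carry an ASN
    return (parse_ts(first), parse_ts(last), rrname, rrtype, rdata, int(m.group(1)) if m else None)

def parse_dump(text: str):
    return [parse_record(l) for l in text.splitlines() if l.strip()]

def pivots(records):
    """Collect the indicators the report pivots on: name servers, SOA contacts, A records."""
    out = defaultdict(set)
    for _first, _last, _name, rrtype, rdata, asn in records:
        if rrtype == "NS":
            out["nameservers"].add(rdata.rstrip("."))
        elif rrtype == "SOA":
            mname, rname = rdata.split()[:2]
            out["nameservers"].add(mname.rstrip("."))
            # SOA RNAME is a mailbox whose '@' is written as the first '.'
            out["contacts"].add(rname.rstrip(".").replace(".", "@", 1))
        elif rrtype == "A":
            out["addresses"].add((rdata, asn))
    return out

def timeline(records):
    """(first_seen, last_seen, rrtype, rdata) ordered by first sighting."""
    return sorted((f, l, t, d) for f, l, _n, t, d, _a in records)

if __name__ == "__main__":
    print(dict(pivots(parse_dump(PDNS_DUMP))))
```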

Findings & Conclusions

There are some interesting forensic findings:
- Both clones are hosted in Server Central
- The clone of Los Danieles (66.225.201{.}72) and HPS (66.225.201{.}71) are both hosted on priva60. HPS is connected to the Twitter handle @Dr__Fausto, which promotes fake news from La Nueva Prensa’s clone via the fake Twitter account @lanuevaprensa_.
- Both domains losdanieles{.}net and hps.com{.}co share the Cloudflare DNS servers clay.ns.cloudflare.com and gina.ns.cloudflare.com.
- The domain name hps.com.co is associated with the name servers noticiasmanizales.com and reputacion.guru, which serve hundreds of domains in the same hosting network.
There are good reasons to believe that the people behind the clone of Los Danieles are related to HPS. It is also not far-fetched to believe that the same group of people is behind both clones.