4 March 2024
A deep fake video of Maria Ressa promoting the cryptocurrency scam “Bitcoin Method” was released on Facebook on 6 February 2024. The AI-edited video was based on Ressa’s appearance on The Late Show with Stephen Colbert in November 2022, where she was invited to discuss her insights on democracy and freedom and the danger of living in a world dominated by social media.
The computer-generated voice is quite similar to Maria’s, but her lips do not match the words she says. Anyone familiar with Maria Ressa and her tireless and fearless struggle against the tyrants in power and for press freedom in the Philippines knows that these are not her words. The Philippine government has for years tried to bring Ressa down by accusing her of tax fraud, tax evasion and receiving money from the Central Intelligence Agency, and by arresting her a number of times. Although Ressa has been acquitted of all charges, the accusations will stay with her; that is how disinformation works. A seed is planted when a lie is spread, and if it is repeated enough times, it becomes a fact. As Ressa herself describes disinformation: “a lie told a million times becomes a fact”.
The same logic applies to this deep fake scam. Although it is hard to believe that Maria Ressa has made herself a fortune with Bitcoin, a seed has been planted that perhaps there is a glimpse of truth in that video. Perhaps the award-winning and internationally known media mogul behind Rappler.com has not earned her position only by working hard as a journalist?
Despite the low quality of the deep fake, the video was promoted as an advertisement campaign in the Microsoft Network (MSN) targeting Filipino audiences, with statements such as “The end for her?” and “Maria Ressa could be sued for her remarks on TV”.
The greatest challenge of disinformation is not the lies, but the lack of accountability of those who disseminate the fake information and the silent support from platform providers like Meta and others that profit from it and allow the disinformation to thrive.
Qurium has investigated the deep fake video in an attempt to figure out which forces were behind this defamation attempt and which actors were involved.
Our findings are the following:
- In early February 2024 the domain name ultimainv{.}website was used to distribute fake look-alike articles from CNN and Rappler and a fake video of Maria Ressa promoting the “Bitcoin Method”.
- The articles were later promoted as Ads in the Microsoft Network in the Philippines using the title “The end for her?”, with the aim of discrediting Maria Ressa.
- Metadata of the fake video indicates Russian editors.
- An error during the preparation of the defamation campaign against the journalist exposed, on the newly registered domain, a webpage offering a “Handy Heater” linked to a defunct Russian company. The page was quickly replaced by the malicious pages intended for the campaign.
- The analysis of the different types of content hosted on the domain ultimainv{.}website from January 2024 provides strong links to a network of malicious advertisers involved in several cases of online fraud associated with ООО “МЕДИАР” (aka M1), a Russian CPA advertisement network.
Hence, Russian-controlled infrastructure was used to set up the clone articles that featured the deepfake of Maria Ressa promoting Bitcoin. Although the deepfake video followed the rule book of a regular scam, where a celebrity is used to promote Bitcoin, it was made by Russians and disseminated to a Philippine audience to malign Maria Ressa.
The plot – in detail
The case was reported to Qurium via the MSN advertisement (“The end for her?”), which included a link to the domain where the deep fake video was distributed (ultimainv{.}website) and which also promoted the “Bitcoin Method” (bitcoinmethod{.}com).
The disinformation campaign against Ressa served the deep fake video in two fake articles (hosted under ultimainv{.}website) with the graphical appearance of Rappler.com and CNN Philippines. These fake articles were disseminated via Facebook.
Collecting evidence and mapping them out
Taking advantage of several forensic elements left in the video and on the website distributing the video and images, Qurium was able to reconstruct the timeline of the malicious campaign. To reconstruct the events we obtained timestamps from the following sources:
- Domain registration data of ultimainv{.}website and bitcoinmethod{.}com, used in the deep fake campaign
- Hosting information of the domains ultimainv{.}website and bitcoinmethod{.}com
- Metadata of the PNG images 4.png, 5.png, 6.png and 7.png from the CNN and Rappler clones
- Metadata from the Wistia video platform left in the cloned websites
- Metadata left from the original articles scraped from the CNN and Rappler websites
- 28 to 30 November 2023: Creation of the images to be published on the clone articles of Rappler.com and CNN Philippines.
- 10 January 2024: Registration of the domain name ultimainv.website. The following day the domain is flagged as malicious on urlscan.io.
- 23 January 2024: The hosting of bitcoinmethod.com moves from Amazon to Cloudflare to hide its backend and its owners.
- 24 January 2024: A Facebook page (ID 03322809538341) is created containing links to the cloned articles.
- 26 January 2024: Rappler.com is scraped to create the clone article.
- 31 January 2024: The deep fake video is uploaded to Wistia.
- 5 February 2024: CNN Philippines is scraped to create the clone article. The clone is published on ultimainv.website.
- 5 February 2024: The deep fake video is released on Facebook.
In a nutshell, the campaign was prepared from 28 November 2023 to 5 February 2024.
Metadata – signs of Russian influence
By studying the metadata of images and videos we have learned about the attackers’ geolocation. Metadata obtained from images on the clone websites (Rappler and CNN Philippines) includes Cyrillic script, and the timezone of the timestamps is GMT+3 (Moscow, St Petersburg). These are not conclusive proof, but solid indications.
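As an added example (not Qurium’s own tooling), a pure-stdlib PNG chunk reader that pulls out the text chunks where such metadata lives (tEXt, and iTXt, which is where XMP is stored) and reports the two indicators relied on above: Cyrillic characters and the UTC offsets of embedded timestamps. The sample image is constructed inside the script and is not one of the 4.png to 7.png files from the clones.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CYRILLIC = re.compile(r"[\u0400-\u04FF]")
# ISO-8601 timestamp with an explicit UTC offset, as XMP/Exif-style fields write it
TZ_STAMP = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?([+-]\d{2}:\d{2}|Z)")

def iter_chunks(data: bytes):
    """Yield (type, payload) for each chunk, checking the signature and every CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, payload
        pos += 12 + length

def text_fields(data: bytes) -> dict:
    """Collect tEXt (Latin-1) and iTXt (UTF-8, optionally deflated) chunks as {keyword: text}."""
    fields = {}
    for ctype, payload in iter_chunks(data):
        key, _, rest = payload.partition(b"\x00")
        if ctype == b"tEXt":
            fields[key.decode("latin-1")] = rest.decode("latin-1")
        elif ctype == b"iTXt":
            compressed, rest = rest[0], rest[2:]       # compression flag, then method byte
            _lang, _, rest = rest.partition(b"\x00")   # language tag
            _tkey, _, text = rest.partition(b"\x00")   # translated keyword
            fields[key.decode("latin-1")] = (zlib.decompress(text) if compressed else text).decode("utf-8")
    return fields

def metadata_signals(data: bytes) -> dict:
    """The two indicators discussed above: Cyrillic in any text field, and the UTC offsets seen."""
    blob = "\n".join(text_fields(data).values())
    return {"cyrillic": bool(CYRILLIC.search(blob)),
            "utc_offsets": sorted(set(TZ_STAMP.findall(blob)))}

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF)

# Constructed 1x1 sample (not one of the 4-7.png files from the clones): an XMP creation
# date with a +03:00 offset plus a Cyrillic label, which is what the indicators key on.
XMP = "<xmp:CreateDate>2023-11-28T14:05:11+03:00</xmp:CreateDate><xmp:Label>Макет баннера</xmp:Label>"
SAMPLE_PNG = (PNG_SIG
              + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"tEXt", b"Comment\x00constructed sample")
              + _chunk(b"iTXt", b"XML:com.adobe.xmp\x00\x00\x00\x00\x00" + XMP.encode("utf-8"))
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
```

Run `metadata_signals(open("image.png", "rb").read())` on a real file; an offset alone only says where the editing software’s clock was set, so treat it as one indicator among several, as the text does.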
Who hosts the deep fake video?
TD Globus Contract – a malicious advertisement network
Qurium obtained a cached copy of the content of ultimainv{.}website from 25 January 2024, just before the website was modified to host the “Bitcoin Method” page with the fake video.
We also found that the content of ultimainv{.}website matched a page hosted under the domain minpriceclub{.}com and a page hosted under promoshopmedia{.}com.
The original content of the domain was an advertisement for a “Handy Heater” by the defunct Russian company TD Globus Contract, with the fake company registration number (OGRN) 1161832052832.
The domain name ultimainv{.}website was registered to distribute fake clones of articles from Rappler.com and CNN Philippines, released on 5 February 2024. However, one week earlier the website hosted content associated with the Russian companies ООО “ТД КОБУС КОНТРАКТ” and ООО “МЕДИАР” (aka M1.top).
What are TD Globus Contract and M1.top up to?
It turns out that the Russian companies TD Globus Contract and M1.top are involved in an online shopping scam. A Russian reputation forum explains the modus operandi of this network of fraudsters: the companies advertise products online, and payment and shipment of the goods are arranged by phone. The victim of the fraud picks up the order at their local post office and pays for the goods in person. In many cases the packages are empty or contain a random low-cost product.
Qurium identified dozens of websites, including ultimainv{.}website, linked to the Russian company “TD Globus Contract”, even though the company has been inactive in the company registry since December 10, 2019.
“TD Globus Contract” is not the only company used for the scams. In a few days we identified dozens of “ghost” entities, mostly Russian companies with bogus information, associated with the cyberscam network.
Some of the scam websites also include fake European addresses and reuse VAT and Primary State Registration Numbers (PSRN).
M1.top – broker of TD Globus Contract
Qurium collected more than 40 websites associated with “TD Globus Contract”. All of them contained JavaScript code forwarding the name and phone number of the victims to api{.}m1.top. M1 plays a brokering role in the scam network, hiding the malicious advertisers from scrutiny.
Once we understood that m1{.}top acted as an intermediary between the scam sites and their victims, we were able to find more domain names used by M1 as postback URLs. In a nutshell, M1 provides a set of links so that affiliates can earn commissions when specific actions take place.
In all the advertisements we reviewed, including the sites of the “Bitcoin Method” and the “Handy Heater”, the scammers collect only the name and phone number of the victims. This information is then forwarded to M1 by means of an API (api.m1.top), where the next stage of the scam takes place.
A call center gathers the personal data of the victim, confirms the sale and ships the product to the post office nearest to the victim. Payment takes place when the package is collected from the post office, as “cash on delivery”. The victim does not receive the ordered product but a low-quality piece of junk or a bag of sawdust.
The role of M1
In this scenario, M1 is responsible for paying those who help promote the content and generate new scam sales.
Affiliate Website (Publisher) -> M1.top (CPA) -> Advertisers.
To keep everyone unaccountable for the fraud, the scheme is split across three different roles:
- Affiliate Advertiser (Publisher): Promotes the goods and forwards the names and phone numbers of potential victims to M1. On their websites they make clear that they only advertise goods and are not responsible for anything related to the merchandise.
- M1 Shop (CPA): Receives the names and phone numbers from the publisher and hands the information over to the advertiser. It is responsible for paying the publishers for their “actions” and receives money from the advertisers for playing the intermediary role.
- Advertisers: Responsible for creating new offerings in the fraud network, including nutrition goods (nutra) or cryptocurrency offers, and for delivering the goods or services to the clients.
For this type of fraud to be effective, the advertisers’ identities need to be protected by M1 Shop, and publishers need to be constantly renewed once their reputation has been compromised.
Ultimately nobody takes responsibility for the fraud. The websites that promote the products are registered under fake companies and claim not to know the final product vendors, and the advertisement network claims that it does not monitor what is promoted on its platform, and so on. One thing is guaranteed though: victims get scammed and everyone in the network gets paid for their “services”.
Tracking actions
The responsibility of M1 can easily be investigated by checking the products associated with the domains that M1 uses to track conversion data (aka postback URLs). We looked into a dozen domains associated with M1 postback URLs, and all of them have been reported for fraud.
Kadam Advertisement and M1 Shop tutorial
To our surprise we discovered that the Kadam Advertisement Network has published a guide explaining how to promote products offered in the “M1 Shop”. The guide includes references to the domain nametovar{.}com, where we found landing pages for dozens of products promoted by “TD Globus Contract”.
Finding more domains
The fact that the URLs used by M1 for their promotions share similar patterns, and that we found many such domains hosted at ALTUSHOST B.V. (AS51430), helped us find even more domains promoting products that are supposedly delivered against payment on collection (cash on delivery).
How was geolocation achieved?
The fake articles resembling the look and feel of Rappler and CNN contained, in multiple places, links to the “Bitcoin Method” of the form:
https://ultimainv.website/?_lp=1&_token=uuid_3k1r3oh3uq25_3k1r3oh3uq2565c34afe377a18.76439029
The link carries two parameters, _lp and _token, that are commonly used by the advertisement tracker “Keitaro”. Keitaro offers geolocation features and was likely used to geofence the campaign.
According to Keitaro, M1 is one of their partners.
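As an added example (not code from Qurium or from the sites investigated), a small triage script that pulls both kinds of identifiers described in this report out of a landing page: the api.m1.top send_order postback with its ref and product_id, as found in the JavaScript of the “TD Globus Contract” sites, and Keitaro-style links carrying _lp and _token, as found in the clone articles. The sample page is constructed; the ref/product_id pair and the _token value are the ones quoted for ultimainv.website, the forwarding script is a stand-in, and joining ref and product_id with & is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Endpoint the scam sites forward name/phone to (from the report). Its query string
# carries the affiliate's ref and the product id, which is what an analyst pivots on.
CPA_HOSTS = {"api.m1.top"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def classify_url(url: str):
    """Return ("m1_postback", ref, product_id), ("keitaro", lp, token) or None."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.hostname in CPA_HOSTS and parts.path.startswith("/send_order"):
        return ("m1_postback", q.get("ref"), q.get("product_id"))
    if "_lp" in q and "_token" in q:          # Keitaro-style tracker link
        return ("keitaro", q["_lp"], q["_token"])
    return None

class LinkCollector(HTMLParser):
    """Gather URLs from href/src/action attributes and from inline script text."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)
    def handle_data(self, data):               # script bodies arrive here too
        self.urls.extend(URL_RE.findall(data))

def scan_page(html: str) -> dict:
    """Map each indicator type to the sorted set of identifiers found on the page."""
    collector = LinkCollector()
    collector.feed(html)
    hits = {"m1_postback": set(), "keitaro": set()}
    for url in collector.urls:
        hit = classify_url(url)
        if hit:
            hits[hit[0]].add(hit[1:])
    return {kind: sorted(found) for kind, found in hits.items()}

# Constructed landing page. The ref/product_id pair and the _token value are the ones
# quoted in the report for ultimainv.website; the order script itself is a stand-in.
SAMPLE_HTML = """<html><body>
<a href="https://ultimainv.website/?_lp=1&_token=uuid_3k1r3oh3uq25_3k1r3oh3uq2565c34afe377a18.76439029">Read</a>
<form id="order"><input name="name"><input name="phone"></form>
<script>
  function sendOrder(f) {
    fetch("https://api.m1.top/send_order/?ref=67558&product_id=8485", {method: "POST", body: new FormData(f)});
  }
</script>
</body></html>"""
```

The same ref value recurring across unrelated shop domains is the signal the report uses to tie them to one affiliate, so the tuples returned by scan_page are what you would cross-reference between sites.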
Conclusions
In early February 2024, the domain name ultimainv{.}website was used to distribute fake look-alike articles from CNN and Rappler and a fake video of Maria Ressa promoting the “Bitcoin Method”.
Such articles were then promoted as Ads in the Microsoft Network in the Philippines using the title “The end for her?”.
An error during the preparation of the defamation campaign against the journalist exposed, on the newly registered domain, a webpage offering a “Handy Heater”. The page was quickly replaced by the malicious pages intended for the campaign.
The analysis of the different types of content hosted on the domain ultimainv{.}website from January 2024 provides strong links to a network of malicious advertisers involved in several cases of online fraud associated with ООО “МЕДИАР” (aka M1), a Russian CPA advertisement network.
Appendix 1: Details of timeline
Time | Event | Comment |
---|---|---|
28 November 2023 | Exif data, PNG | 5/6/7.png (CNN), 7.png (Rappler) |
30 November 2023 | Exif data, PNG | 4.png (CNN), 4/5/6.png (Rappler) |
10 January 2024 | ultimainv.website registered | 2024-01-10T19:19:52.0Z |
11 January 2024 | urlscan.io information | @ecarlesi flags the page as malicious |
23 January 2024 | bitcoinmethod.com hosting change | Website moves from Amazon to Cloudflare |
24 January 2024 | Facebook page created | ID 03322809538341 |
25 January 2024 | Bing cache copy of the page | contains popup-m1 / Riscaldatore portatile |
26 January 2024 | Rappler article scraped | content="2024-01-26T11:00:00+00:00" |
31 January 2024 | CNN Wistia video uploaded | "uploadDate":"2024-01-31T11:44:32.000Z" |
31 January 2024 | Rappler Wistia video uploaded | "uploadDate":"2024-01-31T11:44:32.000Z" |
5 February 2024 | CNN article scraped | Published Feb 05, 2024, 1:21:20 PM |
5 February 2024 | CNN lander timestamp | contains lander/mary-rapler_1707133147 (February 5, 2024 11:39:07 AM) |
5 February 2024 | Facebook video released | |
Media
- [4 Mar 2024] Windows Report: A scam network used a deepfake video of Maria Ressa to trick people
- [3 Mar 2024] Nischad: Manipulated video of Maria Ressa spread by potentially Russian scam network
- [3 Mar 2024] BNN: Deepfake Video Targets Maria Ressa, Linked to Russian Scam Network, Engages Thousands
- [5 Mar 2024] PressOne: ALERT: Deep fake promotes crypto scam while discrediting Ressa
- [3 Mar 2024] Rappler: Russian scam network circulates Maria Ressa deepfake through Facebook, Microsoft’s Bing