Category Archives: a little sunshine

This Service Helps Malware Authors Fix Flaws in their Code

Almost daily now there is news about flaws in commercial software that lead to computers getting hacked and seeded with malware. But the reality is most malicious software also has its share of security holes that open the door for security researchers or ne’er-do-wells to liberate or else seize control over already-hacked systems. Here’s a look at one long-lived malware vulnerability testing service that is used and run by some of the Dark Web’s top cybercriminals.

It is not uncommon for crooks who sell malware-as-a-service offerings such as trojan horse programs and botnet control panels to include backdoors in their products that let them surreptitiously monitor the operations of their customers and siphon data stolen from victims. More commonly, however, the people writing malware simply make coding mistakes that render their creations vulnerable to compromise.

At the same time, security companies are constantly scouring malware code for vulnerabilities that might allow them peer to inside the operations of crime networks, or to wrest control over those operations from the bad guys. There aren’t a lot of public examples of this anti-malware activity, in part because it wades into legally murky waters. More importantly, talking publicly about these flaws tends to be the fastest way to get malware authors to fix any vulnerabilities in their code.

Enter malware testing services like the one operated by “RedBear,” the administrator of a Russian-language security site called Krober[.]biz, which frequently blogs about security weaknesses in popular malware tools.

For the most part, the vulnerabilities detailed by Krober aren’t written about until they are patched by the malware’s author, who’s paid a small fee in advance for a code review that promises to unmask any backdoors and/or harden the security of the customer’s product.

RedBear’s profile on the Russian-language xss[.]is cybercrime forum.

RedBear’s service is marketed not only to malware creators, but to people who rent or buy malicious software and services from other cybercriminals. A chief selling point of this service is that, crooks being crooks, you simply can’t trust them to be completely honest.

“We can examine your (or not exactly your) PHP code for vulnerabilities and backdoors,” reads his offering on several prominent Russian cybercrime forums. “Possible options include, for example, bot admin panels, code injection panels, shell control panels, payment card sniffers, traffic direction services, exchange services, spamming software, doorway generators, and scam pages, etc.”

As proof of his service’s effectiveness, RedBear points to almost a dozen articles on Krober[.]biz which explain in intricate detail flaws found in high-profile malware tools whose authors have used his service in the past, including; the Black Energy DDoS bot administration panel; malware loading panels tied to the Smoke and Andromeda bot loaders; the RMS and Spyadmin trojans; and a popular loan scan script.

ESTRANGED BEDFELLOWS

RedBear doesn’t operate this service on his own. Over the years he’s had several partners in the project, including two very high-profile cybercriminals (or possibly just one, as we’ll see in a moment) who until recently operated under the hacker aliases “upO” and “Lebron.”

From 2013 to 2016, upO was a major player on Exploit[.]in — one of the most active and venerated Russian-language cybercrime forums in the underground — authoring almost 1,500 posts on the forum and starting roughly 80 threads, mostly focusing on malware. For roughly one year beginning in 2016, Lebron was a top moderator on Exploit.

One of many articles Lebron published on Krober[.]biz that detailed flaws found in malware submitted to RedBear’s vulnerability testing service.

In 2016, several members began accusing upO of stealing source code from malware projects under review, and then allegedly using or incorporating bits of the code into malware projects he marketed to others.

up0 would eventually be banned from Exploit for getting into an argument with another top forum contributor, wherein both accused the other of working for or with Russian and/or Ukrainian federal authorities, and proceeded to publish personal information about the other that allegedly outed their real-life identities.

The cybercrime actor “upO” on Exploit[.]in in late 2016, complaining that RedBear was refusing to pay a debt owed to him.

Lebron first appeared on Exploit in September 2016, roughly two months before upO was banished from the community. After serving almost a year on the forum while authoring hundreds of posts and threads (including many articles first published on Krober), Lebron abruptly disappeared from Exploit.

His departure was prefaced by a series of increasingly brazen accusations by forum members that Lebron was simply upO using a different nickname. His final post on Exploit in May 2017 somewhat jokingly indicated he was joining an upstart ransomware affiliate program.

RANSOMWARE DREAMS

According to research from cyber intelligence firm Intel 471, upO had a strong interest in ransomware and had partnered with the developer of the Cerber ransomware strain, an affiliate program operating between Feb. 2016 and July 2017 that sought to corner the increasingly lucrative and competitive market for ransomware-as-a-service offerings.

Intel 471 says a rumor has been circulating on Exploit and other forums upO frequented that he was the mastermind behind GandCrab, another ransomware-as-a-service affiliate program that first surfaced in January 2018 and later bragged about extorting billions of dollars from hacked businesses when it closed up shop in June 2019.

Multiple security companies and researchers (including this author) have concluded that GandCrab didn’t exactly go away, but instead re-branded to form a more exclusive ransomware-as-a-service offering dubbed “REvil” (a.k.a. “Sodin” and “Sodinokibi”). REvil was first spotted in April 2019 after being installed by a GandCrab update, but its affiliate program didn’t kick into high gear until July 2019.

Last month, the public face of the REvil ransomware affiliate program — a cybercriminal who registered on Exploit in July 2019 using the nickname “UNKN” (a.k.a. “Unknown”) — found himself the target of a blackmail scheme publicly announced by a fellow forum member who claimed to have helped bankroll UNKN’s ransomware business back in 2016 but who’d taken a break from the forum on account of problems with the law.

That individual, using the nickname “Vivalamuerte,” said UNKN still owed him his up-front investment money, which he reckoned amounted to roughly $190,000. Vivalamuerte said he would release personal details revealing UNKN’s real-life identity unless he was paid what he claims he is owed.

In this Google-translated blackmail post by Vivalamuerte to UNKN, the latter’s former nickname was abbreviated to “L”.

Vivalamuerte also claimed UNKN has used four different nicknames, and that the moniker he interacted with back in 2016 began with the letter “L.” The accused’s full nickname was likely redacted by forum administrators because a search on the forum for “Lebron” brings up the same post even though it is not visible in any of Vivalamuerte’s threatening messages.

Reached by KrebsOnSecurity, Vivalamuerte declined to share what he knew about UNKN, saying the matter was still in arbitration. But he said he has proof that Lebron was the principle coder behind the GandCrab ransomware, and that the person behind the Lebron identity plays a central role in the REvil ransomware extortion enterprise as it exists today.

Meant to Combat ID Theft, Unemployment Benefits Letter Prompts ID Theft Worries

Millions of Americans now filing for unemployment will receive benefits via a prepaid card issued by U.S. Bank, a Minnesota-based financial institution that handles unemployment payments for more than a dozen U.S. states. Some of these unemployment applications will trigger an automatic letter from U.S. Bank to the applicant. The letters are intended to prevent identity theft, but many people are mistaking these vague missives for a notification that someone has hijacked their identity.

So far this month, two KrebsOnSecurity readers have forwarded scans of form letters they received via snail mail that mentioned an address change associated with some type of payment card, but which specified neither the entity that issued the card nor any useful information about the card itself.

Searching for snippets of text from the letter online revealed pages of complaints from consumers who appear confused about the source and reason for the letter, with most dismissing it as either a scam or considering it a notice of attempted identity theft. Here’s what’s the letter looks like:

A scan of the form letter sent by U.S. Bank to countless people enrolling in state unemployment benefits.

My first thought when a reader shared a copy of the letter was that he recently had been the victim of identity theft. It took a fair amount of digging online to discover that the nebulously named “Cardholder Services” address in Florida referenced at the top of the letter is an address exclusively used by U.S. Bank.

That digging indicated U.S. Bank currently manages the disbursement of funds for unemployment programs in at least 17 states, including Arkansas, Colorado, Delaware, Idaho, Louisiana, Maine, Minnesota, Nebraska, North Dakota, Ohio, Oregon, Pennsylvania, South Dakota, Texas, Utah, Wisconsin, and Wyoming. The funds are distributed through a prepaid debit card called ReliaCard.

To make matters more confusing, the flood of new unemployment applications from people out of work thanks to the COVID-19 pandemic reportedly has overwhelmed U.S. Bank’s system, meaning that many people receiving these letters haven’t yet gotten their ReliaCard and thus lack any frame of reference for having applied for a new payment card.

Reached for comment about the unhelpful letters, U.S. Bank said it automatically mails them to current and former ReliaCard customers when changes in its system are triggered by a customer – including small tweaks to an address — such as changing “Street” to “St.”

“This can include letters to people who formerly had a ReliaCard account, but whose accounts are now inactive,” the company said in a statement shared with KrebsOnSecurity. “If someone files for unemployment and had a ReliaCard in years past for another claim, we can work with the state to activate that card so the cardholder can use it again.”

U.S. Bank said the letters are designed to confirm with the cardholder that the address change is valid and to combat identity theft. But clearly, for many recipients they are having the opposite effect.

“We encourage any cardholders who have questions about the letters to call the number listed on the back of their cards (or 855-282-6161),” the company said.

That’s nice to know, because it’s not obvious from reading the letter which card is being referenced. U.S. Bank said it would take my feedback under advisement, but that the letters were intended to be generic in nature to protect cardholder privacy.

“We are always seeking to improve our programs, so thank you for bringing this to our attention,” the company said. “Our teams are looking at ways to provide more specific information in our communications with cardholders.”

Tech Support Scam Uses Child Porn Warning

A new email scam is making the rounds, warning recipients that someone using their Internet address has been caught viewing child pornography. The message claims to have been sent from Microsoft Support, and says the recipient’s Windows license will be suspended unless they call an “MS Support” number to reinstate the license, but the number goes to a phony tech support scam that tries to trick callers into giving fraudsters direct access to their PCs.

The fraudulent message tries to seem more official by listing what are supposed to be the recipient’s IP address and MAC address. The latter term stands for “Media Access Control” and refers to a unique identifier assigned to a computer’s network interface.

However, this address is not visible to others outside of the user’s local network, and in any case the MAC address listed in the scam email is not even a full MAC address, which normally includes six groups of two alphanumeric characters separated by a colon. Also, the IP address cited in the email does not appear to have anything to do with the actual Internet address of the recipient.

Not that either of these details will be obvious to many people who receive this spam email, which states:

“We have found instances of child pornography accessed from your IP address & MAC Address.
IP Address: 206.19.86.255
MAC Address : A0:95:6D:C7

This is violation of Information Technology Act of 1996. For now we are Cancelling your Windows License, which means stopping all windows activities & updates on your computer.

If this was not You and would like to Reinstate the Windows License, Please call MS Support Team at 1-844-286-1916 for further help.

Microsoft Support
1 844 286 1916”

KrebsOnSecurity called the toll-free number in the email and was connected after a short hold to a man who claimed to be from MS Support. Immediately, he wanted me to type a specific Web addresses into my browser so he could take remote control over my computer. I was going to play along for a while but for some reason our call was terminated abruptly after several minutes.

These kinds of support scams are a dime a dozen, unfortunately. They prey mainly on elderly and unsophisticated Internet users, walking the frightened caller through a series of steps that allow the fraudsters to take complete, remote control over the system. Once inside the target’s PC, the scammer invariably finds all kinds of imaginary problems that need fixing, at which point the caller is asked for a credit card number or some form of payment and charged an exorbitant fee for some dubious service or software.

What seems new about this scam is the child porn angle, which I’m sure will worry quite a few recipients. I say this because over the past few weeks, someone has massively started sending the same type of sextortion emails that first began in earnest in the summer of 2018, and incredibly over the past few days I’ve received almost a dozen emails from readers wondering if they should be concerned or if they should pay the extortion demand.

Here’s a hard and fast rule: Never respond to spam, and certainly not to any email that threatens some negative consequence unless you respond. Doing otherwise only invites more spammy and scammy emails. On the other hand, I fully support the idea of tying up this scammer’s toll-free number with time-wasting calls.

When in Doubt: Hang Up, Look Up, & Call Back

Many security-conscious people probably think they’d never fall for a phone-based phishing scam. But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening. Here’s how one security and tech-savvy reader got taken for more than $10,000 in an elaborate, weeks-long ruse.

Today’s lesson in how not to get scammed comes from “Mitch,” the pseudonym I picked for a reader in California who shared his harrowing tale on condition of anonymity. Mitch is a veteran of the tech industry — having worked in security for several years at a fairly major cloud-based service — so he’s understandably embarrassed that he got taken in by this confidence scheme.

On Friday, April 17, Mitch received a call from what he thought was his financial institution, warning him that fraud had been detected on his account. Mitch said the caller ID for that incoming call displayed the same phone number that was printed on the back of his debit card.

But Mitch knew enough of scams to understand that fraudsters can and often do spoof phone numbers. So while still on the phone with the caller, he quickly logged into his account and saw that there were indeed multiple unauthorized transactions going back several weeks. Most were relatively small charges — under $100 apiece — but there were also two very recent $800 ATM withdrawals from cash machines in Florida.

If the caller had been a fraudster, he reasoned at the time, they would have asked for personal information. But the nice lady on the phone didn’t ask Mitch for any personal details. Instead, she calmly assured him the bank would reverse the fraudulent charges and said they’d be sending him a new debit card via express mail. After making sure the representative knew which transactions were not his, Mitch thanked the woman for notifying him, and hung up.

The following day, Mitch received another call about suspected fraud on his bank account. Something about that conversation didn’t seem right, and so Mitch decided to use another phone to place a call to his bank’s customer service department — while keeping the first caller on hold.

“When the representative finally answered my call, I asked them to confirm that I was on the phone with them on the other line in the call they initiated toward me, and so the rep somehow checked and saw that there was another active call with Mitch,” he said. “But as it turned out, that other call was the attackers also talking to my bank pretending to be me.”

Mitch said his financial institution has in the past verified his identity over the phone by sending him a one-time code to the cell phone number on file for his account, and then asking him to read back that code. After he hung up with the customer service rep he’d phoned, the person on the original call said the bank would be sending him a one-time code to validate his identity.

Now confident he was speaking with a representative from his bank and not some fraudster, Mitch read back the code that appeared via text message shortly thereafter. After more assurances that any additional phony charges would be credited to his account and that he’d be receiving a new card soon, Mitch was annoyed but otherwise satisfied. He said he checked his account online several times over the weekend, but saw no further signs of unauthorized activity.

That is, until the following Monday, when Mitch once again logged in and saw that a $9,800 outgoing wire transfer had been posted to his account. At that point, it dawned on Mitch that both the Friday and Saturday calls he received had likely been from scammers — not from his bank.

Another call to his financial institution and some escalation to its fraud department confirmed that suspicion: The investigator said another man had called in on Saturday posing as Mitch, had provided a one-time code the bank texted to the phone number on file for Mitch’s account — the same code the real Mitch had been tricked into giving up — and then initiated an outgoing wire transfer.

It appears the initial call on Friday was to make him think his bank was aware of and responding to active fraud against his account, when in actuality the bank was not at that time. Also, the Friday call helped to set up the bigger heist the following day.

Mitch said he and his bank now believe that at some point his debit card and PIN were stolen, most likely by a skimming device planted at a compromised point-of-sale terminal, gas pump or ATM he’d used in the past few weeks. Armed with a counterfeit copy of his debit card and PIN, the fraudsters could pull money out of his account at ATMs and go shopping in big box stores for various items. But to move lots of money out of his account all at once, they needed Mitch’s help.

To make matters worse, the fraud investigator said the $9,800 wire transfer had been sent to an account at an online-only bank that also was in Mitch’s name. Mitch said he didn’t open that account, but that this may have helped the fraudsters sidestep any fraud flags for the unauthorized wire transfer, since from the bank’s perspective Mitch was merely wiring money to another one of his accounts. Now, he’s facing the arduous task of getting identity theft (new account fraud) cleaned up at the online-only bank.

Mitch said that in retrospect, there were several oddities that should have been additional red flags. For one thing, on his outbound call to the bank on Saturday while he had the fraudsters on hold, the customer service rep asked if he was visiting family in Florida.

Mitch replied that no, he didn’t have any family members living there. But when he spoke with the bank’s fraud department the following Monday, the investigator said the fraudsters posing as Mitch had succeeded in adding a phony “travel notice” to his account — essentially notifying the bank that he was traveling to Florida and that it should disregard any geographic-based fraud alerts created by card-present transactions in that region. That would explain why his bank didn’t see anything strange about their California customer suddenly using his card in Florida.

Also, when the fake customer support rep called him, she stumbled a bit when Mitch turned the tables on her. As part of her phony customer verification script, she asked Mitch to state his physical address.

“I told her, ‘You tell me,’ and she read me the address of the house I grew up in,” Mitch recalled. “So she was going through some public records she’d found, apparently, because they knew my previous employers and addresses. And she said, ‘Sir, I’m in a call center and there’s cameras over my head. I’m just doing my job.’ I just figured she was just new or shitty at her job, but who knows maybe she was telling the truth. Anyway, the whole time my girlfriend is sitting next to me listening to this conversation and she’s like, ‘This sounds like bullshit.'”

Mitch’s bank managed to reverse the unauthorized wire transfer before it could complete, and they’ve since put all the stolen funds back into his account and issued a new card. But he said he still feels like a chump for not observing the golden rule: If someone calls saying they’re from your bank, just hang up and call them back — ideally using a phone number that came from the bank’s Web site or from the back of your payment card. As it happened, Mitch only followed half of that advice.

What else could have made it more difficult for fraudsters to get one over on Mitch? He could have enabled mobile alerts to receive text messages anytime a new transaction posts to his account. Barring that, he could have kept a closer eye on his bank account balance.

If Mitch had previously placed a security freeze on his credit file with the three major consumer credit bureaus, the fraudsters likely would not have been able to open a new online checking account in his name with which to receive the $9,800 wire transfer (although they might have still been able to wire the money to another account they controlled).

As Mitch’s experience shows, many security-conscious people tend to focus on protecting their online selves, while perhaps discounting the threat from less technically sophisticated phone-based scams. In this case, Mitch and his bank determined that his assailants never once tried to log in to his account online.

“What’s interesting here is the entirety of the fraud was completed over the phone, and at no time did the scammers compromise my account online,” Mitch said. “I absolutely should have hung up and initiated the call myself. And as a security professional, that’s part of the shame that I will bear for a long time.”

Further reading:

Voice Phishing Scams are Getting More Clever
Why Phone Numbers Stink as Identity Proof
Apple Phone Phishing Scams Getting Better
SMS Phishing + Cardless ATM = Profit

Who’s Behind the “Reopen” Domain Surge?

The past few weeks have seen a large number of new domain registrations beginning with the word “reopen” and ending with U.S. city or state names. The largest number of them were created just hours after President Trump sent a series of all-caps tweets urging citizens to “liberate” themselves from new gun control measures and state leaders who’ve enacted strict social distancing restrictions in the face of the COVID-19 pandemic. Here’s a closer look at who and what appear to be behind these domains.

A series of inciteful tweets sent by President Trump on April 17, the same day dozens of state-themed “reopen” domains were registered — mostly by conservative groups and gun rights advocates.

KrebsOnSecurity began this research after reading a fascinating Reddit thread over the weekend on several “reopen” sites that seemed to be engaged in astroturfing, which involves masking the sponsors of a message or organization to make it appear as though it originates from and is supported by grassroots participants.

The Reddit discussion focused on a handful of new domains — including reopenmn.com, reopenpa.com, and reopenva.com — that appeared to be tied to various gun rights groups in those states. Their registrations have roughly coincided with contemporaneous demonstrations in Minnesota, California and Tennessee where people showed up to protest quarantine restrictions over the past few days.

A “reopen California” protest over the weekend in Huntington Beach, Calif. Image: Reddit.

Suspecting that these were but a subset of a larger corpus of similar domains registered for every state in the union, KrebsOnSecurity ran a domain search report at DomainTools [an advertiser on this site], requesting any and all domains registered in the past month that begin with “reopen” and end in “.com.”

That lookup returned approximately 150 domains; in addition to those named after the individual 50 states, some of the domains refer to large American cities or counties, and others to more general concepts, such as “reopeningchurch.com” or “reopenamericanbusiness.com.”

Many of the domains are still dormant, leading to parked pages and registration records obscured behind privacy protection services. But a review of other details about these domains suggests a majority of them are tied to various gun rights groups, state Republican Party organizations, and conservative think tanks, religious and advocacy groups.

For example, reopenmn.com forwards to minnesotagunrights.org, but the site’s WHOIS registration records (obscured since the Reddit thread went viral) point to an individual living in Florida. That same Florida resident registered reopenpa.com, a site that forwards to the Pennsylvania Firearms Association, and urges the state’s residents to contact their governor about easing the COVID-19 restrictions.

Reopenpa.com is tied to a Facebook page called Pennsylvanians Against Excessive Quarantine, which sought to organize an “Operation Gridlock” protest at noon today in Pennsylvania among its 68,000 members.

Both the Minnesota and Pennsylvania gun advocacy sites include the same Google Analytics tracker in their source code: UA-60996284. A cursory Internet search on that code shows it also is present on reopentexasnow.comreopenwi.com and reopeniowa.com.

More importantly, the same code shows up on a number of other anti-gun control sites registered by the Dorr Brothers, real-life brothers who have created nonprofits (in name only) across dozens of states that are so extreme in their stance they make the National Rifle Association look like a liberal group by comparison.

This 2019 article at cleveland.com quotes several 2nd Amendment advocates saying the Dorr brothers simply seek “to stir the pot and make as much animosity as they can, and then raise money off that animosity.” The site dorrbrotherscams.com also is instructive here.

A number of other sites — such as reopennc.com — seem to exist merely to sell t-shirts, decals and yard signs with such slogans as “Know Your Rights,” “Live Free or Die,” and “Facts not Fear.” WHOIS records show the same Florida resident who registered this North Carolina site also registered one for New York — reopenny.com — just a few minutes later.

Merchandise available from reopennc.com.

Some of the concept reopen domains — including reopenoureconomy.com (registered Apr. 15) and reopensociety.com (Apr. 16) — trace back to FreedomWorks, a conservative group that the Associated Press says has been holding weekly virtual town halls with members of Congress, “igniting an activist base of thousands of supporters across the nation to back up the effort.”

Reopenoc.com — which advocates for lifting social restrictions in Orange County, Calif. — links to a Facebook page for Orange County Republicans, and has been chronicling the street protests there. The messaging on Reopensc.com — urging visitors to digitally sign a reopen petition to the state governor — is identical to the message on the Facebook page of the Horry County, SC Conservative Republicans.

Reopenmississippi.com was registered on April 16 to In Pursuit of LLC, an Arlington, Va.-based conservative group with a number of former employees who currently work at the White House or in cabinet agencies. A 2016 story from USA Today says In Pursuit Of LLC is a for-profit communications agency launched by billionaire industrialist Charles Koch.

Many of the reopen sites that have redacted names and other information about their registrants nevertheless hold other clues, mainly based on precisely when they were registered. Each domain registration record includes a date and timestamp down to the second that the domain was registered. By grouping the timestamps for domains that have obfuscated registration details and comparing them to domains that do include ownership data, we can infer more information.

For example, more than 50 reopen domains were registered within an hour of each other on April 17 — between 3:25 p.m. ET and 4:43 ET. Most of these lack registration details, but a handful of them did (until the Reddit post went viral) include the registrant name Michael Murphy, the same name tied to the aforementioned Minnesota and Pennsylvania gun rights domains (reopenmn.com and reopenpa.com) that were registered within seconds of each other on April 8.

A large number of “reopen” domains were registered within the same one-hour period on April 17, and tie back to the same name used in the various reopen domains connected to gun rights groups. A link to the spreadsheet where this screen shot is drawn from is included below.

A Google spreadsheet documenting much of the domain information sourced in this story is available here.

No one responded to the email addresses and phone numbers tied to Mr. Murphy, who may or may not have been involved in this domain registration scheme. Those contact details suggest he runs a store in Florida that makes art out of reclaimed or discarded items.

Update, April 21, 6:40 a.m. ET: Mother Jones has published a compelling interview with Mr. Murphy, who says he registered thousands of dollars worth of “reopen” and “liberate” domains to keep them out of the hands of people trying to organize protests. KrebsOnSecurity has not be able to validate this report, but it’s a fascinating twist to this tale: How an ‘Old Hippie’ Got Accused of Astroturfing the Right-Wing Campaign to Reopen the Economy

Update, April 22, 1:52 p.m. ET: Mr. Murphy told Jacksonville.com he did not register reopenmn.com or reopenpa.com, contrary to data in the spreadsheet linked above. I looked up each of the records in that spreadsheet manually, but did have some help from another source in compiling and sorting the information. It is possible the registration data for those domains got transposed with reopenmd.com and reopenva.com, which included Mr. Murphy’s information prior to being redacted by the domain registrar.

Original story:

As much as President Trump likes to refer to stories critical of him and his administration as “fake news,” this type of astroturfing is not only dangerous to public health, but it’s reminiscent of the playbook used by Russia to sow discord, create phony protest events, and spread disinformation across America in the lead-up to the 2016 election.

This entire astroturfing campaign also brings to mind a “local news” network called Local Government Information Services (LGIS), an organization founded in 2018 which operates a huge network of hundreds of sites that purport to be local news sites in various states. However, most of the content is generated by automated computer algorithms that consume data from reports released by U.S. executive branch federal agencies.

The relatively scarce actual bylined content on these LGIS sites is authored by freelancers who are in most cases nowhere near the localities they cover. Other content not drawn from government reports often repurpose press releases from conservative Web sites, including gunrightswatch.com, taxfoundation.org, and The Heritage Foundation. For more on LGIS, check out the 2018 coverage from The Chicago Tribune and the Columbia Journalism Review.