“Fishwrap”: Watch Out for This Cyber Threat on Social Media

Globe connectionsRecorded Future has published their latest research, titled “The Discovery of Fishwrap: A New Social Media Information Operation Methodology“. In the report, author Staffan Truvé discusses Recorded Future’s foray into the detection and analysis of influence operations, both by nation states and other actors. As established by RAND Corporation, influence operations (also known as information operations and warfare), is defined as the “collection of tactical information about an adversary, as well as the dissemination of propaganda in pursuit of a competitive advantage over an opponent.”

From the report, the “fishwrap” technique “recycles old news about terror incidents by publishing them to appear as new. […] This operation is also using a special family of URL shorteners that allow attackers to track click-through from social media posts used in their campaigns.” Many may associate influence operations with the very prevalent term of “fake news”. While this is true to some degree, Recorded Future also explicitly notes that real news is used, too, to cultivate particular opinions in the targeted audience.

Recorded Future provides seven Key Findings from the report, which are summarized below:

  • Recorded Future has developed new algorithms which can detect “seed accounts”, and analyze both the seed and additional accounts that are involved in an influence operation.
  • Behavioral analytics derived from topological methodologies can form the foundation for an analysis that clusters the highest-likelihood participants with the highest degree of similarity.
  • Based on the new algorithm, Recorded Future has discovered Fishwrap, a methodology in which old terror news masquerades as new.
  • Recorded Future analyzed 215 social media accounts that were using the Fishwrap technique.
  • The 215 accounts use a particular kind of associated but different URL shortener services, which track the effectiveness of the operation. These services run the same code, and are hosted on the same commercial infrastructure.
  • Based on the behavioral similarity of the accounts, Recorded Future believes they are all part of the same influence operation.
  • Recorded Future’s research is ongoing – attribution is challenging since account holders are seemingly fictive and the URL shortener services have anonymous registrations.

The HSDL offers many additional resources related to Cyber Crime and National Security, as well as Cyber Infrastructure Protection. Please note: HSDL login is required to view some of these resources.

Need help finding something? Ask one of our librarians for assistance!