Making Sense of Security

Securing your Digital World.

Making Sense of Security

Probing News Media Disinformation On COVID-19; WHOIS PressTV.com?

Investigative exercise illustrates how to map the infrastructure of suspicious websites

Jonathan Zhang, CEO at Whois XML API

Walnut, Calif. – Apr. 24, 2020

In spite of its tragic health, moral, and economic implications, the COVID-19 pandemic has become a rather lucrative business for cybercriminals. Various scammers have been attempting to trick panicking individuals into divulging their personal details or accessing malware-ridden websites in exchange for what they claim to be valid information.

While that’s disheartening, scams and disinformation are other types of threats that Netizens will have to pay attention to in the next few months. Considering the latter, how widespread could disinformation possibly be?

NewsGuard released an awareness tracker listing down news sites supposedly spreading disinformation about the ensuing pandemic. Like healthcare experts, NewsGuard urges people in search of updates about the virus to only rely on official websites such as that of the World Health Organization (WHO).

We do not intend to judge whether the listed sites are, in fact, spreading inaccurate details about the pandemic (a lot of content consumers may disagree with NewsGuard’s views and list). However, we thought that one’s ability to map out suspected sites’ IT networks may come in handy for a deeper perspective.

So, we decided to review the infrastructure of one of the listed sites — PressTV[.]com — to see what connections could be found.


Is PressTV.com spreading fake news about the novel Coronavirus pandemic?

WhoisXML API takes a look under the hood of this controversial media site


What We Learned from PressTV[.]com’s Infrastructure

For those who may not know, PressTV[.]com is a Tehran-based 24-hour English- and French-language news and documentary site affiliated with the Islamic Republic of Iran Broadcasting (IRIB). IRIB, meanwhile, is a government-owned media corporation founded in 1979 by Reza Ghotbi.

In the past, PressTV has been accused of breaching broadcasting rules (that’s according to Ofcom, U.K.’s communication regulator) and spreading political propaganda. Now, say you want to study the news site more closely and have access to domain intelligence tools like WHOIS Lookup. Here is what you would find looking at PressTV[.] com and irib[.]ir’s WHOIS record:

  • The WHOIS record details have been redacted for privacy, something unusual for a news agency. Bloomberg[.]com and foxnews[.]com, in comparison, both have their WHOIS record details public.
  • There isn’t much information in common between PressTV[.]com and irib[.]ir’s WHOIS records. The latter has a publicly viewable WHOIS record with “islamic republic of iran broadcasting” appearing as the registrant organization.

Let’s now consider the WHOIS records of three domains — PressTV[.]ir, PressTV[.]co[.]uk, PressTV[.]tv — which, according to PressTV[.]com, also host its published content.

  • A WHOIS Lookup query for PressTV[.]ir showed different details than those of PressTV[.]com. Actually, the .ir version shows the same information as that obtained earlier for irib[.]ir. When we tried to access PressTV[.]ir, however, we were redirected to PressTV[.]com automatically, so these two domains are indeed connected.
  • Meanwhile, our WHOIS Lookup query for PressTV[.]co[.]uk returned incomplete data, most likely because it was taken down.
  • The WHOIS Lookup query for PressTV[.]tv showed a privacy-protected WHOIS record as well. Interestingly, when we tried accessing the site, we found that Google Safe Browsing blocked it for potential phishing.

Still relying on domain intelligence tools, what are other ways to find domain names with close ties to a site of interest? By querying “presstv.com” in Reverse WHOIS Search, we found that the following domain names have the search term contained in their WHOIS records:

  • hdmiran[.]ir
  • iroonijat[.]ir
  • presstv[.]vg
  • q4t[.]tv
  • shop-presstv[.]com

Also, given PressTV[.]com’s name server ns1[.]presstv[.]ir (which we identified in our earlier WHOIS lookup query), we were able to obtain 23 more domains via Reverse NS Lookup:

  • hispan[.]net
  • hispan[.]org
  • hispantv[.]com
  • hispantv[.]net
  • hispantv[.]org
  • hispantv[.]ir
  • hausatv[.]com
  • htv[.]mx
  • hdmiran[.]ir
  • iktv[.]ir
  • ifilmtv[.]ir
  • ifilm[.]ir
  • ifilmtv[.]com
  • iranhdm[.]ir
  • irankalatv[.]ir
  • motv[.]ir
  • presstvdoc[.]org
  • ptv[.]io
  • presstvdoc[.]com
  • presstvdoc[.]net
  • q4t[.]tv
  • hispan[.]tv
  • radmedia[.]com

It’s possible to run follow-up WHOIS, reverse WHOIS, and reverse NS lookups on each of these domains to further map out PressTV’s IT infrastructure though doing so goes beyond the intent of this post. From what we can see above, the identified sites show that the news entity has a rather comprehensive network under the hood — with notable interest in Spanish-speaking communities as domain names like hispantv[.]com and hispantv[.]net tend to demonstrate.


Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth

Former White House CIO Theresa Payton’s new book


“Cybersecurity professionals should be versed in the criminal practice of typosquatting in order to fully protect their employees and organizations, especially now with the COVID-19 restrictions that have sent millions of workers home,” says Steve Morgan, founder of Cybersecurity Ventures and editor-in-chief at Cybercrime Magazine. “Cyber Fighters are inundated with a multitude of threats and will sometimes overlook the proactive measures they can take around the growing universe of malicious domains.”

Experts warned that coronavirus misinformation is dangerous, and so paying attention to facts from reliable sources is essential. While this post doesn’t intend to corroborate NewsGuard’s perspective on sites listed as potential spreaders of misinformation, our investigative exercise illustrates how one can go about mapping the infrastructure of suspicious sites.

Disinformation on the Internet, and related cybercrime, is rampant in the U.S.

“The public should be aware of a practice of promoting ‘gray news’ or what I refer to as ‘news or information laundering.’ Much like money laundering, a story with truths and then opinions or claims plant misinformation in the right places so that it gets picked up by other countries’ media — including our own. It’s hard to retrace it back to the original source without studying the digital tracks,” says former White House CIO and cybersecurity expert Theresa Payton.

“Gray market services or information laundering are built for both commercial or nonprofit purpose, many have good intentions and by the way, considered legal to deploy,” adds Payton, author of the book Manipulated. “In the hands of bad-faith actors, this tactic can, unfortunately, promote misinformation, propaganda, and manipulation campaigns. It just takes a few legitimate news accounts or social media accounts to repost and amplify the campaign.”

Whois XML API Archives


Sponsored by Whois XML API

Jonathan Zhang is the founder and CEO of WhoisXML API — a Domain & IP data intelligence provider that empowers all types of cyber-security enterprises to build better products and achieve greater network security with the most comprehensive domain, IP, DNS and cyber-threat intelligence feeds. WhoisXML API also offers a variety of APIs, tools, and capabilities, including Threat Intelligence Platform (TIP) and Domain Research Suite (DRS).

The post Probing News Media Disinformation On COVID-19; WHOIS PressTV.com? appeared first on Cybercrime Magazine.

* This article was originally published here
www.MakingSenseofSecurity.com