https://www.qurium.org/forensics/dark-ops-undercovered-episode-i-eliminalia/

Dark Ops Undercovered: Episode I - Eliminalia

12 April, 2021

Since November 2020, Qurium has received several mails from fake lawyers asking us to remove articles related to corruption in Angola involving
Isabel dos Santos or Vincent Miclet. Two of the investigative websites that Qurium hosts, Maka Angola and The Elephant, have been targeted by such content take-down campaigns. In all cases, the mails have come from legal firms invoking copyright (DMCA) or data protection legislation (GDPR) and asking us to remove the content of a certain page or pages, without revealing the concrete identity of the person who is paying for their legal services.

It is not a coincidence that Maka Angola and The Elephant are targets of this campaign. These investigative media outlets are run by two renowned and internationally awarded anti-corruption champions, Rafael Marques Morais and John Githongo. These men have dedicated their lives to fighting corruption within the elite in their respective countries.

During the past months, Qurium has exchanged dozens of e-mails with different "lawyers" to try to identify who runs these campaigns and what infrastructure is in place to support this kind of business.

This first report summarizes some of our findings and explains how DMCA and data protection regulation such as GDPR are systematically abused to hinder the freedom of the press when investigating corruption or abuses of power.

---------------------------------------------------------------------

In the name of GDPR and the EU Commission

One of these fake emails was sent to one of our providers in the Netherlands (XS4ALL) in February 2021. The mail was sent to their abuse department from the domain abuse-report{.}eu, claiming to be from the Legal Department of the Brussels EU Commission.

The mail was sent by "Raul Soto" and included the address of a Regus office in Brussels. The office name is "Regus Brussels EU Commission", as it happens to be in front of one of the EU Commission's buildings (sneaky!).

The most interesting part of this e-mail is the information that can be extracted from the mail headers, which include the path that the mail took from sender to receiver.
The headers show that the fake mail was sent from a Ukrainian IP address, 62.244.51{.}52, using a server from OVH in France.

    Received: from player690.ha.ovh.net (unknown [10.108.42.88])
        by mo4.mail-out.ovh.net (Postfix) with ESMTP id 5F72826786D
        for i-----------@xs4all.net; Tue, 23 Feb 2021 14:42:37 +0100 (CET)
    Received: from abuse-report.eu (unknown [62.244.51{.}52])
        (Authenticated sender: italy@abuse-report.eu)
        by player690.ha.ovh.net (Postfix) with ESMTPSA id B95541B3DC37B;
        Tue, 23 Feb 2021 13:42:35 +0000 (UTC)
    X-VR-Spamscore: 5
    Delivered-To: i-------------@------.xs4all.net
    X-Mailer: Microsoft Outlook 16.0
    X-Original-To: i------------@------.xs4all.net

[Image: Not all domains under the TLD EU can be trusted...]

The domain (abuse-report.eu), registered in September 2020, seems to have been registered for the sole purpose of sending fake GDPR (data protection) complaints. The domain lacks a website and other contact details.

After checking what was hosted on the Ukrainian IP address, we quickly found that the company Eliminalia was behind the fake setup. Badly configured services show the names "ELIMINALIA KIEV" and "ELIMINALIA BCN" in both Censys and Shodan.

Eliminalia is registered as a company in Spain (Eliminalia 2013 SLU), in Florida, USA (Maidan Holding/Eliminalia USA LLC) and in Ukraine. All of these companies have Diego (Didac) Sanchez Jimenez/Gimenez as director.

When looking into the Internet infrastructure of Eliminalia in Ukraine, we found that several of their servers are in the range 62.244.51.50 - 62.244.51.58.
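Returning to the mail headers quoted above, this is one way to read such a Received chain programmatically (an added example, not Qurium's tooling). It uses the two Received lines as printed in the article; the function names and the "oldest public peer" rule are assumptions of this sketch.

```python
import ipaddress
import re
from email import message_from_string

# Header lines as printed in the article (recipient redacted, IP defanged there).
RAW = (
    "Received: from player690.ha.ovh.net (unknown [10.108.42.88])\n"
    "\tby mo4.mail-out.ovh.net (Postfix) with ESMTP id 5F72826786D\n"
    "\tfor i-----------@xs4all.net; Tue, 23 Feb 2021 14:42:37 +0100 (CET)\n"
    "Received: from abuse-report.eu (unknown [62.244.51{.}52])\n"
    "\t(Authenticated sender: italy@abuse-report.eu)\n"
    "\tby player690.ha.ovh.net (Postfix) with ESMTPSA id B95541B3DC37B;\n"
    "\tTue, 23 Feb 2021 13:42:35 +0000 (UTC)\n"
    "X-Mailer: Microsoft Outlook 16.0\n\n"
)
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)"
    r".*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>\S+)", re.S)
AUTH = re.compile(r"Authenticated sender:\s*([^)\s]+)")

def refang(text):
    """Undo report-style defanging so the addresses parse again."""
    return text.replace("{.}", ".").replace("[.]", ".")

def parse_hops(raw):
    """Return the Received hops in header order (newest first)."""
    hops = []
    for value in message_from_string(refang(raw)).get_all("Received", []):
        m = HOP.search(value)
        if not m:
            continue  # hop in a format we do not recognise: skip, never guess
        hop = m.groupdict()
        auth = AUTH.search(value)
        hop["auth_sender"] = auth.group(1) if auth else None
        hop["public"] = ipaddress.ip_address(hop["ip"]).is_global
        hops.append(hop)
    return hops

def submission_origin(hops):
    """Oldest hop with a public peer address: the client that handed the mail in.
    Trust it only if the server that wrote the hop ('by') is one you trust."""
    for hop in reversed(hops):
        if hop["public"]:
            return hop
    return None

if __name__ == "__main__":
    o = submission_origin(parse_hops(RAW))
    print(o["ip"], "->", o["by"], o["proto"], "auth:", o["auth_sender"])
```

Received lines are prepended by each server, so the list is read bottom-up; anything below the first hop written by a server you trust can be forged by the sender.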
Within this IP range we find:

    62.244.51.50    Eliminalia BCN
    62.244.51.51    INTERFIV (aka Subrogalia)
    62.244.51.52    Eliminalia KIEV
    62.244.51.53
    62.244.51.54    server1.world-intelligence{.}uk
    62.244.51.55    server2.world-intelligence{.}uk
    62.244.51.56    server3.world-intelligence{.}uk
    62.244.51.57    server4.world-intelligence{.}uk
    62.244.51.58    server5.world-intelligence{.}uk

The servers of the company World Intelligence LTD, which is also registered in the name of Diego Sanchez, host almost 300 fake newspapers used to clone existing websites with the purpose of "de-indexing" content from search engines and running all sorts of "information campaigns". The complete list of 300 fake newspapers (domains) is available here.

[Image: The UK company World Intelligence LTD, registered in the name of Diego Sanchez Gimenez.]

Tampered Clones to de-index from Search Engines

At least four domain names (of the list of 300 domains) emulating news media were used in the effort to remove content from the investigative media Maka Angola and The Elephant (Kenya).

    journalinvestigation.com
    makangola24.com
    nouvellescorrompues.com
    posterpoliticiens.com

[Image: Clone of a Maka Angola article on the servers of Eliminalia, Ukraine]

300 websites on the move

The 300 domain names registered by World Intelligence/Eliminalia since 2019 have several commonalities:

[Image: Number of fake websites per month]

* They were hosted at the Spanish provider "Loading ES", later moved to OVH in France/Germany and finally to the Ukrainian provider LuckyNet.
* The use of these SPF (TXT) records:
  + IN TXT "v=spf1 +a +mx +a:worldreputation.loading.net include:_spf.loading.es -all",0,0
  + IN TXT "v=spf1 +a +mx +a:ns3171704.ip-51-210-1.eu -all",0,0
* The use of NJALLA.NO as DNS provider.

Some of these domains were already spotted as suspicious by Kyle Ehmke, Threat Connect, in February 2020, when they were hosted in Spain (Loading ES) and France/Germany (OVH).
---------------------------------------------------------------------

Dark Ops Methods - a review

Let us review some of the Dark Ops techniques used by Eliminalia to eliminate, modify or de-index content from the Internet.

1. FAKE DMCA: Create a copy of the target content, publish it under another domain and backdate it. File a DMCA complaint to Google.

[Image: DMCA complaint to Google.]

Thanks to the research access granted to the Lumen Database from the Berkman Center, Qurium could find several identities used by Eliminalia to file fake DMCA complaints. In the example, all of them used the website jhonsonconsultores{.}wordpress.com to report the DMCA violations.

[Image: The domain jhonsonconsultores{.}wordpress.com has been frequently used to file DMCA.]

2. FAKE GDPR: Send fake abuse reports using fake "legal e-mails" and domain names, such as abuse-report{.}eu.

3. TAMPERED CLONES: Clone the newspapers' content in alternative domains to push down the search results of Google.

One method to push down results in search engines is to clone the full content of a website and publish it under similar domains. During the cloning of the content, articles that their clients do not want to see published are dropped.

To filter out those unwanted articles, Eliminalia uses the "WordPress Automatic Plugin". By means of regular expressions, the plugin avoids copying the articles that the clients of Eliminalia paid them to remove from the search engines.

[Image: The fake site makaangola24 is using WordPress Automatic Plugin to drop non-wanted content from the cloning process.]

This strategy is consistent with the definition of de-indexing in their contracts.

4. CAMPAIGN BOTS: Use dozens of registered domains to run disinformation campaigns against a target.

How are the tampered clones being used?
Our first challenge during the forensic analysis was to understand how the 300 different websites were used and whether they were used in a coordinated manner. In order to answer that question, we collected 3,000 articles from the newspapers during one month.

[Image: Green: 246 Websites, Red: 2779 Articles]

We assigned a unique identifier to each of the articles by hashing the content and imported all the data into a "Gephi Visualization". The first finding, after applying the ForceAtlas2 algorithm, was that many of the newspapers shared common articles and that groups of them posted the same content simultaneously.

[Image: ForceAtlas2 (Gephi) algorithm cluster]

When looking closer into the relationships of the clusters, we found the following types of groups:

1. Orphan: Websites whose front-page articles do not appear on other domains (e.g. lachapiadora{.}com). These websites were part of an old campaign (see Google Search results) and the articles are no longer on the front page of other newspapers.

2. Share-2: Two newspapers sharing common articles, such as lanacionec{.}com and boletinecuador{.}com.

3. Share-4: Four newspapers sharing the same articles, as in the case of the Maka Angola de-index campaign. Their clones pull articles from the original website makaangola.org, avoiding the content that they want to de-index.

4. Share-N: Coordinated clusters with country-based campaigns, such as the one from Venezuela.

[Image: Fake website used in a twitter campaign]

5. Share-N+: Highly coordinated clusters, such as the one from Santo Domingo.

6. Share-GeoKaos-N: Coordinated websites without geographical coherence (24 Angola, Argelia News, Africa24 Horas).

7. Share-UK: A highly coordinated cluster with members using the top level domain .uk.
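The hashing-and-grouping step described above, as an added example that is not Qurium's code: it hashes normalised article text and groups sites through shared hashes, using connected components (union-find) in place of the Gephi/ForceAtlas2 visualisation. The sample crawl, the site names and the size-based labels are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample crawl: (site, article text). Placeholder names, not the article's domains.
CRAWL = [
    ("site-a.example", "Minister  denies claims.\n"),
    ("site-b.example", "minister denies claims."),
    ("site-c.example", "Local team wins cup"),
    ("site-d.example", "Local team wins cup"),
    ("site-e.example", "LOCAL TEAM WINS CUP "),
    ("site-f.example", "Local team wins cup"),
    ("site-f.example", "Port expansion approved"),
    ("site-g.example", "An article nobody else carries"),
]

def article_id(text):
    """Hash of whitespace- and case-normalised text, so re-flowed copies collide."""
    norm = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()

def site_clusters(crawl):
    """Group sites that are linked through at least one shared article hash."""
    sites_by_article = defaultdict(set)
    for site, text in crawl:
        sites_by_article[article_id(text)].add(site)
    parent = {site: site for site, _ in crawl}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for sites in sites_by_article.values():
        first, *rest = sorted(sites)
        for other in rest:
            parent[find(other)] = find(first)
    groups = defaultdict(set)
    for site in parent:
        groups[find(site)].add(site)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (len(g), g))

def label(cluster):
    """Size-based label in the spirit of the list above (the mapping is an assumption)."""
    return {1: "Orphan", 2: "Share-2", 4: "Share-4"}.get(len(cluster), "Share-N")
```

Exact hashing only links verbatim or trivially re-flowed copies; clones that drop or alter paragraphs need a similarity measure rather than a single digest.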
Apart from trying to de-index content from Google Search, we found that groups of websites are used for:

* Wide Campaigns: A high-level analysis shows that a dozen domains are used in a coordinated fashion and that some articles are pushed into several websites that by default are cloning existing content from legitimate websites. For example, the campaign against FICHUA TANZANIA used social media and a cluster of websites to distribute the fake news.

[Image: High number of websites are linked by few articles that are part of a wide-campaign]

* Country-Based Campaigns: Some clusters of domains, like the one from Santo Domingo or Taiwan, deploy dozens of websites with consistent common content (K-core = 6).

Conclusions

During our forensic analysis we could determine that Eliminalia:

* Creates fake domain names such as abuse-report{.}eu to impersonate the EU Commission and send mails with GDPR take-down requests.
* Submits fake DMCA complaints to Google. The complaints include references to backdated articles that are copies of the original.
* Clones original articles from websites, removing part of the content, to de-index content from search engines.
* Uses 300 fake newspapers hosted in Ukraine to support disinformation campaigns in social media.

(Update: 21 April 2020)

During the weeks following the release of this article we have found a few other pieces of evidence. Here are a few updates to the research.

* Using RiskIQ we found new domain names used for the clones, such as elpais-noticias{.}com.
* XS4ALL/KPN has provided us with a Reference Case #4786345 and their acknowledgement of the IP address in the mail they received from abuse-report{.}eu.
* Once we released the first part of our research, the fake clones stopped pulling and cloning the articles from Maka Angola.
* We also discovered that Eliminalia used the SafeCreative service to register articles they did not write, to later file a DMCA complaint.
* During the days after the release of the article we detected four twitter accounts used to pollute the Twitter timeline with bogus content when searching for #Eliminalia.

Media

* April 20, 2021. ElDiario.es: The European Commission investigates the Spanish company Eliminalia for impersonating it in order to erase its clients' traces from the Internet
* April 16, 2021. La Silla Vacia: Company that lied against La Silla, questioned in Europe
* April 14, 2021. @ottoreuss (El Confidencial): UNBELIEVABLE: Eliminalia (Didac Sanchez) posing as lawyers of the European Commission
* April 13, 2021. The Elephant: Dark Web: How Companies Abuse Data and Privacy Protections to Silence Online Media

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

(c) 2021 Qurium Media Foundation