January 24, 2020

Top takes: A Facebook drama in three acts

by DFRLab

An exclusive report, in collaboration with Der Spiegel, reveals a network of fake accounts building fake lifetimes in fake ways

January 24, 2020

Top takes: A Facebook drama in three acts

by DFRLab

Share this story
THE FOCUS
Social Media
Top takes: A Facebook drama in three acts

An exclusive report, in collaboration with Der Spiegel, reveals a network of fake accounts building fake lifetimes in fake ways

(Source: @nikaaleksejeva/DFRLab via Liannadavis/Wikimedia Commons)

An online network on Facebook discovered by German media outlet Der Spiegel, which partnered with the DFRLab for its analysis, used hundreds of fake user accounts to craft full lifetimes of often breathless drama by deploying common tactics for creating such fake profiles.

The network of accounts participated in what Facebook — in a statement provided to Der Spiegel and the DFRLab— referred to as “scamming behavior,” putting them out of the range of the company’s qualification as “coordinated inauthentic behavior” (CIB). The latter usually entails concentrated and targeted information manipulation, meant to persuade vulnerable audiences for political or financial purposes. In this case, given the real humans behind the accounts, their proclivity toward fabricating whole lives for fake people, and their private engagement with authentic Facebook users — as revealed by Der Spiegel — the accounts appeared to more closely fit the company’s idea of scams. Both CIB and scams lead to removal from the platform.

A joint investigation between the DFRLab and German newspaper Der Spiegel identified at least 329 accounts engaged in this activity. While many of the accounts had cultivated mature user personas, they also exhibited numerous biographical inconsistencies, linguistic errors, and use of stolen content, all of which ultimately helped expose the network.

While the investigation did not result in a conclusive attribution, the DFRLab found some evidence, such as language use and the time zone of postings, to suggest that at least part of the network may have originated in Latin America. In addition, Der Spiegel discovered that some of the accounts made contact via private messages with real users, a finding the DFRLab was able to corroborate via open-source evidence.

This article outlines the main features of the network. Additional pieces by the DFRLab provide greater detail on the content, coordination, and fake nature of the accounts.

Mature user personas

Many of the accounts had cultivated mature user personas that presented a wealth of detailed biographical information, including work history and education.

Examples of detailed biographical profiles that included work history, education history, and places of residence. (Source: Meredith Kennedy/archive, left; Miguel Angel Singer/archive, middle; Alice Bergmann/archive, right)

Most of the user personas identified themselves as military or law enforcement personnel. Others listed jobs in the tourism, aviation, arts, and fashion industries.

A word cloud of the most represented professions within the inauthentic network, as generated by DFRLab’s own categorization of the accounts. (Source: @nikaaleksejeva/DFRLab)

In terms of nationality, the accounts were diverse, claiming to hail from over 30 countries, including France, the United States, and Syria.

The countries where the supposed users were allegedly located, according to their profiles. (Source: @nikaaleksejeva/DFRLab)

The accounts often listed one another as family members, tagged each other in photos, and engaged in dramatic exchanges in the comment sections of one other’s posts. These interactions suggested that the operators were aware of one another and coordinating to some extent.

Furthermore, both the DFRLab and Der Spiegel found evidence that the fake accounts had engaged authentic users via private messages.

Authentic users commented on Helena Bergmann’s posts, referring to private messages she had sent them (pink boxes). (Source: Helen Bergmann/archive, left; Helen Bergmann/archive, right)

The care that went into crafting the accounts’ personas may have been an attempt to lend the accounts an air of authenticity so as to avoid arousing suspicion when they contacted real individuals.

Biographical inconsistencies

Ironically, the high degree of biographical detail these accounts provided ultimately exposed them by creating greater room for error and inconsistencies in the personas. Some accounts had different names in their Facebook IDs than their screennames, as well as conflicting listed and presenting genders, suggesting that they may have changed identities at some point.

Majid Najm Al-din’s account identified him as female, as did his original ID, but his profile was that of a man’s. (Source: Majid Najm Al-din/archive)

Many accounts from the network did not identify themselves as native English speakers, but those that did made language errors characteristic of non-native speakers.

An example of a post by a Scottish account with English-language errors underlined. (Source: Facebook/archive)

While many accounts were connected to one another via family ties, there were inconsistencies in the accounts they listed as family members. In one case, for example, an account allegedly belonging to a father was clearly that for a woman.

Stolen content

Many accounts from the network used images of “B-List” Latin American celebrities as profile pictures. Slight digital modifications, such as image mirroring and use of visual filters, suggested the accounts took steps to avoid detection via reverse image search.

Alice Bergmann using frame from a video featuring Chilean actress Josefina Montane. (Source: Facebook/archive, left; YouTube/archive, right)

Some accounts copied and pasted text in their posts that originated on fringe media outlets from abroad.

Georg Schonfelder Rommer copied and pasted a list of people from a comment by a user “biersauer” on a post on fringe German blog Ein Parteibuch, a post that itself was taken from Russian fringe media site Southfront.org. (Source: Georg Schonfelder Rommer/archive, left; Ein Parteibuch/archive, right)

Posting charged political content to draw the right crowd

In addition to divulging details about their personal life in emotionally loaded posts, some of the accounts also posted charged political content. The exact nature of the content, however, was likely a superficial aspect of the network, as it was presumably targeting a highly engaged audience that the operators of the network felt might be most susceptible to their scam.

This, in part, explains why the network demonstrated no single or coherent ideological agenda; instead, the accounts seemed to be passionate about disparate political issues, from Kurdish autonomy to the refugee crisis in Europe. Different accounts often contradicted each other in political positioning.

Examples of content the accounts posted. (Source: Vanessa Ferraro Vecchia/archive, top left; George Wozniak/archive, top right; Milan Djokovic/archive, bottom left; Alfred Louis Carter/archive, bottom right)

The one common thread was the likelihood of the content to provoke emotional reactions, a possible tactic to draw in highly engaged users as a part of the scam.

Evidence pointing to Latin America

A few corroborating pieces of evidence suggested that the network might have been, at least in part, operated out of Latin America. Besides using images of Latin American celebrities, many of the accounts allegedly from other parts of the world frequently listed the languages they spoke in Spanish.

Accounts listing the languages they speak in Spanish but not including Spanish on the list. (Source: Miroslav Overchenko/archive, bottom left; Mahir Sawiris/archive, bottom right)

Moreover, the time difference between the posting time and the time displayed on a researcher’s computer (in Central Europe) indicated a six-hour difference that matched with the time zone of eleven Latin American countries.

The time zone of the posting time matched with Latin American countries. (Source: Robert Gautier/archive, left; 24timezones.com/archive, right)

Conclusion

This network was sprawling and longstanding. Some of the most prominent accounts, including Robert Gautier and Helena Bergmann, had been active since 2012–2013, having adopted fairly consistent and well-developed personas. Despite the conviction with which they played their parts, however, biographical inconsistencies and similar patterns of behavior revealed that these accounts were not who they claimed to be.

That the network was inauthentic and coordinated was clear, though the accounts — by Facebook’s own estimation to the DFRLab — were perpetrating “scamming behavior,” thus falling short of the company’s threshold for “coordinated inauthentic behavior.” Assuming the behavior was indeed intended to scam people in some form, it nevertheless remained unclear what the purpose of the scam was.

Some of the accounts posted innocuous special interest content, melodramatic stories, and flirtatious overtures; others were overtly political. The former behaviors are typical of audience-building attempts. On the other hand, the presence of political commentary on a host of divisive sociopolitical issues suggested that the network was deliberately targeting an audience of highly engaged real users it felt could be scammed.

Follow along on Twitter for more in-depth analysis from our #DigitalSherlocks.