BANNER: (Source: @nikaaleksejeva/DFRLab via CrowdTangle and Izklaidetv.lv)

A fringe Latvian media outlet offered Latvian Facebook users €100 EUR in exchange for sharing the outlet’s report that a local woman’s car was stolen. Thousands of Latvian Facebook users shared the story, but the evidence suggested that it is highly unlikely that someone received the money that was promised. Two things were suspicious in the case. First, the report itself was quickly debunked by independent Facebook users. Second, the outlet did not do that which it promised and pay users who shared the story.

This campaign comprised a number of fraudulent online components: a hacked Facebook account; an associated Facebook page used as an intermediary between the account and an external “news” website; the artificial news website itself, which posted at least three articles designed to boost the “stolen car” narrative and to accelerate user engagement via a Facebook Messenger pop-up; and other Facebook accounts participating in inauthentic behavior, in part, by posting comments allegedly confirming the receipt of the reward money. The integration of these components demonstrated increased sophistication, especially in the way Facebook Messenger was used to complete the circle between the hacked account, its accompanying Facebook page, and the external website.

The operators of the scheme put significant effort into making the report of the theft seem authentic. They repurposed a hacked Facebook account to feature the woman who allegedly had her car stolen, then used the woman’s persona to create a Facebook page that allowed them to incorporate the Facebook Messenger plugin into their external website. They also created several inauthentic Facebook user accounts that posted manufactured evidence of receiving €100 EUR in exchange for sharing the content, which on their own would be considered an outright disinformation effort.

These efforts demonstrated an attractive inauthentic amplification strategy: falsely promising social media users a monetary reward in exchange for spreading a false news story in an effort to drive traffic to an external website for financial gains, such as driving up advertising revenue.

As of July 23, 2019, it appeared that the activity was still ongoing, as both the hacked Facebook account and the website appeared still to be active, with the former frequently reposting articles from the latter; as such, this article examines only a select subset of earlier content.

The fringe website, Izklaidetv.lv, published a story suggesting that Kristine Kandere, a woman the outlet identified as a prominent Latvian entrepreneur and restaurateur, offered €100 EUR to each individual who shared an Izklaidetv.lv article about her stolen car that had “important documents” inside.

The story and call to share was incorporated into the same article, which garnered 28,572 engagements, including 17,845 shares on Facebook.

This statistic suggested that, by July 3, 2019, Kandere would have paid up to €1,784,500 EUR to participating individuals. The average small business spends up to around €1,793 EUR a month on advertising. A new Audi Q7 costs from €79,355 EUR to €100,699 EUR in Latvia. Kandere’s budget for the offer was unusually large given the possible value of the car, her listed job title, and the uncertain value of the “important documents” supposedly in the car.

In order to verify the details listed in Kandere’s alleged Facebook account, the DFRLab turned to the world’s largest online search tool, Google Search, which yielded no results that corroborated the existence of a restaurant named “Heirops,” let alone that Kandere was its manager.

Additionally, the featured image used in the Izklaidetv.lv article was stitched together from Kandere’s Facebook profile image and an advertisement of the Audi Q7 that had appeared on Auto24.ee, an Estonian online car dealership.

The display name of Kandere’s Facebook account did not match the account’s profile identification. The account’s profile ID was “kristiana.naroga.9,” which would suggest that the name of the Facebook user was “Kristiana Naroga” and not “Kristine Kandere.”

The DFRLab reached out to the only Facebook user whose screen name was Kristiana Naroga, asking if Kandere’s user account was her former account. She replied that it was and agreed separately that her name and response could be included in this report.

Later, Izklaidetv.lv published an article that contained a screenshot from Kandere’s alleged internet bank payment to a person named Janis Krauklis for sharing the article. The screenshot contained a “personal code,” a unique government-issued ID number for every person legally residing in Latvia. The results from the Latvian Population Register, however, showed that a person with the provided personal code does not exist.

Moreover, Izklaidetv.lv soon published a third article, in which it alleged that someone had found Kandere’s car and that she was now offering €300 EUR to everyone who shared the latest article asking for help with identifying the thief. A Google Image Search revealed that the author of the article retrieved both images of the crashed car from the internet.

The author retrieved the image of the totaled car from an article about a car accident in Karnataka, India. The image from of the vehicle’s interior came from a car retail website called Poctra.com.

The call to action to amplify Kandere’s story became a central campaign on the Izklaidetv.lv homepage. Whenever a new visitor landed on the homepage, a Facebook Messenger message from Kristine Kandere popped up from the bottom right corner of the screen, offering the visitor €300 EUR in exchange for sharing the article.

This pop-up message integration is available for Facebook pages only and not for personal accounts. The DFRLab found a Facebook page named “Kristine Kandere.” Its creation date was June 28, 2019, the same day Kandere’s user account posted the link to the first Izklaidetv.lv article.

By planting the false story about Kandere’s stolen car and subsequently calling on users to share the story across social media, Izklaidetv.lv attempted to gain traction across its website.

The first article garnered 17,845 shares. The second and third articles garnered a respective 4,043 and 4,091 shares — roughly a fourfold decrease in shares from the initial article.

While there was no publicly available data on web traffic to the Izklaidetv.lv site after it published the articles about Kandere, engagement data from CrowdTangle suggested that the campaign achieved a moderate degree of visibility on Facebook. In addition to these shares, 19 users shared the articles on Twitter, which has a considerably lower user base in the Baltic states.

The creators of the amplification campaign tried to gain trust with their audience by providing evidence that people had received money in exchange for sharing the articles, as promised.

They also went to greater lengths to provide proof that the story was genuine. On June 4, Izklaidetv.lv published another article alleging that Kandere had received a threatening letter from the thief. The first 44 comments under the article were individuals verifying that they had received the monetary reward. Most of the commenters used an anonymous comment form that required just a name.

One of the commenters that claimed that he had received the money linked a Facebook user profile to his comment.

Another two Facebook users commented that they had received money in exchange for sharing the previous articles.

All three Facebook accounts that claimed that they had received money shared a suspicious pattern of behavior. Along with the Kandere article, they had also previously shared other Izklaidetv.lv articles almost simultaneously and in the same order.

In July 2018, the DFRLab observed the same behavior pattern among a cohort of Facebook accounts that had amplified a website that shared a false story about the alleged collapse of a shopping mall in Latvia.

At least one of the three accounts was possibly hacked. After Raivis Undzens’s account commented on Izklaidetv.lv’s Facebook post, claiming that he had received the money, a user account named “Iveta Uzilina Raivis Undzens” (the joint account of a couple) wrote that the Facebook profile of Raivis Undzens had been hacked.

Although the clear majority of users who commented under the post on Facebook and on Izklaidetv.lv seemed convinced by the saga of the stolen car, numerous Facebook users pointed out inconsistences and disregarded the post. In the comment below, one of these users called everyone who shared the article “an idiot” and added two links. The second link led to a post in which he debunked the story.

His debunking post garnered 147 reactions, 61 comments, and 476 shares by June 4, 2019.

Many internet users pointed out that the story was most likely false, but many others amplified the series of articles. Among a particular cohort of social media users, the urge to share a story in exchange for even the possibility of receiving a monetary reward overrode public suspicion that the story may have originated from an untrustworthy source.

While the intention or end goal behind this particular manipulated stunt is unknown, it was likely financial, boosting ad revenue for the external website. Nevertheless, a classic technique for disinformation campaigns is building a follower base around an innocuous topic, such as a stolen car, and subsequently pivoting to more politically inflammatory content.

The research was done in collaboration with Latvian fact-checking project “Re:Check”

Follow along for more in-depth analysis from our #DigitalSherlocks.