The Iranian regime has been caught once again spreading misinformation and ‘fake news’ online, according to a report published on May 14, 2019 by a research group at the University of Toronto.
‘Endless Mayfly’ is an Iran-aligned network of inauthentic websites and online personas used to spread false and divisive information primarily targeting Saudi Arabia, the United States, and Israel, according to the report published by Citizen Lab.
Endless Mayfly publishes divisive content on websites that impersonate legitimate media outlets. Inauthentic personas are then used to amplify the content into social media conversations. In some cases, these personas also privately and publicly engage journalists, political dissidents, and activists, Citizen Lab said.
Once Endless Mayfly content achieves social media traction, it is deleted and the links are redirected to the domain being impersonated. This technique creates an appearance of legitimacy, while obscuring the origin of the false narrative. Citizen Lab calls this technique “ephemeral disinformation”.
Citizen Lab’s investigation identifies cases where Endless Mayfly content led to incorrect media reporting and caused confusion among journalists, and accusations of intentional wrongdoing. Even in cases where stories were later debunked, confusion remained about the intentions and origins behind the stories.
Despite extensive exposure of Endless Mayfly’s activity by established news outlets and research organizations, the network is still active, albeit with some shifts in tactics, the report said.
Citizen Lab’s investigation tracked the Endless Mayfly network between April 2016, when the first known Twitter persona associated with the network was created, to November 2018. During this period, Citizen Lab monitored the personas’ Twitter activity, the reach of their content, and engagement with journalists and other figures online. In total, the research group identified 135 inauthentic articles, 72 domains, 11 personas, 160 persona bylines, and one false organization.
Endless Mayfly created at least 135 inauthentic articles and 72 lookalike domains that they controlled. Most of these domains impersonated well-known media outlets, although a small handful masqueraded as other websites, such as a German government website, Twitter, and a pro-Daesh website.. Typically, the sites and the inauthentic articles they hosted were built with scraped content and code elements from the target websites. The sites disseminated a range of critical narratives as well as false and misleading stories.
Most of the Endless Mayfly content is written with a dry and matter-of-fact tone, but in some cases the inauthentic content takes a more breathless, emotional approach. The writing tends to include grammatical and typographical errors, suggesting that it is written by non-native English speakers.
Endless Mayfly made extensive use of typosquatting, which is the intentional registration of a domain name that takes advantage of typographical variants of the target domain name. While typosquatting itself is not a new phenomenon and the registration of such domains may be legal, the technique is regularly used for criminal activities, phishing, and other dubious practices.
In addition to the personas, a network of pro-Iran websites aided in the dissemination of the inauthentic articles. In total, Citizen Lab documented 353 pages across 132 domains that referenced or linked back to the inauthentic articles.
The top ten domains that most frequently referenced the inauthentic articles are IUVM Press, AWD News, Whatsupic, Yemen Press, Middle East Press, Podaci Dana, Instituto Manquehue, Liberty Fighters, Real Nienovosti and Rasid. Of the top 10, eight (IUVM Press, Whatsupic, AWDNews, Yemen Press, Instituto Manquehue, and RealNienovosti.com) all share the same IP address or registration details, indicating they may be controlled by the same actor. There is no overlap in registration information or IP addresses between Endless Mayfly and the republishing network, however.
The Iranian regime has published a host of misinformation and ‘fake news’ reports against the leading Iranian opposition group People’s Mojahedin Organization of Iran (PMOI or Mujahedin-e Khalq, MEK) and Iranian opposition leader Maryam Rajavi on IUVM Press, AWD News, Whatsupic, Yemen Press, and Liberty Fighters.
Like Endless Mayfly’s personas, these websites claim to report on the news in an independent and unbiased fashion, but primarily push stories that align with the Iranian regime’s interests. For example, a PDF document titled “Statute” was found on iuvm[.]org that explicitly states that they are against “the activities and projects of global arrogance states, the imperialism and Zionism” and that “The headquarters of the Union is located in the Tehran –capital of Islamic Republic of Iran–.”
In August 2018, in coordination with FireEye and through their own investigations, Facebook, Google, and Twitter announced that they had removed hundreds of accounts for “coordinated manipulation” linked to Iran. Many of these accounts were associated with websites that had been identified as part of Endless Mayfly’s republishing network.
For example, Instituto Manquehue, which FireEye details in their report, had either linked to or republished content from the inauthentic articles 11 times. According to FireEye, Instituto Manquehue had originally used the Iranian name servers damavand.atenahost.ir and alvand.atenahost.ir and had been registered with an email address that had also been used to register another Farsi-language website. Another website identified in FireEye’s report is Real Progressive Front, which also hosted several articles attributed to one of Endless MayFly’s personas.
In addition, investigations by Reuters and the Digital Forensic Research Lab found that IUVM Press, which is responsible for the majority of linkbacks and references to Endless Mayfly’s inauthentic articles, is also linked to the Iran-aligned operation first identified by FireEye.
Typically, after the inauthentic articles were posted to Twitter, amplified by third parties, or covered by mainstream media, Endless Mayfly deleted the content and redirected visitors to the legitimate media outlets that they were impersonating. The redirects were usually removed after some time and the website taken down.
The Endless Mayfly content, however, would often remain in the caches of social media platforms, leaving a trail of posts that appeared authentic at a cursory glance. Although the links no longer pointed to the article, clicking on the associated links would lead to the genuine news outlet, until the websites were taken down completely. This deceptive technique further amplified the sense of a genuine story. In other cases, Endless Mayfly tweeted screenshots of the spoofed websites and their falsified content, further cementing the impression of a legitimate story.
The Citizen Lab report said: “The narratives used by Endless Mayfly best fit the interests of Iran and its political rhetoric. In addition, Endless Mayfly has an apparently close relationship with a republishing network that has been linked by FireEye, other investigations, and social media platforms to an Iranian government-backed disinformation operation.”
“Endless Mayfly’s narratives systematically benefit Iranian interests or fit within familiar propaganda narratives already used by the Iranian government. For example, the extensive critical content concerning Saudi Arabia fits with themes that are regularly observed in Iranian public statements and propaganda.”
“During its many years of activity, Endless Mayfly produced extensive content that targeted Iran’s traditional adversaries by amplifying narratives that either frame these states in a negative light or imply discord between them and their allies. These narratives, which are consistent with Iran’s foreign policy goals and position on Saudi Arabia, the United States, and Israel, were propagated by a republishing network that has been attributed to Iran by multiple independent groups. Finally, we find no evidence supporting the possibility that the operation was a false flag, or that it was the product of commercial interests,” Citizen Lab wrote, adding that “Iranian sponsorship of the operation, is the most plausible.”
Citizen Lab’s report concluded:
“Based on the evidence gathered from our investigation, we conclude with moderate confidence that Iran or an Iran-aligned actor operating the Endless Mayfly network systematically attempted to influence global perceptions, presumably to achieve geopolitical outcomes, using a stream of false and misleading content. The campaign was neither strikingly clever nor particularly sensitive to the culture of the intended audience. However, it eluded blocking and detection for years, generated some social media engagement, and achieved a few successful cross-overs into mainstream news.”
“The geopolitical, cultural threats posed by Endless Mayfly are difficult to measure. It is unclear how much demand they generated for the stories and narratives they were promoting, or whether they had a meaningful impact that swayed public opinion. Competing in the “attention economy” is difficult and it is likely Endless Mayfly failed to achieve the kind of impact that its operators and backers hoped for.”
“Although Endless Mayfly employed tactics similar to other known influence operations, such as false content and inauthentic personas, it is distinguished by its strategic use of redirects and content deletion—a technique we describe as “ephemeral disinformation.””