How Google Analytics Codes Unearthed a Network of South African Fake News Sites

In July 2015, Lawrence Alexander published a report uncovering a number of ostensibly local, Ukrainian news sites that were actually operated out of the so-called “Troll Factory” of St. Petersburg, at 55 Savushkina Street. Lawrence found the connection between these sites by locating a shared Google Analytics ID, which showed that the sites were managed by a single Google account for tracking traffic statistics. This investigation led to a freelance web designer in Moscow who managed each of the sites, which included both his personal sites and the ones ran out of the St. Petersburg “Troll Factory.” Lawrence wrote a guide for Bellingcat on how to find and track these Google Analytics ID here, and Justin Seitz wrote a follow-up piece on automating the process with a Python script here.

Last month, a group of South African journalists used this method to uncover a series of websites linked to a company in India and the billionaire Gupta family, who have been accused of running disinformation campaigns against South African news organizations for critical coverage of the Gupta family’s business operations. Summaries of this investigation carried out by a group of South African journalists, including from News24, the amaBhungane Centre for Investigative Journalism, and the Daily Maverick‘s Scorpio investigative unit, can be found here and here.

The investigators found connections through WhoIs records, Google Analytics IDs, and AdSense IDs for ten websites, most of which directly target the veracity of the so-called Gupta Leaks and promoting the narrative of “white monopoly capital” (WMC). These sites, as listed by The South African, are: wmcleaks.com, wmcscams.com, dodgysaministers.com, wmc-scams.com, whitemonopolyafrica.com, whitemonopoly.com, fakeguptaleaks.com, publicopinion.co.za, southafricabuzz.co.za and whitemonopolycapital.com.

These sites put on the appearance of being grassroots South African news and investigative outlets, but are all apparently created by “CNET Infosystem,” a web design company based in Noida, Uttar Pradesh, India and ran by a man named Kapil Garg. The investigators detailed a few curious connections between Garg and his company with the billionaire Gupta family, who allegedly set up these sites to smear critics. For example, the Gupta family owns a company with an office in Noida and Garg used email addresses in the names of two Gupta brothers to register two of the ten websites.

Investigators into these websites provided a number of screenshots to Bellingcat to detail their research process. Below, the AdSense ID on publicopinion.co.za is found through searching through the source code. The unearthed AdSense ID was CA-PUB-8264869885899896, which reveals a number of sites related to India apparently developed by CNET Infosystem.

Further searches revealed even more information such as the following reverse AdSense ID search that showed other “news sites” registered to the same ID as publicopinion.co.za

After visiting these sites, we can verify that the codes are indeed the same by viewing the source code, as done earlier with publicopinion.co.za. Just open up the source code, press CTRL + F, and search for the same AdSense ID (CA-PUB-8264869885899896) as found on the other site.

Just as Lawrence Alexander found, some sites have additional tracking codes that may not be on every other site, opening up a new branch of investigation. On the wmc-scams.com site, which shares an AdSense ID with publicopinion.co.za, we can also find a Google Analytics ID in the source code — UA-101199457-4 (the -4 indicating its sequence among other sites with the UA-101199457 ID).

It was not very difficult for the investigators to find details about domain registration, as Kapil Garg did not try to hide important details, such as the screenshot below showing the WhoIs information for ajaygupta.info (referring to one of the Gupta brothers).

Taken all together, and we have a complex web of sites linked together by tracking codes and WhoIs registrations. Justin Seitz weaved together this data in one graphic showing the relationships (click image for full size):

For more information on the investigative process and tips on how you can use these techniques in your own research, see amaBhungane’s breakdown here.

Article source: https://www.bellingcat.com/news/africa/2017/08/04/guptaleaks-google-analytics/