Facebook shuts down Egyptian disinformation network, bans two marketing companies

Facebook removed more than 1,700 assets linked to Egyptian digital marketing firms targeting audiences in Middle East and North Africa

The NewWaves of Giza-gawa. (@jean_leroux/DFRLab via Wikimedia Commons/archive)

On February 29, 2020, Facebook removed a network of assets engaged in coordinated inauthentic behavior targeting audiences in the Middle East and North Africa (MENA). These assets were linked to two marketing firms, NewWaves and Flexell, that were at the center of two separate purges in August and October 2019, respectively.

In its announcement, Facebook said:

We also removed 333 Facebook accounts, 195 Pages, 9 Groups and 1194 Instagram accounts that were involved in foreign interference emanating from Egypt that focused on countries across the Middle East and North Africa. […] Although the people behind this activity attempted to conceal their identities and coordination, our investigation found links to two marketing firms in Egypt — NewWaves and Flexell. Both these companies and individuals associated with them have repeatedly violated our Inauthentic Behavior policy and are now banned from Facebook.

The DFRLab corroborated the link to NewWaves but was unable to corroborate any direct connection to Flexell.

Ahead of the takedown, Facebook provided the DFRLab a subset of these assets consisting of seven Facebook groups, 73 Facebook pages, and 1,191 Instagram accounts, and the DFRLab was able to corroborate the company’s assessment of inauthentic and coordinated activity among these assets before Facebook removed them.

The assets bear familiar hallmarks reminiscent of previous campaigns orchestrated by marketing companies NewWaves and the similarly named Newave, registered in Egypt and the United Arab Emirates, respectively. In August 2019, the DFRLab published an investigation into the network shortly after Facebook removed those assets.

The investigation found evidence that the network’s Facebook and Instagram assets coordinated their activity and that a related set of Twitter accounts appeared to be a part of the same campaign. The existence of a Twitter network operating in unison with assets on Facebook is also reminiscent of a BuzzFeed investigation into Flexell’s operations published in October 2019. The network repurposed the same memes and images, even across platforms, sometimes performing minor alterations or translations to suit a different audience.

The Instagram and Facebook assets interspersed uplifting and humorous content with politically charged narratives, presumably to garner a wide following before pivoting into regional politics. These assets targeted countries in the MENA region, including Turkey, Iran, Qatar, Bahrain, Sudan, Somalia, and Libya among others, with Facebook adverts meant to promote the network. Despite being targeted at these countries, the administrators for these pages were mostly based in Egypt.

A map of the countries targeted by the network of assets removed by Facebook on March 2, 2020. Some of the assets were linked to NewWaves, the subject of a similar takedown in the region in August 2019. (Source: @jean_leroux / DFRLab)

The DFRLab found that the network created fake Facebook accounts, using publicly available images, to act as administrators for these groups. Most of the Facebook and Instagram assets were postured as females, likely as a means of targeting a male demographic.

Finally, by analyzing the WordPress files the sites used, the DFRLab linked the off-platform websites featured in this subset of Facebook assets to similar websites seen in the earlier takedown of NewWaves assets in August 2019. The main suspect behind this network was NewWaves’s owner, Amr Hussein, who was identified as a former military officer and self-described expert in “internet warfare” in a New York Times piece following the removal of the assets by Facebook. Hussein used the pseudonym “Amr Hussien” for the Facebook profile and website registration records linked to him in this investigation.

Birds of a feather

Each asset’s role within the network varied; while some of the Instagram accounts, Facebook pages, and Facebook groups were overt in their political messaging, others postured as benign platforms sharing humorous or uplifting content, promoting fashion, or presenting as regional civilian news outlets. Still others leveraged large followings to provide engagement to other assets and off-platform websites linked to the network.

The overtly political assets were particularly critical of Turkey’s President Recep Tayyip Erdoğan. Some of the images the assets posted likened Erdoğan to Adolf Hitler by photoshopping the Turkish head of state into a Nazi uniform or adding Hitler’s toothbrush mustache to his appearance.

Screengrabs of Instagram assets that depicted President Erdoğan alongside the Islamic State flag (top left, top right), likened him to Adolf Hitler (bottom right), and crudely photoshopped him into a Nazi uniform sporting Hitler’s mustache (bottom left). The text in the images was translated via Instagram’s built-in Google Translation function. (Source: jaida.samehh, top left; hsanhmahros, top right; aseela2190, bottom left; swuailmm, bottom right)

A subsection of the accounts dedicated to regional interest focused on Yemen, Somalia, the United Arab Emirates, and Lebanon. Yemeni accounts spoke out against infighting and attempted to empower the Yemeni people around a shared discontent for the country’s Al-Islah reform party, which is associated with the Muslim Brotherhood.

The content on these pages spanned the MENA region, and most of the Facebook pages were administered by accounts based in Egypt.

Deja view

The DFRLab’s investigation revealed evidence of coordination between the assets on each platform (e.g., Instagram to Instagram, Facebook to Facebook) as well as across platforms (e.g., Instagram to Facebook).

Screengrabs from several Facebook assets featuring political content the assets engaged in. In particular, Turkish President Erdoğan is likened to Hitler or displayed alongside the Islamic State flag. The same images were used on the Instagram assets below. The text in the images was translated via Instagram’s built-in Google Translation function. (Source: اخبار البحرين [Bahrain News], left; Moroccos news, right)

Images used on Facebook assets were repurposed for use on Instagram assets, and vice versa. The images were altered slightly, presumably using one or more of the application’s built-in filters, in what was likely an attempt to circumvent the platform’s automated detection systems.

Screengrabs from several Instagram assets show the reuse of images between these assets, as well as the reuse of images used by the network’s Facebook assets (middle row, bottom row). The images were altered slightly, possibly to circumvent Instagram’s automated detection systems. In some cases, the text used in the images was translated by the content creators themselves from one account to the next (top row). (Source: marrymaamany, top left; mariamhedrine, top right; aseela2190, centre left; swualmm, centre right; soliman_ayat, bottom left; jaida.samehh, bottom right)

Between the Instagram assets, images were propagated with minor changes to the content. For example, an image of President Erdoğan (found nestled between posts about women’s fashion) was used by different accounts but translated into different languages each time.

This variation in the content suggests intentionality, either responding to the need for original content to build a following or to evade Facebook’s content moderating techniques.

Screengrabs of Instagram assets showing how political content was shared between posts about women’s fashion. The images differed slightly across some of the assets, with the content being translated into multiple languages. (Source: solaf_fakhry, sevdaerdem18, Soliman_ayat, left column, top to bottom; carmen.john3, top center and right; oznur_nadir0, bottom center)
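Why a slightly altered repost defeats exact matching but not perceptual matching can be shown with a difference hash. This is an added example, not code from the DFRLab or Facebook; the pixel grids are constructed, and the simulated filter and the `max_distance` threshold are assumptions.

```python
import hashlib

def downscale(pixels, width, height):
    """Box-average a grayscale image (list of rows, values 0-255)."""
    src_h, src_w = len(pixels), len(pixels[0])
    out = []
    for y in range(height):
        y0, y1 = y * src_h // height, (y + 1) * src_h // height
        row = []
        for x in range(width):
            x0, x1 = x * src_w // width, (x + 1) * src_w // width
            block = [pixels[j][i] for j in range(y0, y1) for i in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out

def dhash(pixels, size=8):
    """64-bit difference hash: one bit per 'is the left cell brighter?'."""
    bits = 0
    for row in downscale(pixels, size + 1, size):
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | int(left > right)
    return bits

def hamming(a, b):
    return bin(a ^ b).count("1")

def sha256_of(pixels):
    return hashlib.sha256(bytes(v for row in pixels for v in row)).hexdigest()

def is_probable_reuse(a, b, max_distance=10):
    # max_distance is an assumed tuning value, not a platform's real threshold
    return hamming(dhash(a), dhash(b)) <= max_distance

# --- constructed sample images (72x64 grayscale), not real network content ---
W, H = 72, 64

def _original_pixel(x, y):
    block = ((5 * (x // 8) + 3 * (y // 8)) * 37) % 200 + 20  # coarse picture
    return block + ((3 * x + 5 * y) % 7) - 3                 # fine texture

ORIGINAL = [[_original_pixel(x, y) for x in range(W)] for y in range(H)]

def repost_with_filter_and_caption(pixels):
    """Simulate a repost: brightness/contrast filter plus a new caption box."""
    out = [[min(255, int(v * 0.9 + 20)) for v in row] for row in pixels]
    for y in range(24, 32):
        for x in range(32, 40):
            out[y][x] = 255  # stand-in for re-typed or translated text
    return out

REPOST = repost_with_filter_and_caption(ORIGINAL)
UNRELATED = [[10 + 3 * x for x in range(W)] for _ in range(H)]

if __name__ == "__main__":
    print("sha256 equal:", sha256_of(ORIGINAL) == sha256_of(REPOST))
    print("dhash distance, repost:", hamming(dhash(ORIGINAL), dhash(REPOST)))
    print("dhash distance, unrelated:", hamming(dhash(ORIGINAL), dhash(UNRELATED)))
    print("flag repost:", is_probable_reuse(ORIGINAL, REPOST))
```

The cryptographic digest changes completely after the filter, while the difference hash moves by only a bit or two, which is why reuse of this kind remains traceable.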

A majority of the observed Instagram assets appropriated female profile pictures and on occasion captioned posts in the first person, asserting female identities. By gendering the accounts as female, the administrators of these assets presumably hoped to maximize their impact on a likely male target audience.

Screengrabs of allegedly female Instagram accounts that assumed inauthentic identities in much the same way as the Facebook assets. (Source: marrymyamany, top left; hsanhmahros, top right; amar_ahmedd, bottom left; sevdaerdem18, bottom right)

Denial Delta

In examining the Facebook pages and groups provided by the company, the DFRLab identified several related and seemingly inauthentic accounts that were responsible for administering and moderating the groups in the subset provided. Facebook confirmed they were connected to the set and subsequently removed these accounts as part of its ongoing continuous enforcement.

The administrator accounts made use of inauthentic profile pictures sourced from elsewhere on the internet. For example, the administrators for the Facebook group صفقه القرن (“Deal of the Century”) used images of Lebanese author and human rights activist Joumana Haddad, Egyptian actress Yasmine Sabry, and an Iranian model for their profile pictures.

A screengrab of the administrator profiles listed for the Facebook group “Deal of the Century,” displayed alongside the results of a Yandex reverse image search performed on some of their profile pictures. Yandex is exceptional at detecting faces and even identified a YouTube thumbnail in which one of the images was used (bottom right). (Source: @jean_leroux/DFRLab via “Deal of the Century,” left; Yandex, right and bottom)

In some of these cases, the accounts reused images used by other administrator accounts. “Hala Mansour,” one of the accounts discovered during the investigation, used the same image as its cover photo that another administrator account, “Farida Hassan” used as its profile photo.

“Hala Mansour,” one of the administrator accounts for the Deal of the Century group, used a picture of an Iranian make-up model found elsewhere on the internet as a cover photo. That same photo was used as a profile picture by “Farida Hassan,” another of the administrator accounts. (Source: Hala Mansour, top; Farida Hassan, bottom)

Using pictures of favorite celebrities or inspirational public figures is not an indicator of inauthentic behavior in and of itself, but when the same behavior appears across multiple, apparently unconnected groups in the network of Facebook assets, it appears less benign.

A screengrab of the administrator profiles listed for another Facebook group, “Iranian poll,” displayed alongside the results of Yandex and Google reverse image searches performed on some of their profile pictures. Yandex was again successful at identifying the faces, whereas Google performed better at identifying the specific image (bottom right). (Source: @jean_leroux/DFRLab via Facebook, Yandex)

Secondly, it appeared that most of the administrator profiles may have been created as recently as early 2020. While new Facebook accounts are constantly created, it is unusual that all the administrators for these groups only recently created their accounts.

Facebook does not publicly provide the creation dates for accounts on the platform. When an account was created, or at least when it became active, can be approximated from changes made to the account’s profile, particularly its profile and cover photos.

A montage indicating the earliest profile changes made to some administrator accounts linked to assets that Facebook shut down. These administrator accounts appear to have been created, or used for the first time, earlier this year. (Source: @jean_leroux/DFRLab via Facebook)

These administrator accounts consistently made changes to their accounts during short windows, usually updating their profile pictures, cover photos, and biographic information in the process.

Badvertizing

The assets in the network were promoted and amplified using Facebook’s advertising platform to target ads for audiences across the entire MENA region. This was despite the fact that the page administrators, when visible, were all based in Egypt at the time.

The prevalence of these adverts, driving paid-for traffic to assets that bear little indication of any commercial interests, is indicative of an influence campaign aimed at these same audiences.

Screengrabs from Facebook’s advertising pages, showing that several of the Facebook pages were running ads. These adverts were not always targeted correctly geographically — the Somali Light page, for example, targeted Egyptian audiences. (Source: Facebook)

Another feature of these assets was their proliferation across all three social media platforms, using similar and sometimes identical accounts and content across Facebook, Instagram, and Twitter.

An example of this was Tourch, a business persona that was active on Facebook, Twitter, and Instagram at the time of the purge. The Tourch assets published the same pictures of makeup and dresses, usually within seconds of one another.

Screengrabs from the Facebook (left), Instagram (center), and Twitter (right) accounts for Tourch. These accounts posted identical content within seconds of each other. (Source: Tourch, left; Tourch299, middle; @TToRRchh/archive, right)

Sine (wave) qua non

In the dataset Facebook provided for the assets it removed in August 2019, many of the Facebook groups and pages contained links to off-platform websites, which assisted in identifying the person responsible for registering those websites, Amr Hussien — an alternate spelling of the name Hussein.

This time, only two links to off-platform sites were included in the dataset: LebanonTrends.com and Balakona.com. A third, apparently unrelated website and its Facebook page — 7ady3raf.com — was identified during the course of the investigation after links to its page were found on three of the five largest pages among the assets: أهتمام — Ahtmam (Interest19), عيون القلب (3yoonalb), and روائع عامة (Rawaeama).

A CrowdTangle analysis confirmed that links to the 7ady3raf.com website were shared to four Facebook pages: the three pages mentioned above, and a second-hand goods page, where the link was shared by a user called “Amr Hussien.” The same Amr Hussien account was also an administrator of Deal of the Century, the Facebook group discussed earlier in this piece, and served as an administrator alongside the accounts using actresses as their profile pictures.

Facebook confirmed to the DFRLab that the “Amr Hussien” account, seemingly that of the owner of NewWaves, was removed as a part of the takedown set.

An analysis performed using CrowdTangle that identified the four Facebook posts linking back to the 7ady3raf.com website. Three of these Facebook pages are assets within the network, while the fourth was shared by a profile named Amr Hussien. (Source: @jean_leroux/DFRLab via CrowdTangle, left; Facebook, right)

None of these websites were registered in the name of either NewWaves or Hussien/Hussein, but the DFRLab investigation linked all three websites to the network of websites contained in the August 2019 purge. These, in turn, were linked with NewWaves.

While the 7ady3raf.com Facebook page has been removed, Facebook confirmed that it was removed not as a part of the NewWaves takedown but as a part of continuing enforcement stemming from the DFRLab’s research around the takedown set.

Pressed for words

All three of the off-platform websites were developed using WordPress, a platform that allows users to set up and create their own websites without any coding experience. This allowed the sites to be analyzed using WPScan, an open-source WordPress vulnerability scanner, and some similarities between the three websites were immediately apparent.

First, both balakona.com and lebanontrend.com had their WordPress uploads folders exposed. Most website developers disable access to these folders, which contain backups of image and video files uploaded to the site.

With these folders exposed, simply pointing a web browser to each website’s /wp-content/uploads folder allowed manual access to its contents.

Screengrabs indicating the exposed wp-content/uploads folders for both sites. (Source: balakona.com/archive, left; lebanontrend.com/archive, right)

The analysis of the folders revealed that “Sahifa,” a news-oriented website theme, was deployed across both the Lebanontrend.com and Balakona.com websites at some stage of their lifecycle. WordPress allows users to install themes to change the look and feel of a website without the owner needing much technical or creative expertise.

Screengrabs from the exposed wp-content/uploads folders for balakona.com (left, center bottom) and lebanontrend.com (right, center middle) showing that media files for the Sahifa theme were present on both websites, even though balakona.com is presently using a different theme. (Source: @jean_leroux/DFRLab via WPScans, center top; balakona.com/archive, left and center bottom; lebanontrend.com/archive, right and center middle)

While different websites using the same WordPress theme is not peculiar by default, it becomes suspicious when taken in conjunction with the fact that at least three other websites — freeiranrevolution.com, Syriatrends.com, and alyamanianews.com — linked to the previous NewWaves takedown from August 2019, also used the same theme for their websites.

Screenshots of the WPScan analysis for three still-active websites linked to the previous takedown of NewWaves’ sites in August 2019. The Sahifa theme indicated here was also used on the balakona.com, lebanontrend.com and 7ady3raf.com websites, linked to the current network of assets. (Source: @jean_leroux/DFRLab via WPScan)

In addition, access to the image backups established further links between the assets in the network. The image file used as the logo for the Lebanontrend.com website bore the name of one of the Facebook pages in the network, “Moroccos news.”

Screengrabs from the wp-content/uploads folder for lebanontrend.com (top), a Windows Explorer preview of the image file, reflecting the “Moroccos news” filename (center), and the “Moroccos news” Facebook page (bottom). The text in the images was translated via Facebook’s built-in Google Translation function. (Source: @jean_leroux/DFRLab)

The WPScan analysis also revealed that balakona.com, lebanontrend.com, and 7ady3raf.com share a number of common usernames used to access the backend of the WordPress site with websites in the August 2019 takedown. Variations of the name Michael, Khafaga, and Mohammed were present, as well as “mero75.”

A montage of screengrabs from WPScan analyses for the websites in the latest network, indicating the usernames used to access the backend of the WordPress website. These usernames, or variations thereof, also appeared in the network of sites linked to NewWaves during the August 2019 takedown (see next). (Source: @jean_leroux/DFRLab via WPScan)

A montage of screengrabs from WPScan analyses indicating the overlap in usernames used to access the backend of the WordPress websites. Of particular note is that the mero75 username (pink) was already present in August 2019. (Source: @jean_leroux/DFRLab via WPScan)

Of particular interest was the “mero75” username, used to access 7ady3raf.com (from the current network) and freeiranrevolution.com (from the August 2019 network). This username bears a striking resemblance to the Facebook username assigned to the Amr Hussien account seen throughout this investigation.

A screengrab from the Facebook account of Amr Hussien, a group admin for one of the groups in the network. The Facebook username (pink box at top) resembles the mero75 username used to access the backend of the WordPress sites. (Source: @jean_leroux/DFRLab via Facebook)

These findings were corroborated with the results from a WHOIS registration information search for the 7ady3raf.com website performed on the GoDaddy website. These records, as provided by the company hosting Hussein’s website, confirmed a registration date of August 13, 2018, using the same Gmail address used to register some of the websites in the August 2019 takedown.

A screengrab from a WHOIS records search for the 7ady3raf.com domain performed on the GoDaddy website. The details provided by Hussein’s hosting provider correlate with findings from this investigation, as well as the investigation from August 2019. (Source: @jean_leroux/DFRLab via GoDaddy)
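The linking logic of this section, written out as an added example (not the DFRLab's own tooling): shared artifacts are weighted so that a common theme alone never links two sites, while a shared username or registrant e-mail does. The weights, threshold, placeholder site names, e-mail address and all username spellings other than mero75 are assumptions constructed for illustration.

```python
import re
from itertools import combinations

# Assumed weights: how strongly a shared artifact suggests a common operator.
WEIGHTS = {"theme": 1, "username": 3, "registrant_email": 5}
LINK_THRESHOLD = 4  # assumed: a popular theme alone must never link two sites

def normalize(kind, value):
    """Fold case everywhere; for usernames also drop separators."""
    value = value.strip().lower()
    if kind == "username":
        value = re.sub(r"[._\-\s]", "", value)
    return (kind, value)

def indicators(record):
    return {normalize(kind, v) for kind, values in record.items() for v in values}

def pair_score(a, b):
    shared = indicators(a) & indicators(b)
    return sum(WEIGHTS[kind] for kind, _ in shared), sorted(shared)

def cluster(sites):
    """Union-find over every site pair whose shared evidence clears the bar."""
    parent = {name: name for name in sites}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    evidence = {}
    for a, b in combinations(sorted(sites), 2):
        score, shared = pair_score(sites[a], sites[b])
        if score >= LINK_THRESHOLD:
            evidence[(a, b)] = shared
            parent[find(a)] = find(b)
    groups = {}
    for name in sites:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values()), evidence

# Constructed scan results. Site names and the e-mail are placeholders; the
# username spellings other than "mero75" are invented variants.
SITES = {
    "new-1.example": {"theme": ["Sahifa"], "username": ["mero75", "Michael_K"],
                      "registrant_email": ["registrant@example.com"]},
    "new-2.example": {"theme": ["sahifa"], "username": ["michael.k", "Khafaga"]},
    "old-1.example": {"theme": ["Sahifa"], "username": ["MERO75"],
                      "registrant_email": ["Registrant@example.com"]},
    "old-2.example": {"theme": ["Sahifa"], "username": ["khafaga"]},
    "bystander.example": {"theme": ["Sahifa"], "username": ["admin"]},
}

if __name__ == "__main__":
    clusters, evidence = cluster(SITES)
    for group in clusters:
        print("cluster:", group)
    for pair, shared in evidence.items():
        print(pair, "->", shared)
```

The bystander site shares the theme with every other site yet stays in its own cluster, mirroring the caveat that a common theme is only suspicious in conjunction with other overlaps.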

Conclusion

The resurgence of assets linked to NewWaves and Flexell, both subjects of identical purges performed less than a year ago, is a worrying development. Flexell and NewWaves persisted with conduct that violated Facebook’s terms of service despite both companies losing assets in two separate takedowns in 2019. According to its statement, Facebook has now banned both companies from using its platforms.

Beyond NewWaves and Flexell, the motivation for maintaining this network remains unclear, as the content varied between the humorous, the benign, and the political. Given the companies appear to be paid-for marketing firms, without insight into their client base, it is unlikely that the true source of this activity will become known. It is this opaque nature of the business that is of particular concern: without clear insight as to who is paying a private company to undertake such activities, the ulterior motive for the information pollution they inject online will similarly remain a mystery, making it nearly impossible to hold those ultimately responsible accountable.


Jean le Roux is a Research Associate, Southern Africa, with the Digital Forensic Research Lab.

Max Rizzuto is a Research Assistant with the Digital Forensic Research Lab.

This article was written and published in collaboration with our partners at Code4Africa.