The celebrity death hoax has long been a clickbait staple, but recently one network has taken it to extremes, using scores of websites to host its content and an automated army of bots to push the links into Facebook groups. Many Facebook users and group administrators have noticed a sharp increase in spam postings of false death hoaxes. Examples of comments from Facebook group members and administrators frustrated with the disruption are pictured below.
The death hoax headlines frequently end abruptly before getting to the point, leaving the reader wondering. One example reads, "10 minutes ago in New York / 50-year-old Actor Ben Affleck, his family confirmed that..." another says, "We report extremely sad news about 47 year old actor Drew Barrymore, she has been confirmed."
Lead Stories took note and was determined to find out who was behind what appeared to be a very coordinated push to place these death hoax links in English-language Facebook groups.
The collection of Facebook screenshots below shows an assortment of these posts. Lead Stories identified at least 55 different celebrities whose name, picture and the false suggestion that they had died were used to entice people to click. Some celebrities are represented by several different images and headlines in Facebook posts; not all variations are shown here. (The image below will open larger in a new window.)
In the first week of December 2022, Lead Stories identified links to 61 different WordPress websites that were publishing the death hoax articles found on Facebook. If a reader clicked on a link to learn what happened to a beloved celebrity, they were sure to be disappointed. They won't even find an article delivering a false story -- the webpage will show the same photo of the celebrity visible in the Facebook post, and the text of the headline may repeat several times as they scroll, but there is no article. Within seconds, their screen will blur and a pop-up may warn them that they need a software update.
(Source: Screenshots of Facebook posts taken on Wed and Thu Dec 07-08 2022)
Many of the sites have news feeds in more than one language. Daily90news.com features news categories for world, general news, Khmer (the language of Cambodia), Korean, Animal and Pets, Taiwan and Japanese. Freshnews85.com offers sections for Hong Kong, Japen News [sic], Korea News, Mayanma, Miyanma, Thai news, Uncategorized and USA. These websites also feature clickbait with "then and now" pictures, wild animals and giant snakes.
The websites do not have a monetized recommendation chumbox of the sort commonly seen on clickbait websites and they don't have any recognizable advertising. Instead, there are pop-ups and forced redirects that use deceptive prompts. These try to trick the viewer to download malware.
One redirect site, wreddismorce.com, has a cartoon robot on the page blocking access to the death hoax. The prompt demands that the viewer first "Click Allow if you are not a robot" (they should just close the window). Malwaretips.com has an in-depth article about wreddismorce.com.
(Source: Screenshot of deceptive prompt from wreddismorce.com taken on Fri Dec 09 22:35:15 2022 UTC)
Some of the death hoax pages offer a video embedded from a YouTube celebrity death hoax channel. One channel is called "Deceased Celebrities"; others are "LATEST NEWS 24" and "Allan Radio" (archived here, here and here). There is a possibility that the websites generate some revenue by driving views to these robo-voiced videos, but viewers would need to get past the malware pop-ups first.
One thing is clear: This network now mainly exists to deliver malware to unsuspecting people. The scope of this article does not extend to an in-depth explanation of malware, but an article at microsoft.com describes it this way:
Malware works by employing trickery to impede the normal use of a device. Once a cybercriminal has gained access to your device through one or more different techniques--such as a phishing email, infected file, system or software vulnerability, infected USB flash drive, or malicious website--they capitalize on the situation by launching additional attacks, obtaining account credentials, collecting personal information to sell, selling access to computing resources, or extorting payment from victims.
The example on the left below shows a blurred Bruce Willis death hoax covered by a fake prompt to update Adobe Flash Player. On the right are two additional examples of other malware download pop-ups that spoof the appearance of familiar programs. (This image will open larger in a new window.)
An example of such a prompt for a fake update reads:
Software Update
'Adobe Flash Player' is out-of-date
A security update to Adobe Flash Player was recently released. You must update your Flash Player so security update can be correctly applied.
Update | Download Flash...
(Source: Screenshots from newsidaily.com and others taken on Thu Dec 08 23:22:22 2022 UTC)
Under the ruse of a "security update," this deceptive prompt urges people to update a program, Adobe Flash Player, which became obsolete at the end of 2020. End-of-life information about Flash Player can be found at Adobe.com:
Since Adobe no longer supports Flash Player after December 31, 2020 and blocked Flash content from running in Flash Player beginning January 12, 2021, Adobe strongly recommends all users immediately uninstall Flash Player to help protect their systems.
There is a feature available for WordPress websites that allows several accounts to work together to post articles on a website. Lead Stories looked into the administration structure of the websites posting death hoaxes. Although we could not verify if each human "author" was writing under only one account name, we could see, in some cases, that over 100 different accounts were contributing to one website.
The lead author, or head administrator, of the website we will refer to as ID No.1. They are sometimes listed simply as "Admin" on the front-facing webpage, but their account name and the alphanumeric code of their Gravatar ID (Globally Recognized Avatar ID) are visible in the website's source code.
Looking at the Gravatar ID for ID No.1 of one of the websites, cnews6.com, we were able to connect that ID to over 90 domain names. Of the 51 websites we found currently spreading death hoaxes on Facebook, 16 of them were connected to that one person.
Lead Stories was able to determine the email and the name of this young man from Cambodia. His username is consistent across several social media accounts. On Facebook his nickname is written in Japanese, "Programmer."
The names of other ID No.1 accounts of these websites point to several other Cambodian individuals with consistent usernames and a history of social media manipulation for profit. Each individual runs several of these websites.
But the work of the humans and their bots is careless. In the examples below, one Bruce Willis death hoax article was posted without adding his name to the headline. It simply reads, "We announce the very sad news of Talented Actor , along with a tearful farewell."
In other instances, the photos and name in the headline didn't match. In almost all cases, there is no article. In the Julia Roberts example below, just the headline and thumbnail photo repeat above an embedded YouTube video.
A hoax about Vince Gill featured a typo, "We Report Wxtremely Sad News..." which was repeated across four websites and in the automated captions posted by the network bots.
(Source: Screenshots from Facebook, freshnews49.com and todaynewsbd.com taken on Fri Dec 09 23:11:57 2022 UTC)
In this investigation Lead Stories did not try to quantify the number of automated accounts that were posting these links into Facebook groups. Most of the accounts currently posting are less than one week old, and are Facebook pages rather than profiles. These pages typically did not have any likes or follows, profile pictures or names that would reflect a business or person. These accounts appear to have been generated en masse via a program.
Although they posted links to the death hoaxes in other Facebook groups, they typically did not post these links on their own page. The six pages in the example below, which were all posting death hoax links, were all created between December 2, 2022, and December 4, 2022. The page creation date is visible in the Page Transparency report.
This is also where the country location of the page managers can sometimes be found, but location information is not typically available for a new page with no followers.
(Source: Facebook screenshots taken on Thu Dec 07 2022)
While looking into the creation date of one of these pages, Lead Stories stumbled across something unexpected -- not just once but four times. The page kdnog, which was created on December 5, 2022, had a single post on the page. It was a list of URLs -- 85 Facebook groups, and the notation next to each URL said, "No Pending." Another post by the page achkkjg has links to 74 Facebook groups. A post by an account called You Yong appears to be a portion of a numbered list, #1216 - 1245. Ro kim posted another portion of a numbered list, #1231 - 1250.
Although it may sound as though these two partial lists overlap, they do not. The URLs are unique -- pointing to the probability that within this spam network there are at least two separate lists, each with at least 1,245 Facebook groups on them.
It is not clear why these lists were posted publicly, but these appear to be groups that have a low barrier to entry that would admit a new account with no profile picture and no ability to answer complex group-join questions.
This network was able to create a large number of spam accounts, join groups and start posting links in a short period of time, which also resulted in a sudden surge in the volume of death hoax posts that Facebook users were encountering in early December 2022.
(Source: Facebook screenshots taken on Thu Dec 07 2022)
Lead Stories has recently debunked several of these false reports of celebrity deaths: Dolly Parton, Bruce Willis, Celine Dion, Alan Jackson, Simon Cowell, Angelina Jolie and Shannen Doherty.
Additional names that have appeared in posts by this spam network are Arnold Schwarzenegger, Ben Affleck, Blake Shelton, Brad Pitt, Bryan Brown, Chris Hemsworth, Chuck Norris, Clint Eastwood, Dave Chapelle, David McCallum, Denzel Washington, Don Johnson, Drew Barrymore, Dwayne Johnson, George Strait, Gladys Knight, Goldie Hawn, Henry Winkler, James Whale, Jay Leno, Jean-Claude Van Damme, Jennifer Lopez, Jodie Sweetin, Julia Roberts, Kate Hudson, Marie Osmond, Mark Harmon, Melissa Gilbert, Michael J. Fox, Mick Jagger, Mike Tyson, Morgan Freeman, Nick Robinson, Pierce Brosnan, Rachel McAdams, Rajon Rondo, Rod Stewart, Roseanne Barr, Sam Elliott, Steve Buscemi, Steven Seagal, Sylvester Stallone, Toby Keith, Tom Hanks, Tom Selleck, Vince Gill, Will Smith, and Willie Nelson.
