Liberty Front Press is a fake news network that has been operating since Trump’s administration and was said to be designed to leverage liberal resentment against the former U.S. president while promoting pro-Iranian foreign policy narratives via social media. For years, it has been present on Facebook, Twitter, Pinterest, and Reddit, for so-called “activism.”

Our security researcher Dancho Danchev has been tracking the fake news network and provided indicators of compromise (IoCs), specifically 27 domains known to have taken part in the network’s disinformation campaigns, that individuals and organizations alike may want to avoid accessing.

We dug deeper using domain and IP intelligence tools to expand the list of IoCs in hopes of providing better user protection.

Tracking Down Connected IP Addresses

Running the 27 domains on a DNS lookup tool provided a list of 19 unique IP addresses. Their connection to the Liberty Front Press should make them suspicious. One IP address (81[.]169[.]145[.]149), in particular, should definitely be avoided, as our Threat Intelligence Platform (TIP) checks revealed it is a malware host.

An IP geolocation lookup for 81[.]169[.]145[.]149 revealed that the device it is assigned to is located in Germany. It is also associated with at least five domains, namely:

• 0-co2[.]info
• 003rsn[.]com
• 01bodybuilding[.]com
• 0211design[.]de
• 02374[.]de

While none of the domains above are tagged malicious to date, avoiding accessing them may be a good idea as well, at least until proper verification and monitoring can be executed.

Uncovering Possibly Connected Domains

Using the 19 IP addresses as search terms for reverse IP/DNS lookups gave us a list of an additional 985 domains that could be tied to the campaign. Some of these share strings with those in the original investigation’s IoC list such as:

• lebanon-news[.]com
• qurania[.]ir
• 12steptravel[.]com
• ctamtravels[.]com
• wnztravels[.]com

What’s more, users should watch out most especially for 11 domains that host malware, namely:

• 123kia[.]de
• 18004security[.]com
• 1800taxfree[.]com
• 24h-1a-sicherheit[.]de
• 4goes2web[.]de
• artantik[.]net
• coronavirusworldwide[.]info
• cprapid[.]com
• ddwt[.]us
• eskuvoiemlek[.]hu
• windbs[.]com

A closer look at each of the malicious domains via a screenshot lookup tool showed that:

• Three (24h-1a-sicherheit[.]de, 4goes2web[.]de, and windbs[.]com) seem like business websites.
• Despite the domain coronavirusworldwide[.]info, the site it hosts doesn’t seem to relate with COVID-19. It was about climate change and other environment-related issues.

  

• Two (123kia[.]de and 1800taxfree[.]com) were parked.
• Ddwt[.]us looked like a personal blog.
• Three (artantik[.]net, cprapid[.]com, and eskuvoiemlek[.]hu) were unreachable.

WHOIS lookups using the malicious domains as search terms revealed that:

• Three (18004security[.]com, 1800taxfree[.]com, and ddwt[.]us) are owned by individuals.
• Windbs[.]com is owned by an organization.
• Seven (123kia[.]de, 24h-1a-sicherheit[.]de, 4goes2web[.]de, artantik[.]net, coronavirusworldwide[.]info, cprapid[.]com, and eskuvoiemlek[.]hu) had redacted WHOIS records.

What to Do When Fake News Sites Are Not Dubbed Malicious

While fake news sites are not typically categorized by malware database sites as malicious, they may still present risks in the form of false information. Detecting such sites is possible with a website categorization tool. Take the domain alzouzougroup[.]com, which is included in the original list of IoCs. The web categorization tool classified it under Sensitive Topics and Spam or Harmful Content.

While this method may not be foolproof, blocking access to sites that fall under the two categories cites would provide organizations an extra layer of protection against threats.

As you’ve seen in this post, looking deeper into domains and IP addresses listed as threat IoCs can reveal so much more information and possible threat vectors that may require blocking on networks.

Contact us if you’d like to get a copy of the complete list of Liberty Front Press IoCs or the possibly connected web properties featured in this post. And if you’re a security analyst or researcher looking to partner for a study, we’d like to hear from you as well.