When an attractive young Middle Eastern woman contacted Saudi dissident Ali AlAhmed over Twitter last November, he was immediately suspicious.
The Associated Press was on the verge of publishing a story about how AlAhmed, who is based in the Washington area, had been targeted by hackers posing as a female journalist. Now, just two days before the article was set to go live, another young woman had sidled up to him over the internet, trying to entice him to read an article and share it online.
"They will never stop," AlAhmed wrote in a November 6 message to the AP. "They think a hot girl can lure me."
The AP flagged the exchange to Canadian internet watchdog Citizen Lab, which was already helping AlAhmed deal with the hackers. Citizen Lab quickly determined that the Twitter account, purportedly belonging to an Egyptian writer named Mona A.Rahman, was part of a separate operation. In fact, she wasn't even trying to hack AlAhmed — she was trying to enlist him in an ambitious global disinformation effort linked to Tehran.
>> Read more: Tel-Aviv Times? Iran created fake Hebrew news sites in major 'influence campaign' ■ After San Diego synagogue shooting, U.S. will have to increase online tracking to stop the next murderer | Analysis
In a report published Tuesday, Citizen Lab said A.Rahman was but a small piece of a years-old, multilingual campaign aimed at seeding anti-Saudi, anti-Israel and anti-American stories across the internet. Citizen Lab, which is based at the University of Toronto's Munk School, said it believes "with moderate confidence" that the operation is aligned with Iran. The campaign is another indication of how online disinformation is being tested by countries well beyond Russia, whose interference into the 2016 U.S. presidential election was laid out in vivid detail in special prosecutor Robert Mueller's report .
"What this shows is that more and more parties are entering the disinformation game," said John Scott-Railton, a Citizen Lab researcher, "and they're constantly learning."
- U.S. hackers helped UAE spy on Al Jazeera chairman, BBC host
- Petition to revoke NSO license as WhatsApp warns about Israeli firm's cyber-weapon exploit
- Two Israelis arrested in global dark web investigation
In London, Iranian Embassy press secretary Mohammad Mohammadi denied that his government had anything to do with digital disinformation, saying that Iran was "the biggest victim" of such campaigns and had called for international regulations to curb them. He referred further questions to Iran's Communications Ministry, whose deputy minister did not immediately return a message Tuesday.
Scott-Railton and his colleagues ended up identifying 135 fake articles that were published as part of the campaign, which they dubbed "Endless Mayfly" because, like the short-lived insect, the bogus stories tended to disappear soon after they began to spread.
The article A.Rahman was trying to get AlAhmed to share — a claim that Israel's then-defense minister, Avigdor Lieberman, had been fired for being a Russian spy — was typical: The article had startling news, it was hosted on a fake version of a Harvard University website and had a host of spelling and grammatical mistakes. Articles shared by other fake personas followed a similar pattern. They made inflammatory claims about Israel, Saudi Arabia and the United States presented on lookalike versions of respected news sites.
"Ivanka Trump says its unbelievable that women cannot drive in saudi arabia," said one article posted to a site dressed up to look Foreign Policy magazine. "Saudi Arabia funds the US Mexico border Wall," said another, hosted on a site imitating The Atlantic.
The campaign seems to have been largely ineffectual — Scott-Railton noted that "most of their stories got almost no organic buzz" — but a couple did break through.
In March 2017 a fake Belgian newspaper article claiming that then-French presidential candidate Emmanuel Macron's campaign was being one-third funded by Saudi money was widely shared in French ultra-nationalist circles, including by Marion Marechal, the granddaughter of French far-right leader Jean-Marie Le Pen. A few months later another site mimicking a Swiss publication tricked the Reuters news agency and other outlets into publishing a false report that Saudi Arabia had written a letter to FIFA, soccer's governing body, demanding that archrival Qatar be barred from hosting the 2012 World Cup. The report was later withdrawn.
Citizen Lab said it first got wind of the suspected Iranian disinformation campaign when a British web developer debunked one of the fake articles on Reddit two years ago. The developer pointed out that the story — which suggested that British Prime Minister Theresa May was "dancing to the tune" of Saudi Arabia — had been published on a website using the URL "indepnedent," imitating the legitimate British news site, The Independent, and was linked to a network of other suspicious sites, including "bloomberq," a clone of the news agency Bloomberg. A third site, "daylisabah," was a fake version of the Turkish publication Daily Sabah.
"Did we just get an insight into a fake news operation?" the developer asked at the time.
Citizen Lab confirmed his hunch, later connecting the sites to an incident in which another Twitter user, Bina Melamed, tried to persuade Israeli journalists to share the same fake Harvard article that AlAhmed received.
When one of the reporters privately confronted Melamed about why she was pushing nonsense, the answer was unusually straightforward.
"I like challenging and controversial stories," Melamed said. "Sometimes they are fake and sometimes they are not."
Outside experts who reviewed Citizen Lab's report gave a qualified verdict. Experts at FireEye and ClearSky Cyber Security, U.S. and Israeli companies respectively, said they recognized elements of the digital disinformation from their own reporting, but ClearSky researcher Ohad Zaidenberg said he wanted to see more evidence before attributing the social media personas to the same group.
Speaking generally, he said the apparent clumsiness of the online disinformation should not be a reason to dismiss it.
"It gets better each day," he said.
Most of the personas mentioned in Citizen Lab's report — such as A.Rahman and Melamed — have been suspended. Messages left with a handful of surviving accounts — sent via Twitter and Reddit — elicited no response. Emails sent to half a dozen addresses used to register several bogus websites — including bloomberq, daylisabah, foriegnpolicy, theatlatnic and indepnedent — either weren't returned or bounced back as undeliverable.
AlAhmed said he was intrigued to hear that A.Rahman had been tied to the Iranian government. Despite knowing from the start that the whole thing was a charade, AlAhmed struck a wistful note in a recent interview about his interactions with the attractive-looking A.Rahman. At one point, she had written to him inviting him to stay at an apartment she claimed to have in London.
"A small part of me thought, 'I hope this is real,'" AlAhmed said.
He quickly made clear that he was kidding.
"I told my wife," he said.