In July 2015 Lawrence Aleksandr published a work exposing some alleged Ukrainian news sites that are actually run by the so-called “troll factory”, located at Savushkina, 55, St. Petersburg, Russia. Lawrence discovered the connection between these sites due to the general Google Analytics code, which means that the management of all the sites is performed using a single Google account, which is also used to track statistics. The investigation brought Lawrence to a civilian web designer living in Moscow. He was doing all the sites – some personal and as well as those governed by the St. Petersburg “troll factory.” Lawrence wrote specifically for Bellingcat an article about how to find and track the Google Analytics code (see. Here ) and Dzhastin Seyts added it to his work on how to automate this process by using a program written in Python (see. Here ).
Last month, a group of journalists from South Africa with the help of this method was able to detect a network of sites related to an Indian company and the family of billionaire Gupta, who was accused of publishing false information about South African media outlets after they put his family business in a bad light. Descriptions of the investigation, including those issued by News24, the Center for Investigative Journalism amaBhungane and research team publishing Scorpio Daily Maverick, you can read hereand here .
With the help of WhoIs service, Google Analytics and AdSense code identifiers journalists managed to establish a link between the ten sites, most of which are directly denied the accuracy of the leaked emails in Gupta’s network and promoted the idea of ” white monopoly capital “. Below are the addresses of the sites referred to the news agency of The South African : wmcleaks.com , wmcscams.com , dodgysaministers.com , wmc-scams.com , whitemonopolyafrica.com , whitemonopoly.com , fakeguptaleaks.com , publicopinion.co.za , southafricabuzz.co.za and whitemonopolycapital.com .
They look like the real site of the South African news agencies and research groups, but in fact, seems to have been created by CNET Infosystem, which is engaged in web design, is located in Noida, pcs. Uttar Pradesh, India, and is operated by Kapila Garga. The researchers pointed to the suspicious relationship Garga and his company with the family of billionaire Gupta, who allegedly ordered websites to counter the criticism in his address. For example, Gupta family have a company in Noida, Garg and use email addresses, names of institutions on Gupta brothers, when registering two of the ten sites.
journalists have spent Bellingcat investigation provided a few screenshots, which is illustrated in detail the search process. The following is an AdSense site identifier publicopinion.co.za , found by searching the source code. With the help of the detected identifier AdSense CA-PUB-8264869885899896 managed to reach several sites associated with India and obviously created by CNET Infosystem
Further efforts have brought more results, for example, by means of a reverse lookup by identifier AdSense reporters found “news sites” that are registered under the same number as the publicopinion.co.za
Once logged on these sites, we can view the source code (as it did with publicopinion.co.za ) and ensure that the identifiers really are the same. To do this, open source code, press CTRL + F and type in the search box the same AdSense ID (CA-PUB-8264869885899896), which was found on another site.
Lawrence Aleksandr found that some sites have additional codes to track, which are not found on other sites – and this is a new area for research. The site wmc-scams.com , ID is the same as the AdSense publicopinion.co.za , in the original program can also find the code Google Analytics UA-101199457-4 ( «-4» – sequence number among the other sites with UA-code 101 199 457) .
Reporters had no trouble finding the domain registration data, as Kapil Garg does not even try to hide important information. Thus, the above data on the site are presented below screenshot ajaygupta.info (dedicated to one of the Gupta brothers), obtained with the help of WhoIs service.
In general, managed to find a complex system of sites, the relationship between them is set by the codes for tracking and registration data WhoIs services. Dzhastin Seyts combined all these sites in one chart (click on image to enlarge):
More details about the investigation, as well as how to use the methods described in your own work, read article amaBhungane.