On March 18th 2017 a death hoax started trending on Facebook claiming British Comedian Rowan Atkinson had died. That this claim is false has been pointed out on this site and on others but that is not what this article is about.
Celebrity death hoaxes are nothing new on the internet yet this one is special in that it managed to be liked/shared over 300.000 times in a short period of time by employing some devious technical tricks. The first one is the video player embedded in the site. At first sight this is just a normal YouTube video from a Fox News broadcast (which is about a death but not about Rowan Atkinson, see the full clip here).
When clicked the video starts to play normally. But after two seconds or so it stops and following message pops up:
And here it gets really devious: when the share button is clicked a popup opens to share the story on Facebook but the link that is being shared is not actually the same link of the page the user is on at the moment.
Why is that devious? It means the owner of the site can "seed" multiple versions of the story on Facebook, each with a different individual URL, making it harder to block the story. The URL variation happens both by changing the domain name of the site and by changing the last part of the link. Here are some examples:
URL variations within the same domain all seem to redirect back to the same central page (the 'purwakmo' version) when they are visited in a browser. However to Facebook they all look like different articles and because of this trick each one has to be individually reported and blocked for Facebook's anti-spam measures to have any effect.
It also seems like every few hours the perpetrators of the hoax have switched to a new domain name, in the process setting up redirects on the old domain names so all 'old' versions take visitors to the most recently used domain name, another trick to avoid getting hit by a blanket domain ban on Facebook. It appears the hoax started on news.sharedtodaytv.com and since then we've observed it on following domains:
All these domains point to the same IP address (18.104.22.168) which seems to be owned by a hosting company named LiquidWeb and which appears to point to a server in their Michigan datacenter. One of their customers is probably behind all this but it is not clear who. The image used in the sharing popup is also hosted at this IP address, at http://inspiretvdaily.com/sharewidget.png
One final trick employed by the hoaxers is in the URL they use for the Facebook share dialog. We've highlighted the important part in bold:
This causes the caption on the shared post on Facebook to look like it actually comes from Fox News:
The scammers are making money by sometimes not showing the video or the share dialog when visitors click but instead redirecting them to pages full of deceptive ads and popups. It is unclear at this time how much they walked away with but it is probably a substantial sum by now based on the amounts of likes and shares we have been seeing.