Support amaB. Support democracy. Amabhungane

  • EXCLUSIVE: Indian IT guru linked to fake WMC sites

    The sites appear to be South African and focus almost exclusively on attacking legitimate news sources.

    The sites appear to be South African and focus almost exclusively on attacking legitimate news sources.

Several disinformation websites registered this year to promote the "white monopoly capital" (WMC) narrative have been traced to a web design and online reputation management company in India.

News24 has succeeded in puncturing layers of protection to unmask the identity of a web design company that has left its fingerprints in the codes of these websites.

The sites appear to be South African and focus almost exclusively on attacking legitimate news sources like News24, Eyewitness News, Business Day and amaBhungane, and attempt to link investigative reporting on the Gupta leaks to the Rupert and Oppenheimer families.

Their articles are of poor quality and written as if the writers are based in South Africa.

The company linked to some of these sites is CNET Infosystem, which provides international web design, online reputation management and blogging services and is headquartered in Noida, Uttar Pradesh. CNET’s chief executive and co-founder is Kapil Garg.

The Guptas have denied any relationship with CNET or Garg, but there are a number of curious connections between the family and the Indian firm:

  •  Uttar Pradesh is the same state the Gupta family’s hometown of Saharanpur, which is 200km away from Noida, falls under;
  • The Gupta leaks show that the family owns a company called SAS Technologies that has an office in Noida, and own property in the city. When Duduzane Zuma, the president’s son and Gupta business partner, applied for a business visa to India in 2014, he gave the address of a guest house in Noida as his residence;
  •  Garg earlier this month registered two websites via his own email account: atulgupta.info and ajaygupta.info.
  •  On June 29, Garg, who lives almost 9 000km away from South Africa, liked a post by WMC Scams on Facebook about Mining Minister Mosebenzi Zwane’s launch of the controversial new mining charter.


Kapil Garg. (Facebook)

Despite registering two websites in the names of the oldest (Ajay) and middle (Atul) Gupta brothers, Gupta family spokesperson Gary Naidoo denied any links to Garg and his company.

"We have no relationship with the mentioned company or any of these websites. Both Atul Gupta and Ajay Gupta are very common names in India," Naidoo said in an email.

The site atulgupta.info has a promising title: "The Truth About Atul Gupta is Here Now". But the two sites contain only filler text lifted from other websites, bogus contact details and stock photos.

Garg did not respond to several requests for comment via email or WhatsApp.

In total, ten websites promoting the idea that a clique of white monopoly capitalists have gained control of South Africa, have been registered and online since April this year.

They have published hundreds of anonymous articles denigrating Deputy President Cyril Ramaphosa, journalists, opposition parties and ANC politicians who have spoken out against the politically-connected Gupta family, President Jacob Zuma or his entourage.

While website creators can mask who registered a website by making use of privacy services, various online investigative tools can help find whether the hidden administrators left any fingerprints behind that hint at their identities.

In the case of six of the ten WMC websites, a trail of fingerprints leads to CNET Infosystem and Garg.

Linking the website ring

On April 28, almost a month after Zuma axed finance minister Pravin Gordhan from his Cabinet, two websites were registered via domain privacy protection services: wmcleaks.com and wmcscams.com.

Nobody, except for the Guptas and Zuma loyalists, are above being fingered as stooges and agents of white monopoly capital by the anonymous writers on these platforms.

Once a website is registered, a quick internet search will usually reveal its owner and administrator’s name, address, phone number and email, or what is known as the site’s WHOIS data.

If the website has been registered via a proxy or privacy service, however, this data is hidden. In this case, only the site’s registrar has access to it.

These two websites used the services PrivacyProtect.org and Whoisguard to cloak the names of their owners and creators, but they could have chosen from dozens of alternatives. All these services advertise themselves as a way to stop spammers and telemarketers hoovering up your personal information.

All the same, the effect is that by using such privacy protection services, anyone can cloak their identities online.

In May, the site dodgysaministers.com was privately registered along the same format with the same apparent agenda of promoting the theory of WMC.

In June, seven more sites were registered: wmc-scams.com, whitemonopolyafrica.com, whitemonopoly.com, fakeguptaleaks.com, publicopinion.co.za, southafricabuzz.co.za and whitemonopolycapital.com.

To view graphic at full size click hereGraphic by Justin Seitz.

Of the sites registered in June, five had privacy guards and two were registered to someone called "Adebola Adeniyi". Adeniyi registered publicopinion.co.za and southafricabuzz.co.za on July 8 this year.

But the WHOIS registration details for both sites – which must, by law, include billing, registrant, technical and administrative information - appear false. He gave different registration details for both sites, but neither make much sense. The phone numbers he provided are a digit short. He did not respond to emails.

An Indian connection

While the owners, administrators, and writers of articles on the websites were hidden, there were indications that at least some of the content was being produced in India.

Online analytics platform Alexa provides profiles of any website’s traffic statistics. It showed that, on June 26, 100% of visitors to the sites southafricabuzz.co.za and wmc-scams.com were from India.

Three weeks later, these statistics hadn’t changed. In fact, all sites except for wmcleaks.com and whitemonopoly.com received most of their visitors from India.

The ten sites were all linked to Twitter accounts, which tweeted links to articles supportive of the Gupta family and Zuma, and shared derisive memes and images of journalists, politicians and civil society leaders "captured" by WMC.

These are, in turn, retweeted by an army of bot accounts. A concerted push by journalists to report these profiles for flouting Twitter’s rules (harassment, hateful contact and multiple account abuse may all result in suspension) resulted in many of them being shut down. Some mushroomed up again under new handles, however.

The Twitter and Facebook profiles they are linked to were set up by nameless registrants.

Tracking them down

The creators of the sites tried their best to remain hidden. But they did want to know how many people were clicking on their articles.

And for that reason, they left two types of unique identifying fingerprints in the source code of the websites - that of Google Analytics IDs and Google Adsense codes.

As open source analyst Lawrence Alexander wrote in his examination of a pro-Russian ring of websites in late 2015: "Google Analytics (is) a commonly used online analytics tool that allows a website owner to gather statistics on visitors, such as their country, browser, and operating system. For convenience, multiple sites can be managed under a single Google Analytics account. This account has a unique identifying 'UA' number, contained in the Analytics script embedded in the website's code."

Searching the source code of the ten websites showed that six of them shared the same Google Analytics ID (UA-101199457), meaning they were being run by the same person or group. Three had unique accounts, and one site had no account.

This showed that six of the websites were linked. Google doesn't give out information on who the owners of analytics codes are. But they are a useful tool to start connecting a stable of websites.

More useful for this investigation were the Adsense IDs.

Five of the websites - wmc-scams.com, whitemonopolyafrica.com, publicopinion.co.za, southafricabuzz.co.za and whitemonopolycapital.com - used the same Google Adsense ID.

This means all the sites are hosting advertisements (and earning money) from the same owner of a Google Adsense account.

Internet users can "reverse search" these Analytics and Adsense IDs to tie them to more websites.

A reverse search of the Google Adsense ID (pub-8264869885899896) brought up 15 sites that share the same Google Adsense ID as the sites wmc-scams.com, whitemonopolyafrica.com, www.publicopinion.co.za and southafricabuzz.co.za and whitemonopolycapital.com.

In short, the same person that was earning money from the propaganda sites was, at some stage, earning money from the 15 other websites, with names like societyindia.com and freeastrologypoint.com.

Deep links

Four of these 15 domains were privacy protected. One was registered to an individual and the registration of four sites had expired.

But six of the sites showed a common registrant - Kapil Garg of CNET Infosystems, a "total technology solutions provider" from Noida, in Uttar Pradesh, India.

And of the four sites whose registrations had lapsed, all had previously been registered to Garg before expiring.

According to his LinkedIn profile, Garg is the chief executive of CNET Infosystems.

"My aim is not to just create web pages and promote, but also to help people to generate revenue and have branding as well," states his profile.

Garg is also listed as the website registrant of the business ORM Dubai, an online reputation management firm headquartered in the Dubai Silicon Oasis. The same address and phone number is given as the Dubai office of CNET Infosystems on its website.

CNET Infosystems and Kapil Garg did not reply to email, Facebook messenger and WhatsApp requests, sent over three weeks, for comment about why the Google Adsense IDs linked to the company had appeared on the propaganda websites. WhatsApps went unanswered, although blue ticks showed he did read the messages.

After News24 sent the requests, the sites southafricabuzz.co.za and wmc-scams.co.za deleted their Google Adsense IDs. The site whitemonopolycapital.com also deleted its ID, but it is not clear when this happened.

This means these sites can no longer receive advertising revenue. The site whitemonopolyafrica.com was suspended after its email couldn’t be verified. The site publicopinion.co.za, however, still has its Google Adsense code.

Online fingerprints

Two more online fingerprints link Kapil Garg and CNET Infosystems to the websites.

Garg is quite active on social media. On June 29, he liked a post about Zwane and the mining charter on the Facebook site "WMC Puppets". The site is linked to the website www.wmc-scams.com

At the time, the Facebook site was quite unpopular. When Garg liked the link to an article on the page, he was one of only two people to have liked anything on the site. The other person, Andrew Norton, appears to be a Facebook bot account.

In addition, five likes on Garg’s official Twitter profile are of posts critical of WMC, including a post by @aluamose that reads: "Waits for twisted and media reports that will mislead & say that WMCLeaks are created by Gupta’s and blabla, Reason they get paid from #WMC."

His first "like" was on June 13, a day before seven of the propaganda sites were registered.

  • News24 would like to thank security researcher and coder Justin Seitz for his help in evaluating the websites and reviewing the links between them, as well as the team at the online investigative website Bellingcat for their help and advice with this investigation.


SUBSCRIBE TO US

LIKE US

FOLLOW US