The phenomenon of 'fake news' factories gained momentum and became internationally known in 2016, when a small town in North Macedonia became one of the epicenters of the production of digital disinformation during the US presidential election.
At that time, young local people discovered that they could generate huge profits through Google AdSense by creating websites with fabricated and sensational news, mostly pro-Donald Trump, which went viral on Facebook. The news had no political agenda, but simply financial purpose.
The 2016 episode appears to have left behind a ‘business model’ in North Macedonia that, although it has changed form, continues to rely on fake news or clickbait headlines. BIRN found over 25 Facebook pages, with branches on YouTube and TikTok, which use “Affiliate Marketing Scams” (deceiving consumers through intermediaries) to sell “medicines” or collect clicks, controlled from North Macedonia. Most of the pages target Albanian-speaking readers, although some of them publish in English.
“Affiliate Marketing Scams” is a form of cybercrime where fraudsters abuse the legitimate marketing model to make money dishonestly. Detailed analysis of Facebook transparency data and page source code reveals a sophisticated network.
For cybersecurity and mass media experts, these structures are quite dangerous; they simultaneously violate the privacy of victims, their wallets, but also the public's trust in serious media.
Bardhyl Jashari, executive director of the Metamorphosis Foundation in North Macedonia – a media organization that promotes human rights online, told BIRN that the concrete consequences of these platforms included the degradation of “the standard of information and the role of the media in a democratic society”.
"When people realize they have been deceived by a 'patriotic' site, they become cynical even towards serious media," said Jashari.
Security expert Besmir Semanaj says the amount of information these sites collect is worrying.
“These proxy servers analyze the visitor's device, location, click source, and behavior in real time to understand whether it is a real user or a platform control system,” he notes.
Fraud network
Data obtained by BIRN from around 25 Facebook pages shows that this disinformation ecosystem is not sporadic. It is managed by a structured group of administrators based in North Macedonia and in some cases with partners in Italy, Germany, Vietnam or the US.
Two of the sites, “Albanian Media” and “Live News”, feature a hybrid collaboration model with two administrators in Macedonia and one in Italy.
This structure suggests using EU locations to give the page credibility to Facebook’s algorithms and ad networks, while the real operation is carried out from the Balkans. Meanwhile, three clone pages called “Usa Story” are managed by people in North Macedonia, Kosovo and the US. These pages publish mainly in English on Facebook, but if you follow the links and dig into the website, you will also find posts in Albanian in the same model.
Regardless of the name and main language, these sites publish material and connect readers to a group of 5-6 links that redirect to pages where advertisements for medicines are found. Based on the links that are offered to readers to click, the identified sites are divided into 3 groups that appear to operate separately.
The first group, which publishes on YouTube under the name "Jetë & Stil", uses pages like "Mergimi Shqiptar" and "Gazeta Insajd" to direct the audience to the portal lifestories99.com and the YouTube channel based in Germany, under the management of 6-7 administrators.
The most massive group, “TimeforLon”, mobilizes numerous websites such as Lajm24, Mesazhi and Gazeta Zëri to distribute links to miimall.com and bilgiliyor.com, as well as the YouTube channel “Timeforlon” in the US, employing teams of 4-8 people for each website, all in North Macedonia.
Finally, the group “Viral Stories” operates through “Albanian Media” to feed viralstories.com. This group’s pages are also managed in North Macedonia.
Analysis of the code of the websites to which the social media posts lead shows that the ultimate goal is links selling miracle cures at bargain prices. The pages to which the traffic is directed are filled with fake doctor testimonials.
Their concentration in North Macedonia, according to Jashari, is a consequence of the experience created and the complexity of the cases, where despite the penal legislation for cybercrime, criminal prosecution is difficult.
“So the legal vacuum here is often not a total lack of laws, but an uncovered area, where the audience and the harm are abroad,” he said.
According to him, this situation leaves it unclear who is responsible, creating a "paradise" for this activity.
"So, 'paradise' is not because everything here is free and without rules. 'Paradise' is because this combination, low cost, established experience, international networks, and difficult enforcement of laws, makes the risk relatively low, while the profit relatively high," he said.
Technical sophistication
The pages in question use almost the same images and the same methods. The source code of the pages shows the presence of aggressive ad trackers, such as adstrktrk3.top, which serve to redirect users or record fake clicks.
Webfaqet përdorin kryesisht platformën WordPress e kamufluar me një dizajn gjenerik të një blogu dhe në shumicë janë aktive prej vetëm pak muajsh. Ky grup identifikohet si Portali Aurora dhe përdor kryesisht faqe Facebook që duket sikur merren me informacion, përfshi kopjimin e titujve të njohur si Koha Ditore.
Eksperti i sigurisë, Besmir Semanaj i tha BIRN se faqet edhe pse në dukje të thjeshta kanë një nivel të lartë sofistikimi, që nga një anë synon të mashtrojë platformat si Facebook për të ndaluar bllokimin, dhe në anën tjetër, synon mashtrimin e individëve që bien pre e reklamave. “Kodi i rrezikshëm shpesh është i integruar përmes plugin-eve të modifikuara, skripteve JavaScript të obfuskuara ose rregullave të ridrejtimit në server, të cilat aktivizohen vetëm për segmente të caktuara vizitorësh”, thotë Semanaj.
Sipas tij, sofistikimi nuk qëndron te dizajni apo përmbajtja vizuale “por te aftësia për të kontrolluar dhe manipuluar trafikun, për të ndryshuar shpejt domenet dhe për të fshehur sjelljen reale të faqes nga platformat monitoruese”.
Semanaj thotë shpërndarja e adminëve në disa vende dhe përfshirja në faqe e adminëve nga vende të BE-së shërben si një mekanizëm maskimi teknik dhe operacional.
“Duke përdorur IP, llogari dhe akses nga vende të ndryshme, rrjeti krijon përshtypjen e një strukture legjitime ndërkombëtare”, tha ai.
Internacionalizimi është edhe sipas Jasharit, një prej elementëve që u mundëson përfituesve pas këtyre faqeve të fshihen.
“Kjo krijon mjegull: kur diçka shkon keq, është e vështirë të thuash shpejt kush është përgjegjës, a është kompania në SHBA, operuesit në Maqedoninë e Veriut, partnerët apo shërbimet ndërmjetëse”, tha ai.
Faqe të blera apo vjedhura
Ky rrjet i identifikuar nuk investon në prodhime mediatike dhe as në rritjen e ndjekësve përmes materialeve të publikuara; ai ka investuar në blerjen e audiencave të gatshme apo ndryshim destinacioni të faqeve të krijuara më herët, kryesisht me motive fetare apo për të shpërndarë meme.
Faqja që sot njihet si “Gazeta Zëri” me 45,000 ndjekës, e nisi jetën në vitin 2016 si “Musliman Elhamdulilah”. Pasi mblodhi mijëra besimtarë, ajo u transformua në “Ramazani Muaji i Bekuar”, më pas në “Video Interesante”, për të përfunduar sot si një portal lajmesh që ushqen faqet e reklamave. E njëjta histori është pas faqes me emrin “Mesazhi”.
Personat pas këtyre faqeve nuk kanë paragjykime fetare. Një ndër faqet është “I Belong to Jesus”; ajo publikon në anglisht kryesisht “drama” fiktive, shoqëruar me video të prodhuara me inteligjencë artificiale dhe, ironikisht, lajme të rreme për zgjedhjet e vitit 2016 në SHBA. Ndërkohë, në raste të tjera faqet janë marrë apo rrëmbyer nga përdorues në Azi. Faqja “Live News” u krijua fillimisht në Bangladesh si një faqe shkolle, para se të kthehej në një mjet propagande për audiencën shqiptare.
The “Lajm24” page with 77,000 followers began its journey bearing the name of drug trafficker “Pablo Escobar,” before becoming an “information” source. The pages have changed URL addresses where advertisements are placed several times.
For Semanaj, this practice is also part of technical camouflage.
"So-called 'zombie' pages and accounts usually have a legitimate previous history, such as abandoned portals or pages originally created for entirely different purposes, often in Asia," he said.
For his part, researcher Erlis Çela points out that using pages that previously had legitimate content makes it much more difficult for the reader to identify the fraud.
"Following (a page) is often linked to habits and behaviors that we as an audience create in relation to media and information consumption and not to verification as a preventive behavior against disinformation," Çela said.
According to him, people follow a page and trust it because they have been following it for a long time, but when it changes name and habits, it is difficult to distinguish from a part of the audience.
"When a news site changes its name and mission, part of the audience is unable to recognize the change," said Çela, adding that trust is mistakenly transferred to the information channel Facebook, Instagram or other channels.
Jashari also emphasizes this.
"This tactic is among the most dangerous, because it turns faith, especially religious or patriotic faith, into fertile ground and infrastructure for manipulation. The moment a legacy site with a "ready" audience changes ownership or orientation, the public does not realize that they are consuming a completely different product," he said.
Meanwhile, in addition to Facebook and the Web, the scheme has also been extended to YouTube and TikTok to maximize profits. For example, the “Media Shqiptare” page promotes the @LEIDSSTORY channel, which has over 21 thousand subscribers and nearly 10 million views with a declared location in North Macedonia./Reporter.al
