17 Feb 2021

Investigating Misinformation & Disinformation: Part 2

Maltego Team

In Part 1 of our Misinformation and Disinformation blog series, we talked about intent being the key differentiator between misinformation and disinformation, reasons why we not only allow but fuel the spread of “fake news”, and lastly, we gave some pointers to help you to verify whether a story is true or fake news.

We also mentioned how Maltego can be used by anyone to help investigate misinformation and disinformation. To show you how this can be done, this article will walk you through a series of steps that can be taken using Maltego to investigate a suspicious news article found on a social media post.

Misinformation & Disinformation: A Two-Part Maltego Blog Series 🔗︎

We have created a two-part blog series to raise awareness of misinformation and disinformation, and how one can conduct simple but insightful disinformation investigations with Maltego.


Investigating Fake News with Maltego Transforms 🔗︎

Fake news is not always easy to spot, much less differentiate from inaccuracies in reporting, opinion pieces, and even satirical content, which further facilitates the spread of misinformation and disinformation. The good news is that digital artifacts (IP addresses, URLs, webpages, domains, and many more) are a product of said spread, and they constitute networks of evidence that can be traced and studied.

Fake news characteristic illustration

Where Maltego Comes In 🔗︎

By allowing investigators to access OSINT and third-party data, Maltego can help map misinformation and disinformation networks and study the relationships between the different artifacts that constitute them, understand how a particular piece of fake news spreads, and potentially determine who is behind a specific campaign.

Maltego Investigation on A Suspicious News Article Found on Social Media 🔗︎

While scrolling through your social media feed, you may find posts that link to seemingly suspicious news articles. Let’s say we find such a post with a heading that looks suspicious or outlandish, we click on it and after reading the article we still have doubts about the information it presents or the reliability of the website hosting it. Time to fire up Maltego!

Maltego fake news investigation flow chart

Step 1: Perform A Phrase Search to Cast A Wide Net 🔗︎

Let’s start with a “catch all” type of query which will help us gain a general perspective of how widespread the allegations in the article are across the internet. All you need to do is drag a phrase Entity into the Maltego graph and name it with a phrase or term containing the core allegation of the article.


Now run the To Website [using Search Engine] Transform from the Phrase Entity to return websites containing the phrase you are looking for. You may use more than one Phrase Entity if, for example, you wish to search for the story across different languages.

Step 2: Extract the Website Hosting the Article 🔗︎

You will now copy the article’s URL from the search engine and paste it onto the Maltego graph. Worry not, Maltego will recognize it as a URL and adopt the corresponding Entity. You can also bookmark the Entity to help keep track of this entry point as your investigation progresses and your graph expands.

From the URL Entity, run the To Website [Convert] Transform to obtain the website hosting the article you read. The resulting Entity may form a link between it and the websites you obtained in Step 1.

We will now select the websites obtained through Step 1 and run the To URLs [show Search Engine results] Transform which will return all the web pages (URL Entities) that resulted from the query performed with the Transform used In Step 1.

An optimal result for our investigation would be a link forming between the URL we pasted at the beginning of this step and one of the resulting ones from the Transform we just ran, but this is not always the case. Given that the results of the last Transform would be those you obtain on the search engine, you may also at this point review the URLs and remove those that may not be relevant to the investigation.

Step 3: Perform Network Reconnaissance 🔗︎

We will pull some infrastructure data from our target URL to analyze its network environment. Depending on our results, we may be able to establish stronger links to other websites that either portray similar ideologies or might have themselves been victims of misinformation or a disinformation campaign.

First, we will select the Website Entity we obtained In step 2 and run the To IP Address [DNS] Transform to extract the IP address(es) resolving from the target website. Once we have retrieved the IP Address Entity(ies), we will select them and run the To Website using IP [Bing] Transform to find other websites that have been hosted on the same IP(s).

Again, at this point, the resulting website Entities may form links with those you already have on the graph, thus forming the network behind the spread of this article.

Step 4: Extract Tracking Codes and Other Technologies 🔗︎

Go back once more to the website Entity you obtained in Step 2, select it, and run the To Relationships [BuiltWith] Transform to find tracking codes from services such as Facebook Pixel, Google Analytics, Google Tag Manager, among other internet technologies. The returned Entity(ies) will be queried later on as we explore the article’s network and infrastructure.


We will now query for data related to our target URL. This will help us continue mapping out the network behind the article and uncover hidden relationships.

Firstly, we will look for URLs linked to the article, and therefore the website hosting it, by running the To Links [Found on web page] Transform on the URL Entity we pasted into the graph in Step 2. This Transform will scrape the HTML source code of the target webpage and return all external links found.

Considering the Transform might return hundreds of URLs, an efficient way to visualize the type of websites we are dealing with is to run the To Website [Convert] Transform on the resulting URLs. This way, the resulting Entities will automatically group the URLs by Website when possible.

Since the resulting URL and website Entities may help us further construct the network behind the story by presenting us with more links between them and those already on the graph, it is always important to carry out a manual analysis in order to discard any non-relevant results to our investigation.

Secondly, we will attempt to extract the external links found on the Website Entity we obtained in Step 2 by running the Mirror: External links found Transform on it. Remember that:

  1. The links will be returned as Website Entities, and
  2. Not all sites are mirror-friendly. For example, Flash-based sites and those with exotic JavaScript menus and redirects.

Lastly, we will go back to our initial URL and run the To Images [Found on web page] Transform on it. This Transform will scrape the web page for the images found in it, including those that illustrate the article itself and those that are part of suggested article links, advertisements, etc. Depending on the images extracted, the results may allow us to analyze whether other websites where the images are featured portray the same or related stories.

Step 6. Spider Out & Analyze the Article’s Network and Infrastructure 🔗︎

We will now return to the tracking codes we obtained in Step 4 by selecting the Entities that resulted from the To Relationships [BuiltWith] Transform and running the To Matches [show BuiltWith results] Transform.

Given that a tracking code is assigned to a specific customer, obtaining other websites may indicate that they belong to the same individual or organization, or that the account behind the tracking codes has been compromised and is being used for different websites without authorization.

To continue, we will look at the thumbnails from the images we obtained in Step 5 and select the ones that may be useful, which would usually be somewhat unique images (outlandish, possibly manipulated, memes, etc.).

Once you have found images you consider useful, run the Search for pages linking to similar images [TinEye] Transform. The resulting backlinks will allow us to further understand the network behind the article. In case we obtained many results, it is always recommended to run the To Website [Convert] Transform to see how the URLs group.


It is time to spider out the network! At this point, you may re-run the To Links [Found on web page] Transform on the URL Entities obtained in Step 5 several times, but remember to analyze the URLs returned before each new run in a similar way as the one portrayed here. You may also take the relevant URLs you obtained on step 2 and query them the same way you did the target URL.


Investigating Disinformation Campaigns: What to Watch Out For 🔗︎

Networks behind webpages can quickly become densely populated, which is why it is always important to review the results obtained after running Transforms and discard any Entities that may not be relevant to the overall investigation. For example, after extracting images or links from a web page, you may wind up with data from paid advertisements completely unrelated to your investigation.

It is also important to pay attention to any links pointing out forums or social media targeting fringe political and ideological views and theories since they might give away the intent behind the website sharing the article as well as the reader segment it is targeting.

Similarly, if our target article is one in which a specific product, brand, or organization is being questioned or attacked, it is then important to keep an eye out for links that might point to specific groups or competitors which might indicate a potential smearing campaign designed to affect the opponent’s reputation or financial standing.

Similar websites linked by IP addresses or tracking codes will help you build out the network behind your target web page, they will also help you understand if the content’s spread across geographies or demographics was fueled by more than algorithms.

How to Further Extend Your Investigation 🔗︎

Remember that the Transforms represented on the flow chart are only a selection of our freely available data sources. There are many more that can be used to pivot and dive deeper into disinformation networks.

For example, using Transforms from data partners with identification capabilities and social media data such as Pipl or Social Links will help you trace the spread of a story across groups and forums, and pinpoint influential users that may be acting as gatekeepers or information.

Download this infographic and the investigative flowchart to share with your teams and colleagues!

Mitigate Disinformation Campaigns Ahead of Elections 🔗︎

As your next step, you can watch the deep-dive session with our SMEs where they explore strategies for monitoring the spread of disinformation and present solutions to tackle some of the electoral challenges of this day and age using Maltego.

Watch now!

Download the resource

DE +49
Albania +355
Algeria +213
Andorra +376
Angola +244
Anguilla +1264
Antigua And Barbuda +1268
Argentina +54
Armenia +374
Aruba +297
Australia +61
Austria +43
Azerbaijan +994
Bahamas +1242
Bahrain +973
Bangladesh +880
Barbados +1246
Belarus +375
Belgium +32
Belize +501
Benin +229
Bermuda +1441
Bhutan +975
Bolivia +591
Bosnia and Herzegovina +387
Botswana +267
Brazil +55
Brunei Darussalam +673
Bulgaria +359
Burkina Faso +226
Burundi +257
Cambodia +855
Cameroon +237
Canada +1
Cape Verde +238
Cayman Islands +1345
Central African Republic +236
Chile +56
China +86
Cote d'Ivoire +225
Colombia +57
Comoros +269
Congo +242
Cook Islands +682
Costa Rica +506
Croatia +385
Cuba +53
Cyprus +90392
Czech Republic +42
Denmark +45
Djibouti +253
Dominica +1809
Dominican Republic +1809
Ecuador +593
Egypt +20
El Salvador +503
Equatorial Guinea +240
Eritrea +291
Estonia +372
Ethiopia +251
Falkland Islands (Malvinas) +500
Faroe Islands +298
Fiji +679
Finland +358
France +33
French Guiana +594
French Polynesia +689
Gabon +241
Gambia +220
Georgia +7880
Germany +49
Ghana +233
Gibraltar +350
Greece +30
Greenland +299
Grenada +1473
Guadeloupe +590
Guam +671
Guatemala +502
Guinea +224
Guinea-Bissau +245
Guyana +592
Haiti +509
Honduras +504
Hong Kong +852
Hungary +36
Iceland +354
India +91
Indonesia +62
Iran, Islamic Republic of +98
Iraq +964
Ireland +353
Israel +972
Italy +39
Jamaica +1876
Japan +81
Jordan +962
Kazakhstan +7
Kenya +254
Kiribati +686
Korea, Democratic People's Republic of +850
Korea, Republic of +82
Kuwait +965
Kyrgyzstan +996
Lao People's Democratic Republic +856
Latvia +371
Lebanon +961
Lesotho +266
Liberia +231
Libyan Arab Jamahiriya +218
Liechtenstein +417
Lithuania +370
Luxembourg +352
Macao +853
Macedonia, the former Yugoslav Republic of +389
Madagascar +261
Malawi +265
Malaysia +60
Maldives +960
Mali +223
Malta +356
Marshall Islands +692
Martinique +596
Mauritania +222
Mauritius +230
Mayotte +269
Mexico +52
Micronesia, Federated States of +691
Moldova, Republic of +373
Monaco +377
Mongolia +976
Montserrat +1664
Morocco +212
Mozambique +258
Myanmar +95
Namibia +264
Nauru +674
Nepal +977
Netherlands +31
New Caledonia +687
New Zealand +64
Nicaragua +505
Niger +227
Nigeria +234
Niue +683
Norfolk Island +672
Northern Mariana Islands +670
Norway +47
Oman +968
Pakistan +92
Palau +680
Panama +507
Papua New Guinea +675
Paraguay +595
Peru +51
Philippines +63
Poland +48
Portugal +351
Puerto Rico +1787
Qatar +974
Reunion +262
Romania +40
Russian Federation +7
Rwanda +250
San Marino +378
Sao Tome and Principe +239
Saudi Arabia +966
Senegal +221
Serbia +381
Seychelles +248
Sierra Leone +232
Singapore +65
Slovakia +421
Slovenia +386
Solomon Islands +677
Somalia +252
South Africa +27
Spain +34
Sri Lanka +94
Saint Helena +290
Saint Kitts and Nevis +1869
Saint Lucia +1758
Sudan +249
Suriname +597
Swaziland +268
Sweden +46
Switzerland +41
Syrian Arab Republic +963
Taiwan +886
Tajikistan +7
Thailand +66
Togo +228
Tonga +676
Trinidad and Tobago +1868
Tunisia +216
Turkey +90
Turkmenistan +993
Turks and Caicos Islands +1649
Tuvalu +688
Uganda +256
United Kingdom +44
Ukraine +380
United Arab Emirates +971
Uruguay +598
United States +1
Uzbekistan +7
Vanuatu +678
Holy See (Vatican City State) +379
Venezuela +58
Viet Nam +84
Virgin Islands, British +84
Virgin Islands, U.S. +84
Wallis and Futuna +681
Yemen +967
Zambia +260
Zimbabwe +263

By clicking on "Access", you agree to the processing of the data you entered and you allow us to contact you for the purpose selected in the form. For further information, see our Data Privacy Policy.

Don’t forget to follow us on Twitter and LinkedIn or subscribe to our email newsletter to stay tuned for more use cases, product, and Transform updates.

Happy investigating!

By clicking on "Subscribe", you agree to the processing of the data you entered and you allow us to contact you for the purpose selected in the form. For further information, see our Data Privacy Policy.