22 Sep 2020

Tracing Internet Relationships with Maltego Using Only Two Transforms

Maltego Team

Although misinformation spread via media has always existed, it seems to have exploded in significance with the 2016 U.S. presidential elections. The dissemination of “fake news” on the internet has been weaponized to the extent that it has become a new front in cyber-warfare, with over 30 countries employing “troll farms” to fight internal opposition and destabilize other governments.

Studying the relationships between various internet artifacts can help us understand how misinformation spreads and who stands to profit from it. As a graphical link analysis tool, Maltego can help investigators visualize and understand these networks. In this blog post, we will demonstrate how to easily trace internet relationships by spidering out relevant links to a website with only a couple of Maltego Transforms.

With the release of the Maltego Standard Transforms, we added the To Links [Found on web page] Transform. This Transform scrapes a web page’s HTML source and returns all the URLs found in it. The resulting links can be used to discover how information (and misinformation) flows through the web.

In this tutorial, we will be using this Transform to map out the relationships of the infamous Infowars[.]com.

Starting the Network

To start off, we will insert the URL of the page to be investigated as a URL Entity and run the To Links [Found on web page] Transform on it.

Most of the 151 URLs returned lead to other Infowars webpages and to some domains in the Infowars network, such as prisonplanet[.]com.

Some insights can already be gleaned from these initial results. If we run the To Website [Convert] Transform on the URLs returned by the last Transform, we can group the URLs into websites and discover which channels are frequently used to communicate with Infowars’s audience.

For example, the graph shows multiple links to videos on the site banned[.]video. Banned[.]video was founded by Infowars’s parent company, Free Speech Systems LLC, after Infowars was banned from several social networks.

The messaging app Telegram, the “anti-Facebook” cryptocurrency-based social network Minds, and Gab, a social network criticized for harboring a far-right userbase, are also linked to Infowars.

By selecting the Ball Size by Rank Viewlet, we can enter a Maltego graph view where the size of each Entity is based on its number of links and the sum of its neighbors’ links. The size of the Entities can then be used as a proxy for their relative importance.

Ball Size by Rank Viewlet in Maltego

To be able to find more links to external websites and discover more relationships, we are going to run the To Links [Found on web page] Transform two more times. Since this Transform runs on URLs and not websites, we will only select the URL Entities and then run the Transform.

Spidering out a few layers

Running the To Links Transform again will return a large number of Entities, which we will then want to group into websites and finally domains to visualize the relationships between the different internet Entities.

Instead of using the same Transform as before and then converting the resulting URLs to Webpages, we will use the To Website [Links on this web page] Transform for this step.

Run the To Website [Links on this web page] Transform

Alternatively, if you would like to continue finding external links in the URLs for multiple iterations, it is a good idea to filter the URLs before running the Transforms again, since the number of Entities returned in each step will grow exponentially.

As a small trick, freezing and then refreshing the graph will help speed up the Transforms when working with so many Entities.

Drawing Conclusions

Lastly, we are going to find the domains corresponding to all webpages resulting from the last step with the To Domains [DNS] Transform.

To analyze the results, we will once again select the Ball Size by Rank Viewlet.

While the Ball Size by Incoming Links Viewlet could be useful here as well (since Domain Entities only have incoming and no outgoing links), the Ball Size by Rank Viewlet is a better choice for our investigation. Because the ranks are calculated taking the neighboring Entities’ links into account as well, the Viewlet reflects not only how many Webpage Entities are linking to each domain, but also how many URL Entities are linking to each webpage.

Since webpages tend to group URLs (for example, twitter.com has over 1400 incoming links from URLs in this graph), Ball Size by Rank Viewlet should more accurately portray the degree of connections between our initial URL and the domains.
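To make the pipeline described above concrete (To Links: scrape a page’s HTML and return its URLs; To Website: group URLs by scheme and host; To Domains: reduce websites to their domain; Ball Size by Rank: size each node by its own link count plus the sum of its neighbors’ link counts), here is a stand-alone Python sketch. It is an added example written for this post, not Maltego’s code: the real Transforms and the exact rank formula used by the Viewlet are not published here, so the scoring below is an assumption that follows the description in the text. The seed page and its HTML are constructed (`.example` hosts), and the domain step uses a simple last-two-labels heuristic that ignores multi-label suffixes such as co.uk.

```python
"""Constructed sketch of the URL -> Website -> Domain pipeline with a
degree-based rank. Illustrative only; not Maltego's own implementation."""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkExtractor(HTMLParser):
    """Collects absolute http(s) hrefs from <a> tags (the 'To Links' step)."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                absolute = urljoin(self.base_url, value)  # resolve relative paths
                # Drop mailto:, javascript: and similar non-web schemes.
                if urlsplit(absolute).scheme in ("http", "https"):
                    self.links.append(absolute)


def links_on_page(page_url, html):
    """Return the unique http(s) URLs found in one page's HTML source."""
    parser = LinkExtractor(page_url)
    parser.feed(html)
    return sorted(set(parser.links))


def to_website(url):
    """'To Website [Convert]': keep only scheme and host, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc.lower()}"


def to_domain(website):
    """'To Domains': registered domain via a last-two-labels heuristic
    (assumption; does not handle suffixes like co.uk)."""
    host = urlsplit(website).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def build_graph(pages):
    """pages: {page_url: html}. Returns the set of directed edges
    page -> URL -> website -> domain, mirroring the Transform chain."""
    edges = set()
    for page_url, html in pages.items():
        for link in links_on_page(page_url, html):
            site = to_website(link)
            edges.add((page_url, link))
            edges.add((link, site))
            edges.add((site, to_domain(site)))
    return edges


def rank(edges):
    """Rank = own link count + sum of neighbours' link counts (undirected).
    Assumed approximation of the 'Ball Size by Rank' idea in the text."""
    neighbours = defaultdict(set)
    for a, b in edges:
        neighbours[a].add(b)
        neighbours[b].add(a)
    degree = {n: len(nb) for n, nb in neighbours.items()}
    return {n: degree[n] + sum(degree[m] for m in neighbours[n]) for n in neighbours}


def investigate(pages):
    """Run the whole chain and return (edges, ranks)."""
    edges = build_graph(pages)
    return edges, rank(edges)


# Constructed seed page: two internal stories, two videos on one external
# site, one social profile, plus two links that must be filtered out.
SEED_URL = "https://news.example/index.html"
SAMPLE_HTML = """
<a href="/story/one.html">Story one</a>
<a href="https://news.example/story/two.html">Story two</a>
<a href="https://video.example/watch/abc">Video</a>
<a href="https://video.example/watch/xyz">Another video</a>
<a href="https://social.example/news_example">Follow us</a>
<a href="mailto:tips@news.example">Tips</a>
<a href="javascript:void(0)">Menu</a>
"""

if __name__ == "__main__":
    _, ranks = investigate({SEED_URL: SAMPLE_HTML})
    # Domains only receive links, so their rank is driven by neighbours:
    # video.example (two URLs behind it) outranks social.example (one URL).
    for node, score in sorted(ranks.items(), key=lambda kv: -kv[1]):
        print(f"{score:3d}  {node}")
```

Feeding the seed page through `investigate` yields thirteen edges; the seed URL ranks highest, and among the domains video.example (reached through two URLs) scores above social.example (reached through one), which is the effect the post describes: the Viewlet credits a domain for the URLs behind its webpages, not just for the webpages themselves.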

Ball Size by Rank Viewlet in Maltego

These Transforms can be used to explore not only interconnected webpages sharing similar ideologies (breitbart[.]com and summitnews[.]com), but also which channels they communicate through (Twitter, YouTube, various podcasting services), which technologies they employ (Cloudflare, Google tags, OneSignal), and how they earn money (infowarsstores[.]com).

Expanding and Deepening the Investigation

Countless insights can be uncovered by using Maltego to analyze the connections between different parts of the internet, be it through links, matching tracking codes, DNS servers, or IPs (with our Maltego Standard Transforms), or through shared images (with TinEye Transforms). We hope this blog post served as an inspiration for your future investigations!

We would love to hear about your experience and use cases for these Transforms. Keep visiting our blog, follow our Twitter and LinkedIn pages, and subscribe to our email newsletters for more interesting walkthroughs, announcements and use cases, or to post your ideas, questions and comments.
