You may have noticed that a few media outlets have been reporting that a fake BBC website was setup to spread disinformation regarding the recent Charlie Hebdo attacks in Paris, France.On January 12, 2015 our advanced threat protection flagged the bbc-news[.]co[.]uk domain as a suspicious site. While we can’t say definitively what the motives are of the operators are, it is apparent that they are untrustworthy and potentially nefarious. The predictive classification that we used to identify and flag the site is showing the attack is very similar to former incidents that malicious actors have used in the past like the Boston Marathon malware incidents.

This post will highlight the OpenDNS Security Labs analysis of the campaign and its indicators.

Key Insights

  • Fake BBC themed website launch using bbc-news[.]co[.]uk domain
  • Social media enlisted to spread disinformation to draw visitors
  • A 16.5x spike in normal DNS queries to the website
  • Website had external links to State-sponsored (Iranian) media outlet
  • Prominent American economist and columnist enlisted to lend credibility to disinformation

The Domain

A news site getting a surge in traffic is not that uncommon. For example, a breaking story may have been released. However, in this case the circumstances were a bit more interesting. The website in question had no traffic prior to December 28, 2014 and was not affiliated with the main BBC website.

image05

Some further investigation on the IP hosting the website and the domain registration info (via WHOIS) made it apparent it had no relation to the actual BBC website. What had caught our attention was the jump from around 250 requests per hour to suddenly 3500 requests (16.5x increase). We speculated that the jump in traffic was probably caused by a popular webpage hosting a link to the fake website.

The website, bbc-news[.]co[.]uk, was registered on December 28, 2014 with 1 & 1 Internet AG by “Michael Jones”. The domain has changed hands at least once, having previously been owned by an individual using the name “Keith Szlamp” until its expiration on June 9, 2012. The following table shows the historical DNS record types associated with the bbc-news[.]co[.]uk domain.

Element

First Seen

Last Seen

Type

ns1.parked.com

9/22/10 00:06:51

3/13/12 16:50:27

NS

ns2.parked.com

9/22/10 00:06:51

3/13/12 16:50:27

NS

74.117.115.102

2/10/11 00:00:50

6/13/11 18:10:47

A

74.117.114.92

8/30/11 01:37:59

9/12/11 17:08:32

A

mx00.1and1.co.uk

12/28/14 12:22:20

12/28/14 12:22:20

MX

mx01.1and1.co.uk

12/28/14 12:22:20

12/28/14 12:22:20

MX

217.160.44.112

12/28/14 12:38:05

12/28/14 12:38:05

A

mail3.eqx.gridhost.co.uk

12/28/14 16:22:52

1/12/15 15:09:38

MX

185.24.99.98

12/29/14 00:55:46

1/9/15 21:33:18

A

ns1.tsohost.co.uk. support.tsohost.co.uk. 1419768683 10800 3600 604800 3600

12/31/14 23:54:09

1/8/15 18:16:25

SOA

ns1.tsohost.co.uk

1/3/15 07:22:16

1/6/15 18:58:59

NS

ns2.tsohost.co.uk

1/3/15 07:22:16

1/6/15 18:58:59

NS

ns1.atspace.me. hostmaster.atspace.me. 2015010801 10800 3600 1209600 7200

1/8/15 11:23:07

1/10/15 14:44:54

SOA

cash.ns.cloudflare.com. dns.cloudflare.com. 2017246806 10000 2400 604800 3600

1/9/15 11:46:55

1/9/15 20:50:56

SOA

104.28.2.91

1/9/15 11:46:55

1/12/15 20:27:02

A

104.28.3.91

1/9/15 11:46:55

1/12/15 20:27:02

A

2400:cb00:2048:1::681c:25b

1/11/15 05:38:25

1/12/15 22:12:51

AAAA

2400:cb00:2048:1::681c:35b

1/11/15 05:38:25

1/12/15 22:12:51

AAAA

cash.ns.cloudflare.com

1/12/15 15:07:02

1/12/15 15:07:02

NS

demi.ns.cloudflare.com

1/12/15 15:07:02

1/12/15 15:07:02

NS

82.197.130.234

1/12/15 22:51:24

1/12/15 22:51:24

A

cash.ns.cloudflare.com. dns.cloudflare.com. 2017276962 10000 2400 604800 3600

1/12/15 22:51:24

1/12/15 22:51:24

SOA

Using the freely available tools we were able to decipher the real IP address of the server. The IP address is associated with AS198047 and belongs to UK Webhosting Ltd. (t/a Tsohost) of 113-114 Buckingham Avenue, Slough, Berkshire, England – a brand owned by Paragon Internet Group.

image10

The domain registrant’s name, Michael Jones, could also be a misdirect. Jones remains the most popular surname in Wales, borne by 5.75% of the population. The registrant’s given name, Michael, is also a very common name throughout the world. A quick search for michael jones” uk OR wales OR scotland OR england on Google shows around 440,000 results.

Based on available information the website doesn’t appear to be malicious but the intent to deceive and perhaps harm visitors via unscrupulous file downloads or through click-fraud is a logical conclusion to draw.

Three observations reinforce said conclusion.

News of U.K. Citizen Apprehended in the Middle East on “Terror Charges”

A quick search on Twitter for bbc-new[.]co[.]uk showed us that the first mention of the domain was in relation to two Tweets on December 31, 2014 claiming that a “U.K. YouTuber” was apprehended in the Middle East on Terror Charges.

image07

We were unable to corroborate this story and found no reference to the event in question. As there was no favoriting or retweeting of the stories, this might indicate a “trial run” of the campaign.

The Promise of a Cicada 3301 Clue

Between January 2 and January 10, 2015, we began to see Tweets stating that a Cicada 3301 clue would be announced:

image12

Some even speculated that the clue was located in the comments section of the post:

image00

The Cicada 3301 puzzle has been called “the most elaborate and mysterious puzzle of the internet age” by Metro, and is listed as one of the “Top 5 eeriest, unsolved mysteries of the Internet” by The Washington Post. The first Internet puzzle started on January 5, 2012, and ran for approximately one month. A second round began one year later on January 5, 2013, and a third round is ongoing following confirmation of a fresh clue posted on Twitter on January 5, 2014. The stated intent was to recruit “intelligent individuals” by presenting a series of puzzles which were to be solved, each in order, to find the next.

Given the date that these Tweets began, the owner of the bbc-news[.]co[.]uk site likely counted on a flood of puzzle-playing people just waiting for another clue.

News Regarding The Authenticity of Charlie Hebdo Footage

Examining the co-occurrences with bbc-news[.]co[.]uk gave us additional direction. Reddit.com had a high co-occurrence score with the domain. The most recent post was to a provocative headline regarding the Charlie Hebdo case.

image14

At the time of this writing the submitter of all 3 posts have been deleted.

As the site is now offline, only the cached version remains (http://webcache.googleusercontent.com/search?q=cache:WfWMrmqES58J:bbc-news.co.uk/doubts-raised-over-authenticity-of-charlie-hebdo-footage/+&cd=1&hl=en&ct=clnk&gl=ca&client=firefox-a). When the site was live it looked indistinguishable from the legitimate bbc.co.uk website but the Google cached version has removed the stolen look and feel (as seen below).

image13

The article on the website read as follows:

Doubts raised over authenticity of Charlie Hebdo footage.

According to analysts, it appears that the footage was recorded over two takes, evidenced by a placement marker that appears by the front left wheel of the vehicle as the gunmen return from apparently gunning down a wounded Gendarme.

The killing of the french policeman is also being called into question, due to the ‘lack of blood spatter consistent with that of a close range shooting’.

As shown in the freeze frame below [no longer available], smoke is shown to emit from the weapon, with no impact or trauma appearing to register on the body of the victim. The decision of many news outlets to blur out the victim is being debated as evidence of complicity in what many are now calling a hoax.

Forensic and ballistics expert David Mayhew commented; “If the video shows events as they actually occurred, then in my opinion it is most likely that the firearm shown is discharging blanks rather than conventional ammunition”.

Whilst numerous theories have sprung up concerning this and other details, the general consensus among not just sceptics, but some major news agencies, is that the entire event was a ‘False Flag’ attack perpetrated by the CIA and/or Mossad in a “psy-ops” exercise to rouse hatred against Islam and support for what has been so far, a failing campaign in Iraq, Syria and the Middle East.

The article also links to an Islamic Republic of Iran Broadcasting (IRIB) operated Press TV interview with Dr. Paul Craig Roberts, former Assistant Secretary of the Treasury in the Reagan Administration and associate editor of the Wall Street Journal. In the article, Dr. Roberts states that the attack in Paris was a false flag operation “designed to shore up France’s vassal status to Washington.

Interesting factoid, in 1987 the French government recognized Dr. Roberts as “the artisan of a renewal in economic science and policy after half a century of state interventionism”; it inducted him into the Legion of Honor on March 20, 1987. The French Minister of Economics and Finance, Edouard Balladur, even came to the US from France to present the medal to Roberts. We find ourselves wondering if the French government will be requesting its return in the near future.

Who Connected To The Website?

Analyzing a 60 minute window between 15:00 UTC and 16:00 UTC on January 12, 2015 showed 1,491 unique client IP addresses that accessed the website via the OpenDNS infrastructure. The client IPs represent a massively distributed query base with an unsurprisingly high number of queries from clients in and around France.

image02

Utilizing OpenGraphiti (www.opengraphiti.com), OpenDNS Investigate, and a depth circle layout, we can see a defined circle representing the client IP addresses. We can also see the connections between the IP addresses and ASNs (showing a high connection rate from ISPs in France and the United States).

image06

How Did They Find The Site?

As a result of placing the bbc-news[.]co[.]uk domain into our sinkhole, we were able to analyze the referrers that directed the clients to the domain. The list of 58 referrers observed between January 12, 2015 20:39:55 and January 13, 2015 04:28:14 UTC can be found at the end of this document.

During that time period we observed 2,300 distinct queries for the bbc-news[.]co[.]uk as depicted in the following Kibana dashboard:

image08

The Charlie Hebdo events in France, however, likely represented the most successful way to bait information seeking Internet users. Based on the HTTP referrers it wasn’t long before blogs and popular social media sites (like Facebook) began linking to the fake site, as seen below.

image11

Reddit.com, as indicated previously, also provided a number of referrers and was mentioned across multiple posts.

image09

It should be noted that the timing of the Reddit.com postings preceded the spike in query traffic by roughly 20hrs.

The OpenDNS Investigate co-occurrences shows a number of Jihadi and ISIS-related websites referring to the bbc-news[.]co[.]uk site.

image03

Conclusions

While we can’t say definitively what the motives are of the operators are, it is apparent that they are untrustworthy and potentially nefarious. The predictive classification that we used to identify and flag the site is showing the attack is very similar to former incidents that malicious actors have used in the past like the Boston Marathon malware incidents.

Though we cannot conclude that the threat actor’s intent was malicious, it was almost certainly employed to plant “false flags” and drive traffic to the bbc-news[.]co[.]uk website. In a corporate environment, had one or two queries to the domain been noticed, the majority of individuals would likely have thought nothing of it. The domain name did not read as malicious and it aligned with the BBC look and feel. Only after the traffic is compared to a larger population, like the 50m+ customers using the OpenDNS infrastructure, could it be noticed that the site traffic trended higher than usual – a potential indicator of compromise (IOC).

So who is/was the threat actor and what is/was their goal?

The use of social media (namely Twitter and Reddit) to spread the 3 distinct enticements – the “Youtuber terror threat” false flag, the release of a Cicada 3301 clue, and the Charlie Hebdo false flag – indicates a reasonable knowledge of the Internet, SEO-like traffic generation techniques, and current events.

The Cicada 3301 clues have typically been released on January 5 in years past so that part of the campaign was, if anything, timely. Could this have been an elaborate ploy to provide a valid clue to the game? Unlikely. Why would the “Cicada 3301 organization” utilize a fake news site to communicate the clue? The risk for brand pollution and subsequent legal action are far too great, in our opinion, to warrant such tactics. Also, the Cicada organization would probably not wish to align itself with such controversial disinformation or political polarization.

As mentioned however, the Charlie Hebdo events in France likely represented the most successful way to bait information seeking Internet users. Based on the HTTP referrers it wasn’t long before blogs and popular social media sites (like Facebook and Reddit) began linking to the fake site.

The campaign also does not appear to target any individual, group, or geopolitical region. The use of relevant news indicates that a broad net was cast in an effort to draw as many individuals from social media and other sources to the site.

One might conclude that, given the recent events surrounding Charlie Hebdo in Paris, the posting of disinformation on the bbc-news[.]co[.]uk site, and links to an Iranian state-sponsored news agency corroborating the same disinformation, that this was a State-executed, State-ordered, State-integrated, or State-rogue-conducted activity backed by Iran. Given all available information, however, this conclusion might be as inflammatory and misinformed as the campaign itself.

It’s also possible that Dr. Paul Craig Roberts, the former Assistant Secretary of the Treasury in the Reagan Administration and associate editor of the Wall Street Journal, had some ties to the campaign in an effort to garner attention for his views and political stance. Again, however, all available information cannot conclusively attribute this to Dr. Roberts in any way.

What can be discerned from this campaign is how staggeringly malicious it could have been. The campaign presented similar indicators as witnessed in spam email runs and rapidly constructed websites surrounding the Boston Marathon bombing. As the bbc-news[.]co[.]uk domain appeared (without deep investigation) to be associated with BBC and its brand, it is reasonable to assume that many more individuals could have been driven to the site. Once at the site, individuals could have been served malicious content, redirected to other more dangerous fraudulent sites, or unknowingly enlisted for click fraud purposes, to name but a few.

This very well could have been a campaign of “test runs” to see what type of SEO-like keywords, stories, and links generated the most traffic to a seemingly reputable domain. Based on the success or failure of the test runs, the attacker could refactor or move forward, respectively, with a more malicious campaign. OpenDNS Security Labs will continue to monitor the domain to see if the campaign evolves or if the threat actor changes tactics entirely.

Appendix: List of the 58 referrers

  • http://bbc-news[.]co[.]uk/cicada-3301-set-to-deliver-new-clues-on-january-5th-2015/
  • http://bbc-news[.]co[.]uk/doubts-raised-over-authenticity-of-charlie-hebdo-footage/
  • http://cgi[.]webbox[.]com/wbwc/webbox[.]asp?sec=0&r=6563&act=rd&ms=416915022&cf=861503&ses=12534786&p=360628
  • http://forums[.]somethingawful[.]com/showthread[.]php?threadid=3569772&userid=0&perpage=40&pagenumber=106
  • http://gfy[.]com/fucking-around-and-program-discussion/1158787-suspicions-growing-french-shootings-false-flag-operation[.]html
  • http://hommaforum[.]org/index[.]php/topic,98014[.]2610[.]html
  • http://joemonster[.]org/filmy/66340/I_am_NOT_Charlie_Hebdo_Max_Kolonko_Mowi_Jak_Jest
  • http://l[.]facebook[.]com/l[.]php?u=http%3A%2F%2Fbbc-news[.]co[.]uk%2Fdoubts-raised-over-authenticity-of-charlie-hebdo-footage%2F&h=gAQHsqFlo&enc=AZOgdpWwQ-18pFpuLvMZr-vqwnGg203ywHZn8PAsOTgHJZD3x9Hqf8e5QLTxu8W1cl_IrxQb6eKgRnOo9gFa6liR-_SSe_niMp8bG0rvpcl6V11bAe_GO6VtES2YY20zjBBj1xkCq4dhj5qKMQhMpJrstiUzXHLPpoPnk3YW1gGMLw&s=1
  • http://l[.]facebook[.]com/l[.]php?u=http%3A%2F%2Fbbc-news[.]co[.]uk%2Fdoubts-raised-over-authenticity-of-charlie-hebdo-footage%2F&h=lAQEcMVsPAQEWcg7aRZNWHQFhPcCE2ppo5iEEzuLIRMdmQg&enc=AZMzFs_jZ-sANKBjyUU-FHqkswOdOOVuPzF8JR4ouG1dAB2YO7mDRyKBGv8N3-R6KAnNQGBoON2GadI94g6qcBdaScR2ZJVmR2MSAseIaOpuqaXx6BSuaqhRxcnsmx9wseabbtslJIg3eqGP09jKU-lf9AgAD8sfz-Q-FScq7QEHfw&s=1
  • http://l[.]facebook[.]com/l[.]php?u=http%3A%2F%2Fbbc-news[.]co[.]uk%2Fdoubts-raised-over-authenticity-of-charlie-hebdo-footage%2F&h=nAQFdN26J&enc=AZOyK7yuimhhgnacntBN0uGoT-mLXeBdgTlDRBqfWf63Q5EOrFfb4HpOnJW_bi5-KkEDN47DmozxZtLLTKZhImimddXOVcZDKVaMq9Q3bKvH2sUTiyGHpXWMdWo-VUZhnhGYXju1kiy7omQ321qIHOha&s=1
  • http://l[.]facebook[.]com/l[.]php?u=http%3A%2F%2Fbbc-news[.]co[.]uk%2Fdoubts-raised-over-authenticity-of-charlie-hebdo-footage&h=LAQFW4gN4&enc=AZMgNEm0JECnE0tWtCsSL8ZlQDH-y5nHSHi9JCwyqrZTKFUKQnJerTrkMdIZqXF_n-AfAHAPJE3-aE31pAv1FcMzA76lrskHZKrQmgdfhyqujenAM70iY0dgKPOmX5pcKwPGyHZ2_kioQ53krIeTNvSP&s=1
  • http://l[.]facebook[.]com/lsr[.]php?u=http%3A%2F%2Fbbc-news[.]co[.]uk%2F&ext=1421096817&hash=AcnXQcbjvxd6azFguwv3pU951XmW3MvMVRXF1FX3Nz8i6A
  • http://l[.]facebook[.]com/lsr[.]php?u=http%3A%2F%2Fbbc-news[.]co[.]uk%2Fdoubts-raised-over-authenticity-of-charlie-hebdo-footage%2F&ext=1421098908&hash=Acn3QcXquQVwedUQfdCnOs4ttCZu5nX9c3LmrpRbHgakpA
  • http://muckrack[.]com/link/ypx4o/
  • http://plus[.]url[.]google[.]com/url?sa=z&n=1421096109533&url=http%3A%2F%2Fbbc-news[.]co[.]uk%2Fdoubts-raised-over-authenticity-of-charlie-hebdo-footage%2F&usg=ZYcJs9rk9glioLUEkTWOfdzgAZM[.]
  • http://plus[.]url[.]google[.]com/url?sa=z&n=1421100283728&url=http%3A%2F%2Fbbc-news[.]co[.]uk%2Fdoubts-raised-over-authenticity-of-charlie-hebdo-footage%2F&usg=evpz4vi4HXuMeYUGnnjZYCaqa2w[.]
  • http://plus[.]url[.]google[.]com/url?sa=z&n=1421101229815&url=http%3A%2F%2Fbbc-news[.]co[.]uk%2Fdoubts-raised-over-authenticity-of-charlie-hebdo-footage%2F&usg=IXeoYEZiApBpJeChEHRX9deWuAg[.]
  • http://plus[.]url[.]google[.]com/url?sa=z&n=1421105776174&url=http%3A%2F%2Fbbc-news[.]co[.]uk%2Fdoubts-raised-over-authenticity-of-charlie-hebdo-footage%2F&usg=I40Bc7kbx9_sdrhutqyA9XvQK1U[.]
  • http://plus[.]url[.]google[.]com/url?sa=z&n=1421105833487&url=http%3A%2F%2Fbbc-news[.]co[.]uk%2Fdoubts-raised-over-authenticity-of-charlie-hebdo-footage%2F&usg=YLVakB3Jtt6Ws7FmXzMZ60rPEgU[.]
  • http://projectavalon[.]net/forum4/showthread[.]php?78924-BBC-Doubts-raised-over-authenticity-of-Charlie-Hebdo-footage[.]
  • http://removingtheshackles[.]blogspot[.]ca/
  • http://removingtheshackles[.]blogspot[.]co[.]uk/2015/01/the-bbc-did-not-admit-france-was-false[.]html
  • http://removingtheshackles[.]blogspot[.]com[.]au/
  • http://removingtheshackles[.]blogspot[.]com[.]au/2015/01/the-bbc-did-not-admit-france-was-false[.]html?m=1
  • http://removingtheshackles[.]blogspot[.]com[.]es/2015/01/the-bbc-did-not-admit-france-was-false[.]html
  • http://removingtheshackles[.]blogspot[.]com/
  • http://removingtheshackles[.]blogspot[.]com/2015/01/the-bbc-did-not-admit-france-was-false[.]html
  • http://removingtheshackles[.]blogspot[.]dk/2015/01/the-bbc-did-not-admit-france-was-false[.]html
  • http://t[.]co/bKzMDEOigv
  • http://uncovering-cicada[.]wikia[.]com/wiki/Fake_bbc_2015
  • http://webcache[.]googleusercontent[.]com/search?q=cache:9VzKB8vdlmcJ:bbc-news[.]co[.]uk/+&cd=1&hl=de&ct=clnk&client=safari
  • http://webcache[.]googleusercontent[.]com/search?q=cache:WfWMrmqES58J:bbc-news[.]co[.]uk/doubts-raised-over-authenticity-of-charlie-hebdo-footage/+&cd=1&hl=en&ct=clnk&gl=ca&client=firefox-a
  • http://webcache[.]googleusercontent[.]com/search?q=cache:WfWMrmqES58J:bbc-news[.]co[.]uk/doubts-raised-over-authenticity-of-charlie-hebdo-footage/+&cd=1&hl=en&ct=clnk&gl=uk&client=firefox-a
  • http://webcache[.]googleusercontent[.]com/search?q=cache:WfWMrmqES58J:bbc-news[.]co[.]uk/doubts-raised-over-authenticity-of-charlie-hebdo-footage/+&cd=1&hl=en&ct=clnk&gl=us
  • http://whatreallyhappened[.]com/
  • http://www[.]boards[.]ie/vbulletin/showthread[.]php?t=2057359580
  • http://www[.]coveritlive[.]com/index2[.]php/option=com_altcaster/task=viewaltcast/template=/altcast_code=c75389334d/width=534/height=700
  • http://www[.]facebook[.]com/l[.]php?u=http%3A%2F%2Fbbc-news[.]co[.]uk%2Fdoubts-raised-over-authenticity-of-charlie-hebdo-footage%2F&h=eAQHnbbPq
  • http://www[.]godlikeproductions[.]com/forum1/message2767345/pg1
  • http://www[.]google[.]ca/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CC0QFjAC&url=http%3A%2F%2Fbbc-news[.]co[.]uk%2Fdoubts-raised-over-authenticity-of-charlie-hebdo-footage%2F&ei=X3q0VMf5Loz7sASdmYDoBw&usg=AFQjCNFXTI_YlW7ay2z6ku6Bm9y_oEsSBA
  • http://www[.]google[.]ca/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CC0QFjAC&url=http%3A%2F%2Fbbc-news[.]co[.]uk%2Fdoubts-raised-over-authenticity-of-charlie-hebdo-footage%2F&ei=X3q0VMf5Loz7sASdmYDoBw&usg=AFQjCNFXTI_YlW7ay2z6ku6Bm9y_oEsSBA&bvm=bv[.]83339334,d[.]d24
  • http://www[.]google[.]com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0CC8QFjAD&url=http%3A%2F%2Fbbc-news[.]co[.]uk%2Ftag%2Fcicada-3301-2015%2F&ei=Jlm0VNrEGcS_ggS82oPQCg&usg=AFQjCNExoKS8_kY9tYmjnnSu6Vqu3u1hlg&sig2=owJM6jFARhCCCL_QKJ-oJw&bvm=bv[.]83339334,d[.]eXY
  • http://www[.]google[.]de/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CCMQFjAA&url=http%3A%2F%2Fbbc-news[.]co[.]uk%2Fdoubts-raised-over-authenticity-of-charlie-hebdo-footage%2F&ei=jDi0VKzEJYHgywOhxIKIDg&usg=AFQjCNFXTI_YlW7ay2z6ku6Bm9y_oEsSBA
  • http://www[.]google[.]ie/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CCIQFjAA&url=http%3A%2F%2Fbbc-news[.]co[.]uk%2Fdoubts-raised-over-authenticity-of-charlie-hebdo-footage%2F&ei=0lm0VO38EYLC7gb9woGQAQ&usg=AFQjCNFXTI_YlW7ay2z6ku6Bm9y_oEsSBA&bvm=bv[.]83339334,d[.]ZGU
  • http://www[.]politics[.]ie/forum/northern-ireland/233813-belfast-muslim-s-praise-islamic-state-s-rule-mosul-6[.]html
  • http://www[.]reddit[.]com/
  • http://www[.]reddit[.]com/r/conspiracy/comments/2s3qbd/doubts_raised_over_authenticity_of_charlie_hebdo/
  • http://www[.]reddit[.]com/r/skeptic/comments/2s696v/charlie_hebdo_false_flag_nonsense_need_some_help/
  • http://www[.]removingtheshackles[.]blogspot[.]ca/
  • http://www[.]thejournal[.]ie/mobile-apps/
  • http://www[.]theoccidentalobserver[.]net/2015/01/alain-de-benoist-on-charlie-hebdo/
  • http://www[.]veteranstoday[.]com/2015/01/12/bbcpresident-of-france-false-flag-terrorism-in-paris/
  • http://www[.]zerohedge[.]com/news/2015-01-12/slain-paris-terrorist-claims-he-was-working-isis-posthumous-video-explains-reasons-a?page=1
  • https://www[.]facebook[.]com/
  • https://www[.]google[.]ca/
  • https://www[.]google[.]co[.]uk/
  • https://www[.]google[.]com/
  • https://www[.]google[.]it/

This post is categorized in: