
Russian Meddling in North Carolina Politics, or Cialis Spam?

March 12, 2018

By Aric Toler


North Carolina congressional candidate Linda Coleman made national headlines last week when her campaign discovered that an old domain used for a previous election — LindaForNC.com — was hijacked by a Russian. Coleman saw political motives behind the incident, calling the “tampering” an “underhanded and deceptive” move. A number of local and national news articles about the incident brought up the ongoing “Russiagate” scandal, regarding Russian involvement in the 2016 U.S. presidential campaign, along with how the so-called “St. Petersburg Troll Factory” (Internet Research Agency) organized political rallies in Charlotte, North Carolina in 2016.

However, even a cursory look at the materials surrounding this “Russian meddling” reveals that Coleman’s site was scooped up by a domain squatter who sells erectile dysfunction pills online, and there is no reason to believe that there was any political motive to the changes to Coleman’s old campaign site.

LindaForNC.com

What can comparing older, archived versions of Linda Coleman’s campaign site with the current, hijacked version tell us about how the site was rebuilt to resemble its older form?

Linda Coleman’s election site before 2017 was for her bid to become Lieutenant Governor of North Carolina, which she lost to Republican Dan Forest. By accessing the Internet Archive’s Wayback Machine (you can find more information on how to find, retrieve, and save archived materials in our guide here), we can view a timeline of the site “LindaForNC.com.” In November 2016, the site had no irregularities:

LindaForNC.com in November 2016 (archive)

However, in January 2017, a few things changed. For one, the font and general appearance of the text are different, with some text alternating between bold and regular fonts. Additionally, in the hijacked version of the site, the Facebook and Twitter share buttons are gone, the “Issues” segment has been removed, the image showing Coleman’s signature was replaced with ‘Linda Coleman’ in a large font, and, most importantly, a short phrase in French was added: Acheter cialis pas cher en pharmacie (“Buy cheap cialis at pharmacy”) with “cialis pas cher” hyperlinked to the site dimque.com (more on this site will be detailed later in this article). This phrase in French is written like a shopping list (“Buy tomatoes at supermarket, Buy shoes at mall, Buy cheap Cialis at pharmacy…”), but is still grammatically sound.

In the screenshot below, the key addition is highlighted.

LindaForNC.com in January 2018 (archive)

To this day, LindaForNC.com appears as it does in the screenshot above.

By looking at the code on the hijacked version of the site, it’s evident how the site was rebuilt to mimic the older version: it pulled from the Internet Archive’s Wayback Machine. The opening lines of code in the LindaForNC.com site are from this service, with an identical comment (on line 12 on the hijacked site, line 14 in the archived version) referencing the Wayback Machine.

The fact that the current LindaForNC.com does not have the “Issues” segment on the bottom of the page tells us that the page’s hijacker used an earlier version of the site before this was added (e.g. the July 2016 copy of the site does not have “Issues”). The person who hijacked LindaForNC.com did not painstakingly rebuild the old site to make it appear authentic–he or she just copied the Internet Archive Wayback Machine’s older snapshot of the site and added one line of text advertising a site that sells erectile dysfunction (ED) pills, including Cialis and Viagra.
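The two checks described above, written as an added Python example (not code from the original article): look for Wayback Machine residue in a page's source, then compare the hosts linked from an archived snapshot with those linked from the live copy to surface what was added. The marker patterns are ones commonly seen in pages served by the Wayback Machine, and the sample HTML and snapshot timestamp are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Residue commonly left in HTML saved from the Wayback Machine.
WAYBACK_MARKERS = {
    "wayback_comment": re.compile(r"<!--[^>]*wayback[^>]*-->", re.I),
    "archive_host": re.compile(r"web\.archive\.org", re.I),
    "rewritten_url": re.compile(r"/web/\d{14}(?:[a-z]{2}_)?/https?://", re.I),
}
# Prefix the Wayback Machine puts in front of every archived link.
WAYBACK_PREFIX = re.compile(
    r"^(?:https?://web\.archive\.org)?/web/\d{14}(?:[a-z]{2}_)?/", re.I)

class LinkCollector(HTMLParser):
    """Collects the host of every <a href> after undoing Wayback rewriting."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = WAYBACK_PREFIX.sub("", dict(attrs).get("href") or "")
        host = (urlparse(href).hostname or "").lower()
        if host:
            self.hosts.add(host[4:] if host.startswith("www.") else host)

def wayback_markers(html):
    """Names of the Wayback residue patterns present in the page source."""
    return [name for name, rx in WAYBACK_MARKERS.items() if rx.search(html)]

def link_hosts(html):
    collector = LinkCollector()
    collector.feed(html)
    return collector.hosts

def added_hosts(archived_html, live_html, own_host):
    """External hosts linked from the live page but not from the snapshot."""
    return link_hosts(live_html) - link_hosts(archived_html) - {own_host}

# Constructed sample pages (not the real site source; timestamp is made up).
ARCHIVED = """<head><!-- End Wayback Rewrite JS Include --></head>
<a href="/web/20160712000000/http://www.lindafornc.com/about">About</a>"""
LIVE = """<head><!-- End Wayback Rewrite JS Include --></head>
<a href="http://www.lindafornc.com/about">About</a>
Acheter <a href="http://dimque.com/">cialis pas cher</a> en pharmacie"""

if __name__ == "__main__":
    print(wayback_markers(LIVE))
    print(added_hosts(ARCHIVED, LIVE, "lindafornc.com"))
```

A live page that still carries a Wayback comment while being served from its own domain is a strong hint that it was restored from an archive copy rather than from the owner's original files.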

Dimque

As is clear from the Cialis advertisement added to Linda Coleman’s “revamped” campaign site, the site hijacker is interested in selling ED pills online. The hyperlink added to LindaForNC.com leads to a French-language site (dimque.com) selling three types of ED pills–Viagra, Cialis, and Levitra. The site’s WHOIS information is masked. It should be noted that the header for the site in Google search results is the same text that was added to LindaForNC.com, with the word “generique” (generic) added: Acheter cialis generique pas cher en pharmacie.

Linda Coleman’s old campaign site is not the first American website to be hijacked to include a discreet advertisement for Dimque.com, though it is unclear if this was done to game search engine optimization algorithms or to trick people into clicking the hyperlink. A site created by the West Virginia Department of Education to detail educational standards contains a link to Dimque towards the bottom of the site.

Another inactive site was somehow hijacked to add a Dimque advertisement: ArtworkDownUnder.com, which sells Australian art.

How these sites were hijacked or had their domains swiped is not immediately clear, but we can see that there is no political content in any of these sites, and definitely no reason to suspect that Dimque.com has anything to do with the Petersburg Troll Factory or Russian active measures–unless the Kremlin has taken a sudden interest in gaming SEO algorithms to sell ED pills on a shady French site.

Who is Ivan Gusev?

The hijacking of an old, inactive campaign website would never generate national headlines if it weren’t for one twist: the WHOIS information for the hijacked LindaForNC.com points to “Ivan Gusev,” apparently living at Myasnitskaya 15 in Moscow.

This large Moscow building is home to a number of shops and offices, along with up-scale apartments. A real estate agent with the same last name — Petr Gusev — publicly listed an apartment at this same address, but it is unclear if this is just a coincidence or if there is a connection with “Ivan Gusev”.

Rather than the address and relatively common name, it is more useful to track down “Ivan Gusev” using the email address listed with the domain registration: gusev.ivanovich@yahoo.com. Searching this address reveals other sites that have been registered to this address. Notably, both the address and phone number in this listing (+7.4296379812 and Pushkina 5 in Moscow) differ from the information in the LindaForNC WHOIS information.

There is no Pushkina 5 in Moscow. This street name is quite common in Russia, and using it is the equivalent of assuming there is a Main Street or Lincoln Avenue in a major American city — “Gusev” likely put in this address at random. Also, the postal index code of 120000 and telephone code “429” do not exist in Russia, with the Moscow codes instead being 495, 498, and 499. In short, “Ivan Gusev” sloppily aped registration information for these two sites, though the postal and telephone codes given during registration for LindaForNC.com are correct for Moscow.

The other two sites registered with the same email address as LindaForNC.com either do not work (grandportfolio.com) or use a generic WordPress blog (herbanutrition.com) with no political content.

While “Ivan Gusev” has registered a few generic sites with no political content, his true passion is clear with a bit more searching: selling erectile dysfunction pills. The Italian site “MedicoCompetente.it” has a message board with a user named “Gusev Ivanovich” using the same email address as in the LindaForNC.com WHOIS registration. The “Provincia” and “Professione” chosen by Gusev are the default options during site registration.

The site given in the “Gusev” profile is clearly another ED pill vendor, but this time in Italian, rather than French.

The U.K. phone number listed on top of the site leads us to another ED pill website–this time in Spanish, and an alternate American phone number on the site is used by a shady online pharmacy site. Nowhere do these sites lead to any Russian site or individual, outside of “Ivan Gusev.”

Conclusion

Ten minutes of basic research into the “Russian meddling” of Linda Coleman’s inactive electoral campaign site reveals that there is no political or international plot to undermine American democracy. Instead, it is painfully obvious that a shady Viagra peddler domain squatted and then copy/pasted a saved copy of the Internet Archive’s version of LindaForNC.com, with the addition of a link to a French online pharmacy site. While it is understandable that “Russian meddling in NC elections?” is a far catchier headline than “NC Election Site Hijacked by Cialis Salesmen,” the fact that a number of regional (Raleigh’s News & Observer) and international (Associated Press, The Week) news outlets uncritically reported how a “Russian” scooped up the Congressional candidate’s domain without carrying out extremely basic digital research and verification reveals a fundamental issue with the low threshold of verification in reporting on “Russian meddling” in American media.

Aric Toler

Aric Toler has written with Bellingcat since 2015 and currently leads the Eurasia/Eastern Europe team. Along with his research into topics in the former Soviet Union, he organizes and leads Bellingcat's Russian-language workshops for journalists and researchers. He graduated with an MA in Slavic Languages & Literatures from the University of Kansas in 2013, focusing on Russian literature and intellectual history. After graduation, he worked for two years as an intelligence specialist in the private sector. If you have any questions, or have a story idea related to eastern Europe or Eurasia, you can contact him at arictoler@bellingcat.com.


One Comment

  1. Mad Dog

    Major problem with this kind of stuff is not enough investigation is done and then when the mistake is found out, the cries of Fake News multiply. One would expect better from major news outlets.
