Goals of Cyber Actors 01

Allan: Yeah, I’m… confused about that.
“Barbie”, 2023
Barbie Hoax in the News
On August 1, 2023, a group called the Barbie Liberation Organization posted a hoax article and a pair of YouTube videos suggesting that Mattel would move to a compostable alternative to plastic for its dolls. As part of this, they used a copycat website spoofing the Mattel corporate website. This gained traction in several news outlets until Mattel came out to say this was a hoax. Daryl Hannah filmed one of the videos and posted it on her Instagram.
For those interested in following the news story, see these links from Outside magazine, the New York Times, Business Insider, and Washington Times. Read on to get a glimpse into hactivism, the tools the group used in this hoax, and what clues were available to help you tell this was a satire.
Hactivism (or Hacktivism)
Cyber actors who use hacking techniques to achieve political or social change goals are considered hacktivists. Just like there is a range of ethics among hackers, hacktivists can use their skills in beneficial ways like setting up censorship-resistant peer-to-peer communications (FreeNet), be deceptive like this Barbie hoax, or be truly malicious and destructive.
I personally like the look of the word without the “k”, but this blog software seems to prefer using the k in the word.
How Copycat Websites Fool Us
Parts of a URL – Mattel Edition
The address of a webpage, its URL, can easily get into a mindless drone of gobbledygook and symbols. Cyber actors can play on that to offer up website names (domains) that LOOK like they should be legitimate, but really are not. The press release website that the hoax group used follows this tactic.
Here’s a comparison of the fake site (above) and Mattel’s real news page (below) with a list explaining the parts under it. They look very similar, but the fake site is a completely different domain – labelled 3 with a rectangle around it and arrows.
The important thing to know is between the first // and the next /, the only punctuation that matters is the period. “Mattel-corporate dot com” is completely different from “mattel dot com”.

- The Protocol – Usually http and https (secure), the protocol starts a URL and includes a colon and two slashes (://) to divide it from the rest of the URL. This tells your browser how to interpret the code it finds on the landing page.
- Subdomains – Many sites won’t have subdomains. Some like Mattel do (see below). These are usually different web applications or different sections of an organization. These are separated by periods.
- The domain – This is the last “blah dot blah” before the next slash. There could also be a two-character country code, but we in the U.S. won’t see them unless it’s pointing to another country (.co.uk)
- The path – Just like folders in your mailbox or documents, a website can have multiple pages within it. The path works for webpages in the same way.
- End of the path – For this example, I wanted to point out that the cyber actors styled the last part of the path the same way that the true Mattel webpage does, using dashes. Fun fact, URLs hate spaces. If you ever see a URL with a bunch of “%20” phrases, the person who named that webpage used spaces.
Subdomains – Mattel Edition
Here’s a diagram that hopefully shows subdomains better. Mattel has its main public website (www.mattel.com), a shopping site (shop.mattel.com), and its business-to-business website (corporate.mattel.com). Mattel chose to separate these as “subdomains”, all routed through the main “mattel.com”.
For the hoax, the BLO created its lookalike based on the real corporate “press release” site.
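To make the URL parts and subdomain sections above concrete, here is an added example (not part of the original post) that splits a URL into the listed parts and checks whether its domain is really mattel.com. The function names, the URL paths, the example.net and example.co.uk hosts, and the short country-code suffix set are assumptions made for illustration; a production check would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, covering a few
# "country code" endings such as .co.uk that add a third label to the domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the last 'blah dot blah' of a host name (plus country code if any)."""
    labels = host.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return labels[0]
    keep = 2
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        keep = 3
    return ".".join(labels[-keep:])


def url_parts(url):
    """Split a full URL into protocol, subdomain, domain and path."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    domain = registrable_domain(host)
    # Whatever sits to the left of the domain is the subdomain.
    sub = host[: -len(domain)].rstrip(".") if domain and host != domain else ""
    return {"protocol": parts.scheme, "subdomain": sub,
            "domain": domain, "path": parts.path}


def is_official(url, official="mattel.com"):
    """True only when the URL's domain is exactly the expected one."""
    return url_parts(url)["domain"] == official


if __name__ == "__main__":
    # Constructed URLs: the host names come from the article, the paths do not.
    samples = [
        "https://corporate.mattel.com/news/example-press-release",
        "https://shop.mattel.com/",
        "https://mattel-corporate.com/news/example-press-release",
        "https://mattel.com.example.net/news",  # brand name used as a subdomain
    ]
    for url in samples:
        verdict = "official" if is_official(url) else "NOT mattel.com"
        print(f"{verdict:15} {url_parts(url)}")
```

The dash in “mattel-corporate” stays inside a single label, so the domain compared is mattel-corporate.com, while a brand name that appears to the left of the domain is only a subdomain of whoever owns that domain.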

You Said There Were Clues
Yes! This all goes to looking at the sources.
First is the spoof website’s domain name. Domain names cost money to retain. The registrar companies base their rates on how much traffic goes through, if other people ask if the site’s available, and so on. Plus, there are dozens of “top level domains” – the .com, .org, .edu, .gov, .net of old are now joined with .blog, .shop, .xyz — all sorts of things. Not to mention countries like Montenegro (.me), Libya (.ly), and Tonga (.to) farming out their domain name registries because their two-letter code happens to match common English words or suffixes.

While a company may buy up common, similar, or cheap domain names to prevent someone else from using the name, they’re likely not going to buy a whole bunch of them. And anything mashing their brand name with other words is right out. Thus, it’s highly suspect that Mattel would have bought “mattel dash corporate dot com”. We can check! Here is the report from the ICANN WHOIS register, which is great for testing most .com domains.
- The creation date was July 21, 2023 – 11 days before the posting. Definitely makes this suspicious.
- The name servers are in different countries: Norway, India, Faroe Islands (Denmark). Not exactly the countries you think of for Mattel.
- (Not shown) – You could then look up mattel.com’s WHOIS info. The real Mattel has its contact info public and is through MarkMonitor. The hoax site is private and through Tucows. (The BLO is through GoDaddy, so +10 points for using a different service than “home.”)
Often, the registrant info is hidden for privacy, particularly in new registrations. If one doesn’t have a PO Box set up, then having a home address showing is a bit too transparent. This one listed a city of Charlestown, KN, which I had to look up – the federation of Saint Kitts and Nevis within the Leeward Islands in the West Indies. Again, not the obvious choice for a US-based corporation.
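The WHOIS clues above can be checked mechanically. This added example (not from the original post) parses a WHOIS-style record and reports the same three signals: a very recent creation date, an unexpected registrar, and an unexpected registrant country. The record text is constructed from the details in this article, and the function names and the 30-day threshold are assumptions.

```python
import re
from datetime import date, datetime

# Constructed record: only the date, registrar name, city and country code
# come from the article; the layout imitates typical "Key: value" WHOIS output.
SAMPLE_WHOIS = """\
Domain Name: MATTEL-CORPORATE.COM
Creation Date: 2023-07-21T00:00:00Z
Registrar: Tucows Domains Inc.
Registrant City: Charlestown
Registrant Country: KN
"""


def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys are kept as lists."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.+)", line)
        if m:
            key = m.group(1).strip().lower()
            record.setdefault(key, []).append(m.group(2).strip())
    return record


def whois_flags(text, seen_on, expected_registrar, expected_country,
                min_age_days=30):
    """Return (age_in_days or None, list of reasons the record looks off)."""
    rec = parse_whois(text)
    flags, age = [], None
    created = rec.get("creation date")
    if not created:
        flags.append("no creation date in record")
    else:
        day = datetime.strptime(created[0][:10], "%Y-%m-%d").date()
        age = (seen_on - day).days
        if age < min_age_days:  # assumption: under 30 days counts as "new"
            flags.append(f"registered only {age} days before first seen")
    registrar = rec.get("registrar", [""])[0]
    if expected_registrar.lower() not in registrar.lower():
        flags.append(f"registrar is '{registrar}', expected {expected_registrar}")
    country = rec.get("registrant country", [""])[0].upper()
    if country != expected_country:
        flags.append(f"registrant country is '{country}', expected {expected_country}")
    return age, flags


if __name__ == "__main__":
    age, flags = whois_flags(SAMPLE_WHOIS, date(2023, 8, 1), "MarkMonitor", "US")
    print("domain age in days:", age)
    for reason in flags:
        print(" -", reason)
```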
The videos also held a clue, or rather, the account that posted them on YouTube. The YouTube account @MyCeliaBarbie was created on July 23, 2023 – two days after the domain was registered and 8 days before they launched the hoax.

