Mass Migration of Users to Parler Prompts Concerns Over Security and Disinformation

Mass Migration of Users to Parler Prompts Concerns Over Security and Disinformation

November 19, 2020 • Charity Wright

During the weekend after Election Day in the United States, over 4 million social media users pivoted to conservative social platforms such as Parler, MeWe, Rumble, and Gab, citing concerns over censorship on “big tech” social media platforms. When President Trump accused several battleground states and Joe Biden’s campaign of “stealing” the election through alleged voter fraud, Trump’s supporters immediately took to social media to push the narrative “Stop The Steal” through millions of hashtags, posts, and groups. One Facebook group titled “Stop The Steal” had over 350,000 members before it was shut down for violating Facebook’s community standards for dangerous and violent rhetoric. In a statement to AP News, Facebook stated, “The group was organized around the delegitimization of the election process, and we saw worrying calls for violence from some members of the group.”

The Parler Phenomenon

Millions of users registered for accounts on Parler, a self-proclaimed free speech social media which has been adopted by American conservatives as an alternative to mainstream social media platforms. This mass migration and registration of users on the platform presents concerns over security and functionality, however. In early 2020, there were fewer than 2 million registered users, most of whom were inactive. In June 2020, millions more flocked to Parler after being directed to the platform by President Trump’s campaign manager Brad Parscales and other famous conservative pundits. Last week, prompted by outrage at censorship of baseless statements related to election fraud, conservatives migrated to alternative platforms in a mass exodus from what they believe is a left-leaning or liberal-owned mainstream media. Parler’s usership increased by 4 million over a few days, and the mobile app topped the Apple app store charts.

SFX File Loading Process

Figure 1: Parler web application view (Source: Parler)

Last week, the sudden influx of registrations and logins resulted in an increase in two-factor authentication (2FA) verification activity, as well as posting activity which caused mass disruption to both the Parler web application and mobile application. Users were unable to access their accounts due to the 2FA function being down. Parler’s website showed statements from internal customer support employees explaining that the sudden increase in traffic and activity resulted in “one thing after another breaking”, specifically citing that their auto-scaler crashed, resulting in 15 servers going down simultaneously.

‘Facebook for Nazis’

With a very small team of employees, and lack of infrastructure to support the new influx of users, Parler may be facing some serious security concerns and could be vulnerable to destructive attacks and espionage operations. On November 16, Recorded Future’s Insikt Group discovered that the URL “facebookfornazis[.]com” is actively redirecting to the official Parler website,

SFX File Loading Process

Figure 2: Results for redirect information from (Source:

The domain “facebookfornazis[.]com” is registered to an anonymous source through Domains by Proxy, and is hosted on Cloudflare infrastructure, further anonymizing who may have created this domain in what appears to be an effort to troll the Parler company and user base. The website is hosted by GoDaddy, but immediately redirects users to the Parler official website.

SFX File Loading Process

Figure 3: WHOIS record for facebookfornazis[.]com (Source: WHOIS)

A look at the underlying HTML of the “facebookfornazis” website reveals a message “YOU ARE A NAZI” in the title block of the website, as seen below:

SFX File Loading Process

Figure 4: “YOU ARE A NAZI” in the title block of the html code for facebookfornazis[.]com (Source:

Insikt Group reached out to Parler to disclose the finding, assuming that they did not create the redirect themselves. These types of DNS redirect attacks are common among low-level criminals who want to troll or dox a company or an individual. A redirect does not indicate that the target domain has been taken over by a threat actor.

In October 2020, Reuters and Graphika reported that Russian state-sponsored threat groups were conducting influence operations undercover in Parler and another platform called Gab, to target American conservatives with fake news and anti-Biden messaging. Now, with millions more conservatives registered on the platform, foreign adversaries and cybercriminals are likely to target user data such as phone numbers, names, email addresses, as well as user behavior and trends, especially while the young company is vulnerable to technical issues and outages.

Disinformation as a Disruptor

Governments and technologies around the world are struggling to control the spread of misinformation and disinformation on popular social media platforms, messenger platforms, and message boards. Disinformation, or fake news, is a tactic used to change the way people think, believe, and behave in society and how they interact with their governments. In 2016, Russia conducted a large-scale influence campaign to sow division, dissent, and discord among Americans leading up the presidential election. In the years leading up to the 2020 election, security professionals, research scientists, and government agencies have developed technologies to detect and stop the spread of false information throughout the internet in an effort to protect the electoral process and American democracy. Additionally, tremendous effort has been put into educating the public about these threats, who is conducting influence operations, and why they are trying to interfere with the U.S. election process.

Domestic Influence Operations

During the week of the election, President Trump’s social media accounts were flagged dozens of times for disputed and misleading information related to mail-in ballots, election fraud, and the results of the election.

SFX File Loading Process

Figure 5: President Trump’s Facebook account flagged for disputed information with links to contextual information (Source: Facebook)

One of the most prominent concerns about disinformation is the rate at which it spreads and who is amplifying the false information. In the past, foreign adversaries had to create the false narratives and propagate them among the target population. Russia, China, Iran, and other nations have all participated in disinformation campaigns targeting Americans over the past four years. This year, however, there has been a significant shift in tactics. The majority of false narratives are being created by U.S. citizens and politicians on alt-right and alt-left forums, and have been amplified from those sources. Foreign nations had minimal participation in this year’s election influence operations, except for instances of sharing the narratives and amplifying the false messages that were propagated within the United States.

Security Versus Censorship

In an attempt to maintain accountability for information integrity in their platforms, Facebook, Instagram, TikTok, and other large social media companies have established community guidelines and policies to fight the spread of false information within their platforms and maintain the integrity of free information. On Facebook and Instagram, disputed and false information is marked with a banner that identifies it as such. Clicking on “See Why” will open the supporting statements and evidence from trusted sources and independent fact-checkers to explain why it is marked as false information.

SFX File Loading Process

Figure 6: Instagram and Facebook false information banner.

Large social media platforms have well-established security teams to protect users from various threats including cybercrime, fraud, human trafficking, and disinformation campaigns. Smaller, fringe social media platforms are less likely to have the full information security operations that larger companies have, which may make their users more vulnerable to theft of personal information.

Although many users are switching to Parler with the belief that the platform has higher standards for privacy and security, Parler’s privacy policy states that they do collect information including name, email address, phone number, login credentials, Social Security numbers (for “Influencers”), posts, photos, videos, GIFs, comments, votes, and echoes. All of this information is claimed to be property of Parler once the user registers and shares this information. Additionally, Parler collects geolocation information, device information (IP address, device type, web browser type, operating system version, phone carrier and manufacturer, user agents, application installations, device identifiers, mobile advertising identifiers, and push notification tokens), user behavior (accounts followed, responses, times and dates of activity), and user history through cookies, pixels, and “third-party” data in the platform. Parler also discloses in its privacy policy that they share user information with third-party vendors, service providers, and have the right to “transfer” user data to any “service providers, advisors, potential transactional partners, or other third parties” as it relates to business deals. Essentially, as it states at the end of the policy document, Parler “makes no guarantees as to the security or privacy of your information.”


Recorded Future recommends a proactive approach to personal and organizational information security. Social media users should consider the privacy policies, user agreements, and community guidelines of free social media platforms they intend to use. Understanding the risk associated with personal information, how it will be used, and if it will be sold is vital. Additionally, weaknesses in security protocol, sharing of spam or phishing, doxxing, spread of disinformation and misinformation or other such attacks on social platforms should be reported to the company immediately. If the company refuses or is incapable of removing such threats, users should be wary of further participation and information sharing. Caution should be used when registering with personal information, especially Social Security numbers and mobile device geolocation, which could lead to identity theft and criminal targeting.

New call-to-action

Related Posts

Unemployment Fraud in the Criminal Underground

Unemployment Fraud in the Criminal Underground

January 14, 2021 • Insikt Group®

hbsptctaload(252628, '9b462390-28a9-431a-bc18-5130d670f5ef', {}); to download the complete...

Bulletproof Hosting Services Essential for Criminal Underground Security and Anonymity

Bulletproof Hosting Services Essential for Criminal Underground Security and Anonymity

January 12, 2021 • Insikt Group®

hbsptctaload(252628, '4ab5f87a-8992-42bc-a2b6-e0ab078541ef', {}); to download the complete...

Adversary Infrastructure Report 2020: A Defender’s View

Adversary Infrastructure Report 2020: A Defender’s View

January 7, 2021 • Insikt Group®

Click here to download the complete analysis as a PDF Recorded Future’s Insikt Group®...