Lisbon, May 24, 2026 (Lusa) – Lusa has detected a network comprising nearly 2,200 misleading websites targeting Portugal and over 90 other countries, primarily in Africa, impersonating governments, companies, and organisations such as the WHO (World Health Organisation) and UNICEF (United Nations International Children's Emergency Fund).
In total, 2,197 addresses were found and analysed, of which 790 were inactive: around 430 due to technical errors and over 360 because they had been removed.
The misleading websites were created by at least 68 profiles on Blogger, a Google platform for creating and publishing blogs and web pages, and by five accounts on GitHub, a Microsoft source code hosting platform, but whose fake pages include source code related to Blogger.
Of the 68 profiles identified on Blogger, 55 were active and public, some since 2016; five were active but private; and eight appear to have been deleted by the platform, though archived records were found.
According to data collected and archived by Lusa over several weeks, the network mainly uses fake job offers (around 480 pages), mobile data offers (over 300), and alleged subsidies or other financial support (around 140 pages).
Fake pages on other topics were also identified, such as scholarships, answers to school exams, visa applications, offers for computers and mobile phones, and adult content, usually shared via Facebook, Meta’s social network service, and WhatsApp, Meta’s instant messaging app.
Among the content identified are also fake petitions attributed to Change.org, an online platform for public petitions, mainly concerning Nigerian politics and the conflict in Palestine.
Some of these pages claimed that Bola Tinubu, the president of Nigeria and winner of the 2023 elections, would be arrested once the petition reached 500,000 signatures, allowing Peter Obi, the candidate who came third, to become President.
Another, aimed at Kenya, called for an end to bad governance and for the mobilisation of young people.
One of the websites analysed posed as a data-correction portal for the National Identity Management Commission (NIMC), the body responsible for Nigeria’s national identification system, promising to correct details such as name, address, telephone number, gender, and date of birth.
After entering this personal information, the page indicated that the request had been received and that to be approved, the user would have to share the link with five groups or 15 friends on WhatsApp.
At the end of the registration process, which Lusa tested on dozens of pages, virtually all of them were redirected to online shops, websites purportedly for installing a web browser, subscriptions to paid services with telecoms operators, or other suspicious and potentially malicious destinations, some of which antivirus software blocked.
Most of the fake pages detected targeted African countries, with Nigeria having the most registrations, at around 170, followed by South Africa, with nearly 70, but there were also cases in Asia, South America and Europe.
Among Portuguese-speaking countries, Angola has around 20 records, Mozambique 14, Guinea-Bissau six and Portugal three.
The pages pose as public bodies, international organisations, companies and public figures.
The network also used the names of well-known figures, such as the Nigerian singer ‘Davido’ and the businessman Obi Cubana, and references to electoral commissions in 27 countries, including Portugal’s National Electoral Commission, a topic Lusa examined in a fact-check.
Not all content containing references to Portugal was intended for a Portuguese audience.
The investigation found pages using the names of Portuguese companies, such as Ferpinta and Mota-Engil, in fake recruitment schemes targeting Angola.
Analysis of the network and dozens of pages points to an apparent phishing scheme, the collection or theft of personal data through fake pages, or another fraudulent scheme to generate revenue through advertising.
At Lusa’s request, the National Cybersecurity Centre (CNCS) analysed a preliminary survey Lusa carried out, and concluded that the pages display cross-cutting technical patterns pointing to a shared infrastructure across several fraudulent websites.
Despite the danger of phishing, exacerbated by the use of redirect links that can be used for various fraudulent purposes, the CNCS’s analysis concluded that the personal data entered into the forms available on the pages does not appear to be sent to fraudsters.
According to the report submitted, which focused on Portugal’s Commission’s webpages, the scheme involves collecting personal data without transmitting it to the operator, viral sharing through WhatsApp, and redirecting users to advertising pages, all while using the image of official bodies to bolster credibility.
The evidence gathered points to an operation primarily aimed at viral propagation, traffic generation and potential advertising monetisation, generated through a social engineering campaign with victim-assisted propagation, the CNCS noted.
The report also noted the reuse of code blocks across various pages, similarities in structure and obfuscation, elements that point to a common technical foundation.
For the CNCS, the case is consistent with a coordinated or semi-structured campaign.
Lusa found contacts associated with some of the profiles analysed, one of which bore the real identity of a young Nigerian man, to whom it sent requests for clarification through email and WhatsApp, but has not yet received a response.
A response was also sought from Google, the owner of Blogger, to whom the full list of identified profiles was sent, including those set to private but with information accessible through archive services such as the digital archive Wayback Machine. However, no replies have been received, nor have the profiles been removed.
This investigation, published on Sunday in partnership with Portugal’s state broadcaster, RTP’s programme 'O segredo do Algoritmo' (The Secret of the Algorithm), has resulted in a database that will be made available to international fact-checking organisations to enable further investigations. LYGA/MYAL // ADB.
Lusa
