A research team at Duo Security examined 88 million Twitter accounts from May until July and uncovered a huge botnet that mimics legitimate Twitter accounts and spreads a “cryptocurrency giveaway” scam.
The team used machine learning to identify bots on the social media platform and found a single network composed of over 15,000 bots organized in a three-tiered structure. The network spread the fake giveaway and, more importantly, evolved over time to avoid detection.
The team described the botnet’s methods in a paper presented at the 2018 Black Hat cybersecurity event on Wednesday.
- The botnet creates a fake account, usually a copycat of a genuine crypto-related account: the name and profile picture copy the original
- The bots reply to tweets posted by the legitimate account holder; each reply contains a link that entices readers to the scam
- The bots employ “amplification bots” (other fake accounts used to generate “likes”) in order to “artificially inflate the tweet’s popularity [and] make the cryptocurrency scam appear legitimate.”
The Duo Security paper states: “[Searching for connected bots] resulted in a 3 tiered botnet structure consisting of the scam publishing bots, the hub accounts (if any) the bots were following, and the amplification bots that like each created tweet. The mapping shows that the amplification bots like tweets from both clusters, binding them together.”
Fortunately, the Duo team’s discovery enabled them to connect the bots in a way “that can result in the unraveling of the entire botnet.”
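The unraveling described above can be sketched as a walk over like and follow edges, starting from a few known scam-publishing bots. This is an added example, not code from the Duo paper or its tooling: the account names, sample edges and thresholds (`min_ratio`, `min_likers`, `min_followers`) are constructed assumptions, and the heuristic is a simple stand-in for the paper's analysis.

```python
from collections import defaultdict

# Constructed sample data (not from the Duo paper).
LIKES = [  # (liker, author of the liked tweet)
    ("amp1", "scamA1"), ("amp1", "scamA2"), ("amp1", "scamB1"),
    ("amp2", "scamA1"), ("amp2", "scamA2"), ("amp2", "scamB1"), ("amp2", "scamB2"),
    ("amp3", "scamB1"), ("amp3", "scamB2"),
    ("alice", "scamA1"), ("alice", "news"), ("alice", "bob"), ("alice", "carol"),
    ("bob", "news"),
]
FOLLOWS = [  # (follower, followed)
    ("scamA1", "hubA"), ("scamA2", "hubA"), ("scamB1", "hubB"), ("scamB2", "hubB"),
    ("scamA1", "news"), ("alice", "news"),
]

def unravel(seeds, likes, follows, min_ratio=0.5, min_likers=2, min_followers=2):
    """Expand known scam bots into (scam bots, hub accounts, amplification bots)."""
    liked_by, likes_of = defaultdict(set), defaultdict(list)
    for liker, author in likes:
        liked_by[author].add(liker)
        likes_of[liker].append(author)
    scam, amps = set(seeds), set()
    changed = True
    while changed:  # iterate until no tier grows any further
        changed = False
        # Amplification tier: accounts whose likes go mostly to known scam bots.
        for liker, authors in likes_of.items():
            ratio = sum(a in scam for a in authors) / len(authors)
            if liker not in scam | amps and ratio >= min_ratio:
                amps.add(liker)
                changed = True
        # Publishing tier: accounts liked by several amplification bots.
        for author, likers in liked_by.items():
            if author not in scam | amps and len(likers & amps) >= min_likers:
                scam.add(author)
                changed = True
    # Hub tier: accounts followed by several scam-publishing bots.
    followers = defaultdict(set)
    for follower, followed in follows:
        if follower in scam:
            followers[followed].add(follower)
    hubs = {h for h, f in followers.items()
            if len(f) >= min_followers and h not in scam | amps}
    return scam, hubs, amps

if __name__ == "__main__":
    for tier, accounts in zip(("scam", "hub", "amplification"),
                              unravel({"scamA1", "scamA2"}, LIKES, FOLLOWS)):
        print(tier, sorted(accounts))
```

Seeding with only cluster A still surfaces cluster B, because the shared amplification accounts like tweets from both; the ratio threshold keeps `alice`, who liked a single scam tweet among ordinary ones, out of the amplification tier.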
Despite Twitter’s efforts to cut down on fake accounts and halt scams (including cryptocurrency scams), the team concludes in its paper that botnets not only continue to be active on Twitter, but that bots and botnets can be discovered by “straightforward analysis.”
“We don’t consider the problem solved,” the researchers said, and outlined plans to open-source the techniques described in the research paper. Open-sourcing could aid in the development of ways to quickly identify fake accounts and malicious bots, to “keep Twitter and other social networks a place for healthy online discussion and community.”