In the social Internet, building a legion of interconnected bots -- all accessible from a single computer -- is quicker and easier than ever before.

James C. Foster, Founder & CEO, ZeroFOX

July 7, 2015

5 Min Read

The Internet economy is a fascinating development of our time -- whatever you’re looking for, there’s sure to be an e-commerce marketplace gushing with buyers and sellers. The Internet has done to markets what social networks have done to global interactions: created an open, democratized venue with outrageously low barriers to entry. If you have an Internet connection, like nearly half of the earth’s population, you can purchase a ShamWow, pay someone to stand in line for you, download Adobe Photoshop, or even buy a social botnet.

Anatomy of a social botnet
Cyber criminals use social media botnets to disseminate malicious links, collect intelligence on high profile targets, and spread influence. As opposed to traditional botnets, each social bot represents an automated social account rather than an infected computer. This means building a legion of interconnected bots is much quicker and easier than ever before, all accessible from a single computer.

The person commanding the botnet, also known as a bot herder, generally has two options for building their botnet. The first is fairly ad hoc, simply registering as many accounts as possible to a program that allows the herder to post via the accounts as if they were logged in. The second approach is to create the botnet via a registered network application: the attacker makes a phony app, links a legion of accounts, and changes the setting to allow the app to post on behalf of the associated accounts. Via the app, the herder then has programmatic access to the full army of profiles. This is essentially how ISIS built their Dawn of Glad Tidings application, which acts as a centralized hub that posts en masse on behalf of all its users.

Types of social botnet attacks
With the rise of social media, a social botnet can be used to amplify the scope of an attack or automate the dissemination of malicious links. A few types of common attacks include:

Hashtag hijacking. Hashtag hijacking involves leveraging a hashtag to target a certain organization or group. By appropriating organization-specific hashtags, bots distribute spam or malicious links that subsequently appear in organization’s circles and news feeds, effectively focusing the attack on that group.
Trend-jacking/watering hole. Trend-jacking is similar to hashtag hijacking in that bots use the hashtags to direct their attack. Attackers pick the top trends of the day to disseminate the attack to as broad an audience as possible. In doing so, the attacker makes a “social watering hole” around the trend by planting the payload where the potential victims are interacting; think of a crocodile at the edge of a watering hole, letting the prey come to him.
Spray and pray. Spray and pray involves posting as many links as possible, expecting to get only a click or two on each. These bots will often still intersperse odd or programmatically generated text-based posts, simply to fly under the social network’s Terms of Service radar. This tactic often leverages clickbait and is coupled with one of the above strategies.
Retweet storm. Most social networks have an eye peeled for malicious activity. One clear indicator of malicious botnet activity is a post that is instantly reposted or retweeted by thousands of other bot accounts. The original posting account is generally flagged and banned, but the reposts and retweets remain. The parent account, known as the martyr bot, sacrifices itself to spread the attack.
Click/Like Farming. Bots are ideal for inflating followers: a seedy marketing strategy designed to make a page or conversation look more popular.

Monetizing a social botnet
Malicious botnets exist on a spectrum of maliciousness but at their core, all have one of a handful of motivations. On the more benign end of the spectrum is shady marketing. Botnets are leveraged to increase followers or disseminate links and ads. Paying a bot herder to repost or favorite an ad on social media can go a long way in reaching the target audience.

Most botnets fall between the middle and top of the maliciousness spectrum. In the middle of the spectrum are the spam bots: fairly benign from a cyberattack standpoint but still a massive organizational risk if they hijack a company hashtag or target employees and customers. These bots post links to fake Viagra websites, pornography, or too-good-to-be true diet pills, which can do serious damage to brand reputation if they go unchecked.

On the outright malicious top-end of the spectrum are phishing and malware bot campaigns. Bot herders leverage botnets to distribute these links across social media. The lucrative part of the attack involves selling the phished information or the myriad of ways malware is leveraged to extort money, be it data theft, ransomware, blackmail, or banking Trojans.

Unlike traditional botnets, social botnets are not as readily leveraged in DDoS attacks. Bots can repost content, but can’t make requests on an IP address. However, social botnets are leveraged as Command & Control devices to coordinate DDoS attacks by re-posting instructions, including attack date/time, port numbers, domains, and target IPs.

Welcome to the botnet store
In cybercriminal marketplaces and hacker hubs, one of the most traded and highest selling goods are the credentials for a social botnet. Not only do bot herders outright sell their social botnets, but they also rent their botnets. People will pay herders to access their botnets for a discrete amount of time or to control a certain number of bots. Consider a bot herder like the landlord of a massive apartment complex. The highest bidder gets access for a specified amount of time before the herder changes tenants.

An ancient Roman writer, Publilius Syrus, described the foundation of economics succinctly: “Everything is worth what the buyer will pay for it.” For the buyer, social botnets provide a tangible, lucrative value. For the bot herders, building and maintaining their botnets is a full time business.

Luckily for the herders, business is booming.

About the Author(s)

James C. Foster

Founder & CEO, ZeroFOX

James C. Foster is an industry veteran and a world-renowned thought leader on cybersecurity. He's published over a dozen books, holds patents, has spoken on Capitol Hill about the increase in international cyber threats, and is a recognized keynote speaker. In 2006, Foster founded the cybersecurity firm, Ciphent, which was acquired by Accuvant. Additionally, Foster has worked with several other high-growth cybersecurity organizations such as Booz Allen and Hamilton and Computer Sciences Corporation, and executing on exit strategies for Foundstone (acquired by McAfee for $86M), Guardent (acquired by Verisign $135M), and Information Security Magazine (acquired by Tech Target Media for an unpublicized amount). Foster started his career as a civilian in the United States Navy in Annapolis, Maryland. In 2005, Foster became a Fellow from the Wharton School of Business at the University of Pennsylvania and received his Bachelor of Science in Software Engineering from Capitol College.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights