Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/23/2018
04:38 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Battling Bots: How to Find Fake Twitter Followers

Duo researchers explain the approach they used to detect automated Twitter profiles and uncover a botnet.

The discovery of a massive botnet can start with finding a few fake Twitter followers, report Duo researchers investigating the process of identifying and analyzing automated accounts.

Earlier this summer, Duo's Olabode Anise, data scientist, and Jordan Wright, principal research and development engineer, wrapped up a project investigating how they could detect Twitter bot characteristics. The goal was to create a means of differentiating automated and legitimate accounts, and they built a classifier tool to distinguish bots based on a pre-defined set of traits.

Their research dug into one of the largest random datasets of public Twitter accounts to date, they report. As part of their project, Wright and Anise identified three specific types of bots serving different purposes. "Content-generating" bots actively create new content (spam, malicious link), "amplification" bots like and retweet content to boost a tweet's popularity, and "fake followers" are a type of amplification bot intended to inflate users' popularity.

The two today published a new report digging into the latter. Their analysis covers how fake followers operate, how they discovered an initial list of fake followers, and how they leveraged that list to unearth a botnet made up of at least 12,000 Twitter accounts.

"We understand the fake followers are just as important to the social ecosystem," says Anise. "They artificially inflate the ratio of followers to followees."

On one hand, fake followers can be used to harass, or compromise the credibility of, legitimate accounts. On the other, they can boost the popularity of fake accounts, making them appear more credible than they are. The researchers gave a talk at Black Hat USA discussing how a botnet spoofed legitimate accounts to evade detection and spread a cryptocurrency scam.

Spot the Bots

It's tough to tell when a follower is fake, and researchers explain more information is better when analyzing accounts. In general, fake followers are hard to detect on an individual level because they don't show much activity – aside from, of course, following other accounts.

But a lack of activity doesn't mean an account is malicious. Some people create Twitter accounts simply to follow other users and stay current on the news, Anise explains.

So instead of hunting fake followers on an individual basis, the researchers decided to consider their full social networks. Fake followers are typically purchased and used as groups; as a result, they tend to share characteristics because they are developed by the same operator.

But which traits set fake followers apart from real ones? After Anise and Wright wrapped their initial pool of research, the botnet they were watching began to use fake followers to trick people into thinking spoofed Twitter accounts were real. They took a closer look at the followers of a fake Elon Musk Twitter profile and explored their similarities.

"One thing that we saw was, [they were] pretty easy to identify," says Anise of the fake followers. "These bots weren't really trying to hide … if you notice patterns or have a similar account, you can use it to pivot and find other bot accounts."

Timing is one key factor. If a large group of accounts suddenly follows the same profile, for example, there's a higher likelihood they're fraudulent.

Accounts following the fake Elon Musk profile had a proverb or fortune in their profile description – a quick and easy means of bypassing spam detection. Profile completion is an easy way to determine the quality of a bot; if an account has a profile, it appears to be real. However, creating unique profiles is harder than generating random usernames.

With this in mind, the researchers could separate these bots from legitimate followers. Because they were studying the fake accounts as a group, they could observe whether similar accounts had similar behaviors. Once they found a small group of fake followers, they could branch outside that network and look for other fake accounts with similar traits.

How to Crawl for Followers

Anise and Wright uncovered the botnet with a "one-degree crawl" of a single fake follower. They found a fake account and looked at their social network, as well as the social network for each account the fake follower was following. They then applied a script to search the social network for a specific account. The result is a web of fake and legitimate profiles, connecting which fake accounts are following legitimate ones.

While it's a good start, not every bot in a botnet will follow the same people, meaning the researchers may not have caught entire groups of fake followers. To find new ones, Anise explains, they can use a bot found during their initial crawl and search its network for new fake followers. After doing this, they uncovered an additional 1,200 bots.

The two point out that large groups of fake followers have patterns that are easier to recognize; smaller groups, in contrast, may be more subtle. To find smaller groups of fake accounts, the researchers first determined when multiple accounts were created on the same day and consecutively followed a target account.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 4   >   >>
jacksonseo
50%
50%
jacksonseo,
User Rank: Apprentice
5/18/2020 | 3:43:54 AM
jackso seo
Through this post, I realize that your great information in playing with all the pieces was extremely useful. I advise this is the primary spot where I discover issues I've been scanning for. You have a shrewd yet alluring method of composing. 
essaysnassignments
50%
50%
essaysnassignments,
User Rank: Apprentice
5/16/2020 | 7:58:41 PM
Re: sbcglobal email login
This is highly informatics, crisp and clear. I think that everything has been described in systematic manner so that reader could get maximum information and learn many things.

 
lunaseo
50%
50%
lunaseo,
User Rank: Apprentice
5/12/2020 | 9:31:21 AM
sbcglobal email login
Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Any way I'll be subscribing to your feed and I hope you post again soon. Big thanks for the useful info. 
adammitz123
50%
50%
adammitz123,
User Rank: Apprentice
12/16/2019 | 3:18:18 AM
Great Writeup!
Great stuff!

I'm taking a swing at tackling twitter bots myself and this one is a nice read to get you started.

 

-Adam

[email protected]
KenT806
50%
50%
KenT806,
User Rank: Apprentice
12/5/2019 | 10:21:58 AM
Thanks for the Post
There is obviously a lot to know about this. I think you made some good points.  Rent Singapore
KenT806
50%
50%
KenT806,
User Rank: Apprentice
12/4/2019 | 2:39:16 AM
Thanks for the info
KenT806
50%
50%
KenT806,
User Rank: Apprentice
12/3/2019 | 2:28:07 AM
Thanks for Sharing
This is really very nice post you shared, i like the post, thanks for sharing .. Rent Singapore
johnsoneater97
50%
50%
johnsoneater97,
User Rank: Apprentice
11/25/2019 | 12:17:03 AM
Re: Modern Warfare Cheat
https://dqfansurveyyy.xyz/

https://icloudlogin.co/

https://tcswebmail.me/
KenT806
50%
50%
KenT806,
User Rank: Apprentice
11/17/2019 | 3:27:52 AM
Sinda
I am always searching online for articles that can help me. There is obviously a lot to know about this. I think you made some good points in Features also. Keep working, great job!

 
jeenajohn
50%
50%
jeenajohn,
User Rank: Apprentice
11/7/2019 | 5:49:09 AM
Cole
Took me time to understand all of the comments, but I seriously enjoyed the write-up. It proved being really helpful to me and Im positive to all of the commenters right here! Its constantly nice when you can not only be informed, but also entertained! I am certain you had enjoyable writing this write-up.  damen armband silber
Page 1 / 4   >   >>
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13768
PUBLISHED: 2020-06-04
In MiniShare before 1.4.2, there is a stack-based buffer overflow via an HTTP PUT request, which allows an attacker to achieve arbitrary code execution, a similar issue to CVE-2018-19861, CVE-2018-19862, and CVE-2019-17601. NOTE: this product is discontinued.
CVE-2020-13849
PUBLISHED: 2020-06-04
The MQTT protocol 3.1.1 requires a server to set a timeout value of 1.5 times the Keep-Alive value specified by a client, which allows remote attackers to cause a denial of service (loss of the ability to establish new connections), as demonstrated by SlowITe.
CVE-2020-13848
PUBLISHED: 2020-06-04
Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.
CVE-2020-11682
PUBLISHED: 2020-06-04
Castel NextGen DVR v1.0.0 is vulnerable to CSRF in all state-changing request. A __RequestVerificationToken is set by the web interface, and included in requests sent by web interface. However, this token is not verified by the application: the token can be removed from all requests and the request ...
CVE-2020-12847
PUBLISHED: 2020-06-04
Pydio Cells 2.0.4 web application offers an administrative console named “Cells Console� that is available to users with an administrator role. This console provides an administrator user with the possibility of changing several settings, including the applicat...