A recently developed methodology for identifying Twitter bot accounts in large quantities turned up a cryptocurrency scam botnet operation found to leverage at least 15,000 bots to submit bogus tweets and likes.
Discovered in late May 2018 by researchers at Duo Security's Duo Labs division, the scam utilizes automated accounts that spoof genuine Twitter accounts and then respond to their actual posts with what looks like legitimate replies. These replies contain a link to a bogus cryptocurrency giveaway page that attempts to trick prospective victims into giving away their money.
Today, Duo Security released a report titled "Don't @ Me," which details the botnet and the tactics the researchers used to uncover it. According to authors Olabode Anise, data scientist, and Jordan Wright, principal R&D engineer, the malicious operation relies on a "three-tiered botnet structure" composed of publishing bots that post the scam replies from spoofed accounts, hub accounts that many of the bots follow, and amplification bots that like the bots' tweets.
According to Duo, the spoof accounts created by the publishing bots look like the real thing because they copy the name and profile picture from the account they are impersonating. However, their screen names appear to be randomly generated. Two examples of companies whose Twitter accounts were spoofed are SONM, a decentralized fog computing platform, and Stakenet, a "proof-of-stake" blockchain for cryptocurrencies.
One example of an automated tweet reply generated by the bots includes a message announcing: "To celebrate 10,000,000$ worth of ETH transactions We are giving back to the community with 10 000 ETH giveaway". The same post then directed readers to send 0.5 to 10 Ethereum coins for "address verification" reasons, promising to send back anywhere from five to 100 ETH in return.
"Enter NOW ! Don't miss it !" said another Twitter reply, hoping to entice victims into action.
The botnet reportedly has developed numerous tricks to evade detection and appear credible, including using Unicode characters instead of ASCII, adding white spaces between words or characters, spoofing celebrity accounts, employing typosquatting-type techniques when creating screen names, and slightly editing profile pictures to thwart image detection.
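The evasion tricks listed above, together with the name-copying described earlier, suggest the normalization a detector needs before it can match on reply text or screen names. The following Python is an added example and is not code from the Duo report or its tools: it folds the Unicode and whitespace tricks out of a reply before keyword matching, flags screen names that are a small edit or a homoglyph away from a legitimate one, and flags profiles that copy a legitimate display name under a different screen name. The sample replies, the "examplecoin" handles and the confusables map are constructed for illustration; a real detector would load the full Unicode confusables table.

```python
import re
import unicodedata

# Constructed sample replies for illustration (not taken from the report).
# The second and third use the evasion tricks described in the report:
# fullwidth Unicode letters instead of ASCII, and spaces between characters.
SAMPLE_REPLIES = [
    "To celebrate 10,000,000$ worth of ETH transactions We are giving back "
    "to the community with 10 000 ETH giveaway",
    "Ｇｉｖｅａｗａｙ: send 0.5 ETH and get 5 ETH back",
    "g i v e a w a y   of   1 0 0 0 0   ETH   Enter NOW !",
    "Great thread, thanks for sharing!",
]

# Hand-picked subset of Cyrillic/Greek letters that render like Latin ones.
# Assumption: a real detector would load the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic с х у і
    "\u0455": "s", "\u0458": "j", "\u0501": "d",                 # Cyrillic ѕ ј ԁ
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                 # Greek ο α ν
}


def normalize(text):
    """Fold the Unicode and whitespace tricks out of a tweet or screen name."""
    # NFKC maps fullwidth and other compatibility forms onto plain ASCII
    text = unicodedata.normalize("NFKC", text).casefold()
    # Replace lookalike letters from other scripts with their Latin twin
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    # Drop all whitespace so "g i v e a w a y" becomes "giveaway"
    return re.sub(r"\s+", "", text)


# An amount followed by the currency, e.g. "0.5eth" or "10000eth", as it
# appears after whitespace removal
ETH_AMOUNT = re.compile(r"\d+(\.\d+)?eth")


def looks_like_giveaway_scam(text):
    """True when a normalized reply promises a giveaway and names an ETH amount."""
    norm = normalize(text)
    return "giveaway" in norm and ETH_AMOUNT.search(norm) is not None


def levenshtein(a, b):
    """Edit distance, used to catch typosquatted screen names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_handle(candidate, legit, max_distance=2):
    """Flag a screen name a few edits (or a homoglyph) away from a real one."""
    c, l = normalize(candidate), normalize(legit)
    return c != l and levenshtein(c, l) <= max_distance


def is_spoofed_profile(account, legit_accounts):
    """Flag an account whose display name copies a legitimate account's but
    whose screen name differs, the spoofing pattern the report describes.
    Each account is a {"name": ..., "screen_name": ...} dict."""
    for legit in legit_accounts:
        same_name = normalize(account["name"]) == normalize(legit["name"])
        if same_name and normalize(account["screen_name"]) != normalize(legit["screen_name"]):
            return True
    return False


if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(looks_like_giveaway_scam(reply), reply)
    # Constructed handles: "examplecoin" stands in for a real project's account
    print(is_lookalike_handle("examp1ecoin", "examplecoin"))
    legit = [{"name": "Example Coin", "screen_name": "examplecoin"}]
    print(is_spoofed_profile({"name": "Example Coin", "screen_name": "xk3j9dq2"}, legit))
```

Normalizing before matching is the point: a keyword list applied to the raw text misses the fullwidth and spaced-out variants entirely, while the same list applied after NFKC folding, confusable replacement and whitespace removal catches all three scam replies and leaves the ordinary one alone.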
In addition to the Twitter accounts they were actually spoofing, many of the Twitter content bots were also observed following the same seemingly random accounts -- accounts the research report refers to as hub accounts. "It's unclear how these hub accounts directly contribute to the botnet operation, other than being a set of centralized accounts many of the bots follow," the report states. "It's possible that these accounts aren't affiliated with the botnet and are randomly chosen accounts which the bots follow in an effort to appear legitimate."
Finally, to make the cryptocurrency scam appear legitimate, the campaign also uses amplification bots whose purpose is to generate large numbers of likes for bot-generated tweets, thereby increasing their apparent popularity.
Duo Labs conducted the research study by first collecting a data set of roughly 88 million Twitter profiles, using information available via the Twitter API -- including screen names, tweet counts, follower/following counts, avatars and descriptions -- as well as actual tweet content posted by these accounts and social network connections. Then the researchers applied "practical data science techniques" in order to "create a classifier that is effective at finding automated twitter accounts," the report explains.
Duo's methodology incorporates 20 unique account characteristics into a machine learning model in order to differentiate a genuine Twitter account from a bot-generated one -- including time between tweets and average hours per day that an account is active.
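Two of the features named above, time between tweets and hours per day that an account is active, can be computed directly from an account's tweet timestamps. The following Python is an added example, not Duo's code: it derives those two features plus a follower/following ratio from a constructed timeline for a round-the-clock bot and one for an ordinary account. The threshold rule at the end is this example's own stand-in for the trained model the report describes; the cutoffs, the feature names and the timelines are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean


def extract_features(tweet_times, follower_count, following_count):
    """Compute a few per-account features of the kind the report's classifier uses.

    tweet_times: datetimes of an account's tweets (any order).
    The dict keys are this example's own names, not the report's."""
    ts = sorted(tweet_times)
    # Seconds between consecutive tweets; a bot posting on a timer shows a
    # tight, regular distribution
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    # Distinct hours of the day with at least one tweet, per calendar day
    hours_by_day = defaultdict(set)
    for t in ts:
        hours_by_day[t.date()].add(t.hour)
    return {
        "mean_seconds_between_tweets": mean(gaps) if gaps else float("inf"),
        "avg_hours_active_per_day": mean(len(h) for h in hours_by_day.values()) if hours_by_day else 0.0,
        "follower_following_ratio": follower_count / max(following_count, 1),
    }


def is_likely_automated(features):
    """Illustrative threshold rule standing in for the trained classifier.
    Assumption: these cutoffs are this example's, not Duo's; the report
    trains a model on 20 features rather than applying fixed thresholds."""
    return (features["avg_hours_active_per_day"] >= 20
            and features["mean_seconds_between_tweets"] < 3600)


# Constructed timelines (not real data): a bot that replies every 20 minutes
# around the clock for two days, and a person who tweets a few times a day.
START = datetime(2018, 5, 20)
BOT_TIMES = [START + timedelta(minutes=20 * i) for i in range(144)]
HUMAN_TIMES = [
    datetime(2018, 5, 20, 8, 15), datetime(2018, 5, 20, 12, 30),
    datetime(2018, 5, 20, 19, 5), datetime(2018, 5, 21, 9, 0),
    datetime(2018, 5, 21, 21, 40),
]


def bot_features():
    return extract_features(BOT_TIMES, follower_count=3, following_count=500)


def human_features():
    return extract_features(HUMAN_TIMES, follower_count=250, following_count=300)


if __name__ == "__main__":
    for label, feats in (("bot", bot_features()), ("human", human_features())):
        print(label, feats, is_likely_automated(feats))
```

The bot timeline yields a mean gap of 1,200 seconds and activity in all 24 hours of each day, while the human timeline yields a mean gap of more than nine hours and activity in about two or three hours per day; features with this much separation are what make a classifier over many accounts practical, though a single threshold like the one here would be easy for an operator to tune around.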
Anise and Wright will present their research this coming Wednesday at the Black Hat conference in Las Vegas, after which time they will make their open-source tools and techniques available on Github for other researchers.