Twitter accounts created to spread spam, malware are easy to create and sell

A handful of researchers have published a study (PDF) exploring the seedy, underground world of Twitter spam.

The study was conducted over a 10-month period, during which time the researchers from University of California, Berkeley, and George Mason University – Chris Grier, Damon McCoy, Vern Paxson and Kurt Thomas, with help from others – made biweekly purchases from 27 sellers of Twitter accounts.

By the end of the study, the researchers had purchased more than 120,000 “dummy” Twitter accounts for just under $5,000. In addition, they reported their findings to Twitter, which suspended more than 95 percent of the suspect accounts, including the ones under the researchers' control.

“The thing I found a little shocking is that these sellers were responsible for between 10 and 20 percent of spam accounts,” McCoy, who helped present the findings this week at the USENIX Security Symposium in Washington, D.C., told

The market is fairly above ground too, according to McCoy, so the researchers were able to discover sellers through simple Google searches. When asked, the merchants were able to provide thousands of accounts within 24 hours, with accounts priced anywhere from two to ten cents each.

The fraudsters were able to acquire many accounts in a relatively short period of time, largely through automated processes that circumvent Twitter's authentication features, McCoy said. This includes programs that solve CAPTCHAs and verify Twitter accounts with email addresses.

Twitter flags it as suspicious when too many accounts are created from a single IP address, and McCoy said the sellers likely rented IP addresses as proxies, which allow them to evade network blacklisting.

Twitter accounts are easier to create and require users to jump through fewer hoops than those for other similar services, such as Google. The going rate for a bundle of a thousand Twitter accounts is about $20, McCoy said, while a package of a thousand Gmail accounts sells in the hundreds of dollars.

To help put a damper on spam account creation, the researchers offered suggestions to Twitter, such as requiring reauthorization via email and verification via phone.

Twitter, and many other social media organizations, traditionally detect spam accounts by analyzing users' behavior. Spammers typically have a high distribution of posts, include URLs in their posts and have phony-looking profiles. Twitter recently integrated a 'report abuse' feature, partly to battle spammers.

The purpose for users obtaining these accounts is typically malicious in nature, McCoy said, explaining the accounts are used predominately to distribute scams, malware and phishing attacks.

Twitter did not respond to an inquiry from, and although he could not speak on its behalf, McCoy said Twitter “wants to reduce the level of spam and give users a better experience. They were great at collaborating with us. Internally, they're making use of [our] data to find fraudulent accounts.”

McCoy could not comment specifically on the legality of creating Twitter accounts meant for malicious purposes, but said that selling them appears to be only a minor infraction per Twitter's terms of service, and that many sellers remain in this business.

“I think where they would run afoul is where they get their IP addresses,” McCoy said, adding that that would have nothing to do with Twitter.
