The Siren botnet managed to generate over 30 million user clicks until its fake social media accounts and shortened URLs were removed by Twitter and Google.
The Siren botnet managed to generate over 30 million user clicks until its fake social media accounts and shortened URLs were removed by Twitter and Google.

A social media botnet that spammed Twitter accounts with links to pornographic content sent out more than 8.5 million posts from 90,000 unique accounts before it was neutralized, according to a new report.

The botnet, dubbed Siren (as in the seductive mythical creatures who lured sailors to their doom), generated one of the largest malicious campaigns ever recorded on a social network, according to social media security firm ZeroFOX, whose team uncovered the botnet. What's more, ZeroFOX has linked this social media campaign to an email spam botnet operation that was reported on earlier this year by security researcher and blogger Brian Krebs.

In a blog post published this week, ZeroFOX provided detailed analysis of the Siren operation, which elicited over 30 million user clicks from February to June/July 2017, earning the spammers payouts via affiliate marketing campaigns that promote subscription pornography, webcam and fake dating websites. ZeroFOX noted that while these sites are not illegal, they are generally scams and tend to misuse subscribers' personally identifiable information, causing them to be bombarded with even more spam.

ZeroFOX began probing the botnet earlier this year when several of its clients reported receiving similar unwanted Twitter spam messages featuring a woman's name and photo, a sexually explicit phrase, and a call to action designed to get the recipient to click on a link leading to even more explicit content.

"The accounts either engage directly with a target by quoting one of their tweets or attracting targets to the payload visible on their profile bio or pinned tweet," the blog post stated. 

Philip Tully, principal data scientist at ZeroFOX, told SC Media in an interview that the spam volume became especially heavy starting in April. "It started to get to point where on any given day, you would have 400, 500 thousand of these links being distributed within the course of a few hours," said Tully. "It wasn't your run-of-the-mill operation... This was some form of automation. There's no way a human or group of humans could distribute those [messages] in that time period."

According to Tully, over 80 of the fake Twitter accounts were found to be newly created, while somewhere between 15 to 20 percent appeared to be older – up to seven years older. "This could indicate the fact that these accounts were hijacked" from legitimate users, Tully said. Or, these accounts could have been deliberately aged to stand a better chance of bypassing Twitter's filters as well as to seem more trustworthy to other Twitter users, he added.

The botnet utilized URL shorteners provided by Twitter and Google, sending users who clicked on its links through various redirects in order to shield the destination of these links from anti-spam services. ZeroFOX contacted both Twitter and Google, which reportedly incapacitated the botnet by removing the offending accounts and shortened links.

ZeroFox further reported that the Siren campaign beared the hallmarks of Eastern European actors, noting the fake Twitter messages' broken English and occasional use of Cyrillic text, and the fact that this region is known to have infrastructure that is capable of hosting such proficient spam campaigns.

But there is an American connection as well: some of the websites that the botnet directed users to are part of a network of sites linked to a California-based company called Deniro Marketing. In his own June 2017 blog post, Brian Krebs reported that a large email-based spam botnet campaign was also sending recipients to porn and dating websites linked to this very same company.

"Although the Twitter botnet discovered by ZeroFOX has since been dismantled, it not hard to see how this same approach could be very effective at spreading malware," Krebs wrote in a follow-up blog post that addressed the Siren campaign.

According to Krebs, the botnet responsible for the email campaign at one point in October 2016 had recruited more than 1.2 million machines or servers to actively serve out spam.