Botnets Have Infiltrated The Twitterverse

Uploaded on 2017-02-07 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, TECHNOLOGY-Key Areas-Social Media

The rise of the Twitter bot has plagued the online world in recent years. These are Twitter accounts that are automated and require little or no human intervention. Many are entirely legitimate, publishing headlines and links to news stories.

But others are malicious. These Twitter bots produce spam, provide fake followers for anybody willing to pay, and can manipulate debates and public opinion in insidious ways that are hard to track and prevent. The effects of large swarms of Twitter bots, so-called botnets, are largely unknown.

That’s why Twitter has an ongoing program to detect and remove malicious bots. But as soon as a new technique becomes available to identify these accounts, bot-masters modify and upgrade their charges to avoid detection.

The truth is that nobody knows how many Twitter bots are out there or how big the botnets have become.

Except now, thanks to the work of Juan Echeverria and Shi Zhou at University College London. These cybersecurity experts have stumbled across a Twitter botnet consisting of more than 350,000 automated accounts, a network of almost unimaginable proportions, that has existed undetected since 2013. They call this network the “Star Wars botnet” and say that its longevity raises serious questions about the potential impact of botnets and the way they are tracked and monitored.

Echeverria and Zhou discovered this botnet almost by accident. Interested in finding automated accounts, the researchers began by downloading details of six million English-speaking Twitter accounts that they randomly selected. That’s about 1 percent of the total number of Twitter accounts.

Twitter allows the most recent 3,200 tweets to be downloaded along with any geo-tags attached to the tweets. This allowed Echeverria and Zhou to map the locations of all these tweets. That’s when they noticed something strange.

For the most part, the geographical distribution of tweets matches the global population distribution. In other words, tweets are more common in densely populated areas like cities. But the researchers also noticed a significant number of tweets, some 23,000 of them, that were geo-located in uninhabited regions close to Europe and the US, such as in deserts and in oceans.

When plotted on a map, these locations were bounded by sharp edges and corners that formed two rectangles, one around the US and the other around Europe. “We conjectured that the map shows two overlapping distributions,” say Echeverria and Zhou. They thought that one set of tweets must be from real users and so coincided with the population distribution.

But the other must have been created by Twitter bots randomly choosing locations in the two rectangles. The goal, thought Echeverria and Zhou, was to convince other Twitter users that the tweets were created in the two continents where Twitter is most popular.

A simple assessment of the 3,000 accounts that created these tweets showed they had much in common. These accounts had never published more than 11 tweets, they never had more than 10 followers and less than 31 friends. They were all produced by Twitter for Windows phones.

But reading the tweets, Echeverria and Zhou realized that they all contained random quotations from Star Wars novels with hashtags inserted at random.  A typical tweet is: “Luke’s answer was to put on an extra burst of speed. There were only ten meters #separating them now.”

At this point, Echeverria and Zhou conjectured that they had stumbled across a single botnet, presumably controlled by a single bot-master. This botnet was obviously large since 3,000 bots had appeared in a random search. And that raised an obvious question: just how big was this botnet?

To find out, the researchers trained a machine-learning algorithm to recognize Star Wars bots and set it loose on a much larger database of 14 million English-speaking Twitter users.

The results were a shock. The machine-learning algorithm, with the help of some manual filtering, found some 350,000 accounts that had the same characteristics. These accounts had never tweeted more than 11 times, had fewer than 31 friends and were all produced by Twitter for Windows Phone.

What’s more, this entire botnet was created in just a few days in June and July 2013. At the time, it produced 150,000 tweets a day.

Then it stopped. “When the creation of new Star Wars bots stopped on 14 July 2013, all the bots suddenly fell silent and remained so ever since,” say Echeverria and Zhou.

But the accounts have not been closed down or deleted. They could all tweet at a moment’s notice, should the bot-master so decide. Echeverria and Zhou say the bots have avoided detection because they were deliberately designed to keep a low profile. “It seems the Star Wars bots were deliberately designed to circumvent many of the heuristics underlying previous bot detection methods,” say Echeverria and Zhou.

The bots do this by tweeting quotes from novels to avoid machine-generated language, which can be easily detected. They never tweet urls or mention other Twitter users. And they have tweeted only a few times each to avoid detection for over or under use.

So what might these fake Twitter accounts be for? Although the accounts have been silent for some time, this makes them valuable since they are less likely now to be labeled as fake. For this reason, pre-aged bots have significant value on the black market.

Echeverria and Zhou say that about 15,000 of the Star Wars bots have followers from outside the botnet. “The only plausible explanation is that these bots have already been sold as fake followers,” they conclude. So whoever owns this botnet is already cashing in.

But it is possible that the entire botnet could be for sale. “What if someone offers a good price for purchasing the control of the whole botnet?” ask Echeverria and Zhou.

Clearly, the discovery of this giant botnet raises important questions about the extent to which the Twitter-verse has been infiltrated by bots that can influence the dynamics of conversations, opinions, and even elections. The work leaves open the crucial question of who set up this botnet and why.

And the story doesn’t end there. For anyone who thinks this is as big as secret Twitter botnets are likely to get, Echeverria and Zhou have bad news. “We have recently discovered another botnet with more than 500k bots, which will be reported shortly,” they say.

Technology Review:            The Global War of Narratives and the Role of Social Media:     

You Should Not Trust The Media:
 

« Lloyds Bank Cyber Attack
Cyber Security Protection For Business »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Cyber Security Experts Association of Nigeria (CSEAN)

Cyber Security Experts Association of Nigeria (CSEAN)

Cyber Security Experts Association of Nigeria (CSEAN) is a not for profit group of professionals in the field of Information Security in Nigeria and Diaspora.

Kroll

Kroll

Kroll provides clients a way to build, protect and maximize value through our differentiated financial and risk advisory and intelligence.

AppSec Labs

AppSec Labs

AppSec Labs specialise in application security. Our mission is to raise awareness in the software development world to the importance of integrating software security across the development lifecycle.

CSI

CSI

CSI is a Managed Service Provider (MSP) delivering Hybrid Multi-Cloud, Data Protection, and Cyber Security solutions to highly regulated industries.

Trusted Knight

Trusted Knight

Trusted Knight is a leading provider of security software solutions focused on defeating newly developed malware and crimeware trojans.

Innovative Solutions (IS)

Innovative Solutions (IS)

Innovative Solutions is a specialized professional services company delivering Information Security products and solutions for Saudi Arabia and the Gulf region.

ITonlinelearning

ITonlinelearning

ITonlinelearning specialises in providing professional certification courses to help aspiring and seasoned IT professionals develop their careers.

Newtech Recycyling

Newtech Recycyling

Newtech Recycyling specializes in the removal and disposal of IT infrastructure which has reached the end of its life cycle.

Adlumin

Adlumin

Adlumin Inc. provides the enterprise-grade security operations platform and managed detection and response services that keep mid-market organizations secure.

Envieta

Envieta

Envieta is a leader in cryptographic solutions. From server to sensor, we design and implement powerful security into new or existing infrastructure.

Airnow Cybersecurity

Airnow Cybersecurity

Airnow Cybersecurity provide digital cybersecurity services and solutions for organizations and app publishers.

Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC)

Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC)

MTS-ISAC promotes and facilitates maritime cybersecurity information sharing, awareness, training, and collaboration efforts between private and public sector stakeholders.

Softwerx

Softwerx

Softwerx is the UK’s leading Microsoft cloud security practice. We’ve been helping forward-thinking companies better secure their businesses for nearly twenty years.

Brightsolid

Brightsolid

Brightsolid are experts in Hybrid Cloud. We design, build and manage secure, scalable cloud environments that meet customers’ business ambitions.

EtherAuthority

EtherAuthority

EtherAuthority's engineering team has been helping blockchain businesses to secure their smart contract based assets since 2018.

O'Reilly Media

O'Reilly Media

O’Reilly’s help professionals learn best practices and discover emerging trends that will shape the future of the tech industry.