Introduction

Twitter is a nice place that differs from any other social network. What people say there has more impact on trust than in most other places (like Facebook). People take what others say seriously, and even more so if that account has a pretty big number of followers.

Any Twitter user is tempted to follow people who have a lot of followers. There is a little more trust in accounts with many followers than in those that have only a few. This happens here, on other networks, and even in real life. Of course it differs from person to person, but the average Twitter user behaves this way. When you start using it, you tend to check how many people are following you, so you might convince yourself to keep using it. This is why I started to look at the profile of almost every new follower, and at some point it gave me a surprise. One of my followers was a user whose profile had tons of Tweets like this:

I like this song: “youtube link here”

Not only a couple but hundreds of them! That was the first time I saw a bot on Twitter. I reported the user as spam, blocked it and moved on. This experience has repeated itself about once a month. It was OK, nothing new, just keep blocking and moving on.

But then I saw a different one. The latest Tweet of this account was like a giant “I’m spamming” poster, but the rest looked like a lot of human phrases that were cleverly repeated. Before doing the normal report, I saw a disturbing Tweet. It was a phishing attack. That phishing account gave me a lot of anger, because it was going to be (and certainly had been) read by real people who could be fooled by a damn bot! It was the straw that broke the camel’s back.

A normal report and a blocked account weren’t going to help anybody. The account may get closed but others would appear instead and keep fooling people. So this is where my research began.

Research

I started to search for patterns. Why was this account opened and what was the work-flow used here? It was pretty clear for the phishing account but not for the spam-only accounts.

Finding more spam accounts was not so difficult. The number of Retweets was too high for the poor content that the Tweets were giving. A click on “RETWEETS” was enough to find a horde of spam accounts. There were two kinds of accounts:

  • Worms, the ones with content (Tweets with phrases and spam links) and
  • Birds, the ones that only follow the former and never Tweet or Retweet

I decided to call one type “Worms” and the other “Birds” just to make them easy to reference in the following paragraphs.

Worms

Worms are used to Tweet phrases and Retweet Tweets that contain the link to the final spam site.

Another characteristic is that all of them have an avatar (I’ll talk about it later) and some of them a bio (information that users enter to describe themselves).

These personalized accounts are also used to follow real people’s accounts. Some of these real accounts belong to stupid people who actually pay to gain followers.

Most Worms have a randomly generated Twitter ID with underscores (_) and a real name selected from a word dictionary as the actual name, e.g. Elisha @_sharply_ or Jennie @L3_lucky_.

Birds

Birds, on the other hand, are used just to lend credibility to the Worm accounts, so that a real user who sees those Tweets is more confident about clicking on them.

These accounts have only the two properties necessary for any Twitter account to exist: the default avatar that any new Twitter account has (fingerprint with a random color) and a randomly generated fake name.

I’ll leave the Birds behind and talk only about Worms next.

Avatars

Not the ones from the movie but the main picture of a Twitter account.

Every Twitter profile has a main picture so that everyone can be told apart and recognized. Spam accounts are no exception, but they make use of real people’s pictures. That is sad but it happens 100% of the time on Twitter. Photos that are proven to be “nice”, like beautiful girls that some dude will just “click on”, are the most used (yeah, ugh!).

After a fairly extensive search for the spam accounts’ avatars using “Search by image” from Google Images, interesting results showed up. The avatars were commonly repeated among spam accounts on Twitter. But the search also brings useful information about the source of each picture. Most of these pictures were coming from the following sites:

  • weheartit.com
  • tumblr.com
  • pinterest.com

NOTE: it is in reverse alphabetical order to annoy a bit :D

I’m not saying (not even implicitly) that these sites are only nice spam tools, nor am I judging their spam and privacy policies. But they definitely are nice tools for creating spam accounts.

Spam tools

Why are the previously mentioned sites nice spam tools? Well, they give an interesting attribute to pictures, something which can be used to rank them. In fact, they have “scores”. The more people like a picture, the higher its score. Scores are named differently across the sites. For instance, weheartit calls them “hearts”, tumblr “likes” and pinterest “pins”.

It’s very important to note that the three sites provide useful search tools. A quick search for “beauty girls” on any of these sites will bring up several pictures of girls that most people may consider beautiful, not to mention the set of filters that you may apply (popularity, categories and more).

That is why they are indeed nice spam tools. The above sites enable a machine to get the “best pictures” (the ones with the most favorites, likes or whatever name they use).

Evidence

Spam accounts have similar alerting numbers:

  • Between 100 and 300 Tweets and
  • A ratio of approx. 4 to 5 between following and followers, e.g. 6000 following; 7500 followers

It is easy to spot them when you see the number of followers that they gain in a short period of time:

[Image: followers list escalated quickly]

As you can see in the previous image, no human can start following 150 people in a day.
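The Worm and Bird traits and the numbers above can be turned into a simple triage heuristic for reviewing followers. This is an added example, not code from the original post: the `Account` record, the ratio tolerance, the leading/trailing underscore pattern and the two-flag rule are assumptions, and the sample accounts are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class Account:                      # constructed record, not a Twitter API object
    handle: str
    tweets: int
    following: int
    followers: int
    default_avatar: bool
    new_follows_last_day: int = 0

TWEET_RANGE = (100, 300)            # article: between 100 and 300 Tweets
TARGET_RATIO = 4 / 5                # article: e.g. 6000 following; 7500 followers
RATIO_TOLERANCE = 0.1               # assumption: how far from 4:5 still counts
BURST_FOLLOWS = 150                 # article: no human follows 150 people in a day
EDGE_UNDERSCORE = re.compile(r"^_|_$")  # assumption: mirrors @_sharply_, @L3_lucky_

def signals(a: Account) -> list[str]:
    """Return the article's red flags that this account exhibits."""
    found = []
    if a.default_avatar and a.tweets == 0 and a.following > 0:
        found.append("bird:default-avatar-never-tweets")
    if not a.default_avatar:
        if TWEET_RANGE[0] <= a.tweets <= TWEET_RANGE[1]:
            found.append("worm:tweet-count")
        if a.followers and abs(a.following / a.followers - TARGET_RATIO) <= RATIO_TOLERANCE:
            found.append("worm:follow-ratio")
        if EDGE_UNDERSCORE.search(a.handle):
            found.append("worm:underscore-handle")
    if a.new_follows_last_day >= BURST_FOLLOWS:
        found.append("burst:follows-per-day")
    return found

def classify(a: Account) -> str:
    found = signals(a)
    if any(s.startswith("bird:") for s in found):
        return "bird"
    # Assumption: one flag alone is too weak; require two before calling it a Worm.
    hits = sum(s.startswith(("worm:", "burst:")) for s in found)
    return "worm" if hits >= 2 else "unclear"

SAMPLES = [  # constructed accounts, not real handles
    Account("_sample_worm_", 180, 6000, 7500, False, 150),
    Account("xkqjwz81", 0, 40, 2, True),
    Account("real_person", 2500, 300, 280, False),
]

if __name__ == "__main__":
    for acct in SAMPLES:
        print(acct.handle, classify(acct), signals(acct))
```

A result of "unclear" only means none of these particular flags fired; the heuristic is a prompt for a manual look at the profile, not a verdict.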

Here is an example of how ridiculously an account can increase its numbers in a matter of seconds by wasting money on Facebook:

[Image: Facebook account for MTV News]

This is the website given on a link from a Twitter spam account:

[Image: website diet-news.us]

The following picture shows a spam account being used to promote site content:

[Image: Facebook widget in an external website showing that a spam account liked it]

Do you want to know the actual Twitter account? Here you go: https://twitter.com/sharply

Here is another spam account and its Avatar source links:

  • Twitter account: https://twitter.com/L3lucky
  • Avatar in weheartit: https://weheartit.com/entry/74923151
  • Avatar in pinterest: https://www.pinterest.com/pin/482025966338609191/
  • Avatar in a tumblr powered site: http://tatt0osandpiercings.tumblr.com/post/59576082561
  • Avatar around the web: http://www.avant-garb.co.uk/engine/plog-content/thumbs/female-megas/face/small/5864-29aug-76.gif

You can check that the avatar in the Twitter account is exactly the same picture found on the other sites. Horrible.

I feel deeply sad about the real people behind the pictures, who are actually the most affected.

Hope

Since the beginning of my research, a bunch of Twitter spam accounts have been closed.

And for that I would like to thank the Twitter users who press the “report” button, which has extraordinary consequences, and the Twitter team, who take quick action. I hope to make the Internet a better place :-)

Here is a list of accounts that, at the time of writing, were disabled:

  • https://twitter.com/_g3t__ride__
  • https://twitter.com/_x3beside
  • https://twitter.com/coughdeep
  • https://twitter.com/_rise
  • https://twitter.com/_paternaIistic
  • https://twitter.com/texture_l0l
  • https://twitter.com/_cIutched
  • https://twitter.com/_suIIies
  • https://twitter.com/FlTNESS
  • https://twitter.com/PIayboyMag
  • https://twitter.com/DrOzFitness
  • https://twitter.com/ReaIMTVNews
  • https://twitter.com/BreakingNewsUN
  • https://twitter.com/ReallyTMZ

Lessons

For Twitter users:

Do NOT pay for followers! If you do so, you are not only damaging your reputation but also ruining the whole ecosystem. If you think that a number in the “followers” box is the key, you’re doing it wrong. Interaction with real people is the key and there is no way you can buy it. At least at the moment no bot can interact with humans like humans do.

For Web developers:

Please, do not be the next weheartit or pinterest. Provide useful and easy-to-use tools to users while protecting their privacy and reducing bots’ efficiency. If users are your company’s value, at least pretend that you care about them!

For everybody:

Please, think twice before publishing photos of yourself with a public online scope! By doing so, you should be aware that there are awful people who could use them for advertising all sorts of stuff.

A way to prevent this is limiting the audience to only your well-known contacts. If the site that you’re using does not allow this, you may consider no longer using it.

Thanks

Follow me @delucioux - not gonna pay for it ;)