Suspicious likes lead to researcher lighting up a 22,000-strong botnet on Twitter

Botnets are fascinating to me. Who creates them? What are they for? And why doesn’t someone delete them? The answers are probably less interesting than I hope, but in the meantime I like to cheer when large populations of bots are exposed. That’s what security outfit F-Secure’s Andy Patel did this week after having his curiosity piqued by a handful of strange likes on Twitter .

Curious about the origin of this little cluster of random likes, which he just happened to see roll in one after another, he noticed that the accounts in question all looked… pretty fake. Cute girl avatar, weird truncated bio (“Waiting you”; “You love it harshly”), and a shortened URL which, on inspection, led to “adult dating” sites.

So it was a couple bots designed to lure users to scammy sites. Simple enough. But after seeing that there were a few more of the same type of bot among the followers and likes of these accounts, Patel decided to go a little further down the rabbit hole.

He made a script to scan through the sketchy accounts and find ones with similarly suspicious traits. It did so for a couple days, and… behold!

This fabulous visualization shows the 22,000 accounts the script had scraped when Patel stopped it. Each of those little dots is an account, and they exhibit an interesting pattern. Here’s a close-up:

As you can see, they’re organized in a sort of hierarchical fashion, a hub-and-spoke design where they all follow one central node, which is itself connected to other central nodes.

I picked a few at random to check and they all turned out to be exactly as expected. Racy profile pic, random retweets, a couple strange original ones, and the obligatory come-hither bio link (“Do you like it gently? Come in! šŸ’ššŸ’ššŸ’š”). Warning, they’re NSFW.

Patel continued his analysis and found that far from being some botnet-come-lately, some of these accounts ā€” and by some I mean thousands and thousands! ā€” are years old. A handful are about to hit a decade!

The most likely explanation is a slowly growing botnet owned and operated by a single entity that, in aggregate, drives enough traffic to justify itself ā€” yet doesn’t attract enough attention to get rolled up.

But on that account I’m troubled. Why is it that a single savvy security guy can uncover a giant botnet with, essentially, the work of an afternoon, but Twitter has failed to detect it for going on ten years? Considering how obvious bot spam like this is, and how easily a tool or script can be made that walks the connections and finds near-identical spurious accounts, one wonders how hard Twitter can actually be looking.

That said, I don’t want to be ungenerous. It’s a hard problem, and the company is also dealing with the thousands and thousands (maybe millions) that get created every day. And technically bots aren’t against the terms of service, although at some point they probably tip over into nuisance territory. I suppose we should be happy that the problem isn’t any worse than it is.