Don’t @ Me: Hunting Twitter Bots at Scale by Duo Security’s Jordan Wright and Olabode Anise is 46 pages of intense fine-tooth combing of data related to the phenomenon of Twitter bots. “Social networks allow people to connect with one another, share ideas, and have healthy conversations. Recently, automated Twitter accounts, or ‘bots,’ have been making headlines for their effectiveness at spreading spam and malware, as well as influencing this online discussion,” the authors began.
In the three months leading up to presenting their findings at Black Hat USA 2018, the researchers “identified botnets, including a spam-spreading botnet case study,” Mr. Wright and Mr. Anise explain, though they “specifically looked for automated accounts, not necessarily malicious automated accounts.”
Their key findings, published open source, came after they “gathered a dataset of 88 million public Twitter profiles consisting of standard account information represented in the Twitter API, such as screen name, tweet count, followers/following counts, avatar and description. As API limits allow, this dataset was enriched with both the tweets posted by accounts, as well as with targeted social network information (follower/following) information. Practical data science techniques can be applied to create a classifier that is effective at finding automated Twitter accounts, also known as ‘bots.’”
Duo Security is based in Ann Arbor, Michigan, and announced just this month that it is being acquired by Cisco. Cisco is interested in the firm’s zero-trust authentication solution as a way to buttress its own network and cloud security offerings. The deal is worth well over $2 billion and is expected to close in late October of this year.
Case Study of At Least 15,000 Bots Spreading a Cryptocurrency Scam
“By monitoring the botnet over time,” the researchers continued, “we discover ways the bots evolve to evade detection. Our cryptobot scam case study demonstrates that, after finding initial bots using the tools and techniques described in this paper, a thread can be followed that can result in the discovery and unraveling of an entire botnet. For this botnet, we use targeted social network analysis to reveal a unique three-tiered hierarchical structure.”
Furthermore, the paper “provides an in-depth description of the entire process for finding Twitter bots, from gathering the data to performing the analysis.” Many Duo Labs employees “use Twitter as a way to connect to the infosec industry. We were familiar with automated Twitter accounts, and had read previous academic papers covering both techniques on building a dataset of Twitter accounts as well as using various techniques to identify automated accounts from a previously shared dataset.”
For its part, “Twitter announced that they are taking more proactive action against both automated spam and malicious content by identifying and challenging ‘more than 9.9 million potentially spammy or automated accounts per week.’ In a follow-up blog post, Twitter also described their plans to remove accounts that had been previously locked due to suspicious activity from follower counts,” the researchers noted.
The team doesn’t consider the problem solved, however. “We’re excited to see these efforts by Twitter and are hopeful that these increased investments will be effective in combating spam and malicious content,” they say. Still, their case study “demonstrates that organized botnets are still active and can be discovered with relatively straightforward analysis. By open-sourcing the tools and techniques developed during this research, [they] hope to enable researchers to continue building on [their] work, creating new techniques to identify and flag malicious bots, and helping to keep Twitter and other social networks a place for healthy online discussion and community.”