After a US-based digital security company alerted Twitter about a massive botnet campaign promising online sex to its users, the micro-blogging website has removed nearly 90,000 such fake accounts.
Dubbed as ‘SIREN’, the fake botnet campaign was discovered by ZeroFOX, a Baltimore-based security firm specialising in social-media threat detection.
“To our knowledge, the botnet is one of the largest malicious campaigns ever recorded on a social network,” ZeroFOX wrote in a blog post.
ZeroFOX’s computer vision and natural language processing algorithms identified over 8,500,000 tweets from close to 90,000 accounts related to the ‘SIREN’ campaign.
“‘SIREN’ has been incredibly successful, netting over 30,000,000 clicks from its victims. This data can be gleaned because the botnet uses trackable, Google shortened URLs,” ZeroFOX added.
ZeroFOX last week reported the findings to both the Twitter and Google security teams, who promptly removed the offending accounts and links, comprehensively remediating the ‘SIREN’ botnet.
All of the nearly 90,000 accounts had a suggestive photo of a woman as a profile picture and a female name as the display name.
The accounts either engaged directly with a target by quoting one of their tweets or attracting targets to the payload visible on their profile bio or pinned tweet.
The tweets themselves generally contained canned, sexually-explicit text, often in broken English, compelling the target to click, such as “you want to meet with me?” or “Push, don’t be shy” [sic].
Once a link is clicked, the user is issued a series of redirects.
The final redirect websites encouraged the user to sign up for subscription pornography, webcam or fake dating websites.
“These types of websites, although legal, are known to be scams. Many of the websites’ policies claim that the site owners operate most of the profiles,” the blog post said.
A large percentage of the bots were female names with nude or semi-nude pictures.
In terms of the ‘SIREN’ actors themselves, a large chunk of the Twitter accounts’ self-declared user languages were Russian.
“The poor English, Cyrillic text and sheer magnitude of the infrastructure is indicative that ‘SIREN’ is a group or actor that is technically proficient and probably located in the Eastern Block of Europe,” ZeroFOX said.
The botnet is named after the mythical Greek Sirens, who seduced wayward sailors with their singing and lured them to their doom.