Elon Musk was right. Twitter is loaded with junk accounts.
When the mercurial billionaire tried to wiggle out of purchasing the social network last summer, he said that Twitter was loaded with spam and bots. Some data indicated that he might have been correct about Twitter’s spam problem. In recent research cited by the AP, 9-15% of Twitter accounts were inauthentic.
Now, new data acquired by Cybersixgill appears to confirm that a significant portion of inauthentic Twitter accounts may have been built with tools and services found on the deep and dark web. And the problem is getting worse.


Account amplification
More followers and activity on any social media platform lead to more engagement. On the underground, Twitter users can purchase bots to inflate their followers and activities, such as likes and replies. This can enable them to churn out spam or to simulate a community. Alternatively, they can simply purchase pre-made accounts that already have followings.
Bots
Twitter bots interact with the platform to perform automated actions at scale. For example, one bot sold on underground forums (figure 1) advertises mass subscriptions, likes, retweets, comments, and tweets, as well as the ability to change the profile’s username, name, and description. In essence, this allows the bot’s user to operate a firehose of activity, spamming however they desire.
Another bot (figure 2), sold for $100, claims to automatically perform follows, likes, and retweets targeting a user or a tweet. The buyer of the bot receives the source code, allowing them to tinker with it as they need.
Follower inflation
Twitter accounts with significant followings are more respected, and their posts have higher rates of engagement. Offering a shortcut to these ends, many services on the underground promise to grow an account’s following.
One tool, for example (figure 3), enables users to add 1,500 followers a day on Twitter (as well as YouTube and Instagram).
Another follower inflation service (figure 4) hosted a giveaway in which the winners would receive 1,000 followers.
However, thousands of followers are not enough for some users. For example, one user (figure 5) wanted to purchase “1 million high-quality twitter followers” and received several responses to this solicitation.
Account purchasing
Instead of growing a large account via purchasing bots and followers, many may buy accounts that have already been cultivated. Buyers of these accounts receive their usernames, passwords, and complete control. (Some actors that participated in a popular forum for selling accounts took a central role in the hack of celebrity Twitter accounts in July 2020.)

One actor (figure 6) posted a handful of accounts for sale at prices ranging from tens to hundreds of dollars. These accounts were largely crypto/NFT-themed, each with thousands to tens of thousands of followers.
In another example (figure 7), an actor sought to sell an account with 45,000 followers for $450.
Account takeover
Even more maliciously, the deep and dark web provides an environment where actors can traffic compromised Twitter accounts and the tools and services necessary to perform account takeovers.
Hacking tools
Those with a DIY approach to hacking can find many combolists--databases with known username-password combinations. Many combolists claim to include hundreds of thousands or even millions (figures 8-10) of Twitter credentials, though these are presumably old or unvalidated.
To validate credentials from a combolist, actors need to use a credential stuffing tool, which is known as a checker. One can find many Twitter checkers shared on underground forums (figures 11-13).
Compromised accounts
Alternatively, those who want to purchase already compromised accounts can buy logs--validated credentials for Twitter. For example, this actor sells Twitter logs (figure 14) alongside those of popular social media and payment platforms.
Many actors seek to buy logs, whose value is connected to the account’s number of followers (figures 15-16).
These accounts could have been compromised in several ways. One is through credential stuffing. Another is through compromised endpoints listed on access markets, which sell access to or data stolen from infected machines. Logs harvested through access markets can also include cookies, as well as system and IP information, allowing actors to evade MFA and other compromise detection mechanisms.

A massive number of Twitter accounts could have been compromised this way: out of the over 2,146,000 compromised machines sold on access markets over the last year, a whopping 435,000 (20.3%) included access to a Twitter account.
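A defender-side sketch of the point above, added here as an example and not taken from the original report: because a stolen log carries a live cookie, a replayed session skips the MFA step, so this check flags cookie use that no longer matches the network or client recorded at the MFA-verified login. The event fields, the /24 comparison, and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Event = namedtuple("Event", "ts session kind ip user_agent")

# Constructed sample events (not real data). kind is "login" (password and MFA
# verified) or "request" (an existing session cookie was presented).
EVENTS = [
    Event(100, "s1", "login",   "198.51.100.10", "Firefox/118 Windows"),
    Event(160, "s1", "request", "198.51.100.23", "Firefox/118 Windows"),  # same /24
    Event(900, "s1", "request", "203.0.113.77",  "Firefox/118 Windows"),  # new network
    Event(200, "s2", "login",   "192.0.2.5",     "Safari/17 macOS"),
    Event(260, "s2", "request", "192.0.2.5",     "Chrome/119 Linux"),     # new client
    Event(300, "s3", "request", "192.0.2.99",    "curl/8"),               # no login on record
]

def network(ip, prefix=24):
    """Network the address belongs to; used as a coarse location binding."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def find_replayed_sessions(events, prefix=24):
    """Return (session, ts, reason) for cookie use that breaks its login binding."""
    bound = {}   # session -> (network, user agent) seen at the MFA-verified login
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login":
            bound[ev.session] = (network(ev.ip, prefix), ev.user_agent)
            continue
        if ev.session not in bound:
            alerts.append((ev.session, ev.ts, "no-login-seen"))
            continue
        net, ua = bound[ev.session]
        reasons = []
        # Stolen logs also carry the victim's system details, so a matching
        # User-Agent proves little; the network is checked independently.
        if ipaddress.ip_address(ev.ip) not in net:
            reasons.append("network-changed")
        if ev.user_agent != ua:
            reasons.append("user-agent-changed")
        if reasons:
            alerts.append((ev.session, ev.ts, "+".join(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in find_replayed_sessions(EVENTS):
        print(alert)
```

A flagged session is a candidate for forced re-authentication rather than proof of compromise, since legitimate users also change networks.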
Hacking services
If an actor wishes to target a specific Twitter account, they can find hacking services on the underground. One actor, for example (figure 17), promises to hack any social media account within 24 hours, with pricing set depending on the account type and the number of followers.
Other actors (figure 18) offer services to get any profile banned.
Scraped databases
Scraping is a popular method of autonomous data extraction and collection in which a threat actor captures and aggregates publicly available data and dumps it into a large, structured, and usable database. It is relatively simple to execute; instead of breaking into a server or database, the threat actor exploits platform vulnerabilities to gather publicly available data.
Scraping is a prevalent threat to social media accounts. For example, in June 2021, an actor posted a database of 10 million LinkedIn accounts on an underground forum. Threat actors can use scraped data for spam, phishing, social engineering, and identity theft.
It is possible to find scraped data of millions of Twitter accounts shared on the underground (figures 19-20).
Furthermore, there are scraping tools available for purchase (figure 21).
Conclusion
Twitter is more than just a platform; it’s an ecosystem. It hosts users who want to share opinions or influence others who seek learning, information, and entertainment.
However, it also hosts many bottom-feeders: grifters, spammers, and those spreading misinformation and hate. The impact of their activities ranges from hurting the user experience to violating Twitter’s terms of service to being outright illegal.
These threat actors will watch all of the changes that Musk and his team introduce to the platform and seek new, creative ways to exploit them. Indeed, the launch of Twitter Blue's $8 verification service immediately led to a fiasco of fake verified accounts that impersonated public figures and even Twitter itself. However, while the attack exploited a new feature, in our understanding its techniques of building large accounts quickly relied heavily on existing toolboxes of account amplification and takeover. Many of these attackers, in fact, could have used tools and services that they found on the underground.
Twitter’s new management must recognize that many of the threats observed on the surface--and others about which they might have been unaware--have bubbled up from the deep and dark web. Only by taking a proactive approach to monitoring this realm can they restore Twitter to the digital town square it strives to be.