Researchers have uncovered a huge botnet that mimics legitimate accounts on Twitter to spread a cryptocurrency "giveaway" scam.
As reported by ITPro, the discovery was made during a research effort by Duo Security that looked at 88 million Twitter accounts from May to July and used machine learning to identify bots, malicious or otherwise, on the social media platform.
The team notably found a single network of over 15,000 bots in a three-tiered structure that spread the fake cryptocurrency giveaway, and further evolved as time passed in order to avoid detection.
The Duo team described how the botnet works in a paper to be presented at the 2018 Black Hat cybersecurity event on Wednesday.
Typically, they write, bots first create a spoofed (or copycat) account for a genuine cryptocurrency-related account that would copy the name and profile picture of the legitimate account.
To spread the fake giveaway scam, the bots would reply to tweets posted by the legitimate account, containing a link to entice Twitter users to the scam.
Adding to the complexity, many spoof accounts followed what the researchers termed "hub accounts" and suspect are followed "in an effort to appear legitimate".
The botnet also employed "amplification bots" – other fake accounts that are used to give "likes" to scam tweets to "to artificially inflate the tweet's popularity [and] make the cryptocurrency scam appear legitimate."
The paper states:
"[Searching for connected bots] resulted in a 3 tiered botnet structure consisting of the scam publishing bots, the hub accounts (if any) the bots were following, and the amplification bots that like each created tweet. The mapping shows that the amplification bots like tweets from both clusters, binding them together."
Intriguingly, the team found that the discoveries allowed them to connect the bots in a way "that can result in the unraveling of the entire botnet."
While Twitter has been making moves to clamp down on such cryptocurrency scams, Duo writes in its conclusion that the work shows that botnets are still active and can be discovered by "straightforward analysis."
"We don't consider the problem solved," they said.
Going forward, Duo plans to open source the techniques described in the paper in the hope that new techniques can be developed to identify malicious bots, and help "keep Twitter and other social networks a place for healthy online discussion and community."