Researchers Put a Dent in the Twitter Underground

A USENIX paper presented yesterday explains how a team of researchers was able to disrupt a small portion of the underground merchants selling fraudulent Twitter accounts.

Fraudulent Twitter accounts are a booming business, accounting for significant underground money for spammers, fake antivirus scams, drive-by downloads and phishing schemes. But research presented at USENIX yesterday proposes a means for driving up the cost for attackers to get these campaigns off the ground.

Vern Paxson of the International Computer Science Institute and Chris Grier of UC-Berkeley, who presented at USENIX, along with Kurt Thomas of UC-Berkeley, Damon McCoy of George Mason University and Alex Kolcz of Twitter, developed what they called a classifier that they hope Twitter will soon integrate into its registration process. The tool, the researchers said, identifies potentially fraudulent accounts as they are being automatically registered by a criminal.

“Our technique relies on identifying patterns in the naming conventions and registration process used by [fraud] merchants to automatically generate accounts,” the researchers wrote in the paper they presented at USENIX. With Twitter’s permission, the classifier was used retroactively on Twitter accounts registered in the 10 months leading up to this April. Several million registrations were flagged as fraudulent, the paper said.

“Our detection framework begins by leveraging the limited variability in naming patterns used by account generation algorithms which enables us to automatically construct regular expressions that fingerprint fraudulent accounts,” the researchers wrote.

The regular expressions are generated from the structure of the screen names themselves: the character classes used in short screen names, their lengths, text strings repeated across multiple accounts, and other characteristics the researchers refined into a profile. That profile was then applied to accounts bought from 27 known fraud merchants with whom the researchers had established buying relationships.
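To make the fingerprinting idea concrete, here is an added example (written for this article, not code from the paper or from Twitter) of how a regular expression can be derived from a cluster of screen names that share a generation pattern. It abstracts each name into runs of character classes, keeps runs whose text is identical across the cluster as literals, and turns the others into a class with the observed length range. The screen names and the `min_support` threshold are constructed for the example; the paper's own construction is richer than this.

```python
import re
from collections import defaultdict

# Regex character ranges for the three classes we abstract over.
RANGES = {"l": "a-z", "u": "A-Z", "d": "0-9"}


def classify(ch):
    """Map one character to a class tag; punctuation is its own class, keyed by the character."""
    if "a" <= ch <= "z":
        return "l"
    if "A" <= ch <= "Z":
        return "u"
    if "0" <= ch <= "9":
        return "d"
    return ch


def runs(name):
    """Split a name into maximal runs of one class, e.g. 'ed_stone4410' -> [('l','ed'),('_','_'),('l','stone'),('d','4410')]."""
    out = []
    for ch in name:
        cls = classify(ch)
        if out and out[-1][0] == cls:
            out[-1] = (cls, out[-1][1] + ch)
        else:
            out.append((cls, ch))
    return out


def shape(name):
    """The sequence of run classes; names with the same shape are candidates for one fingerprint."""
    return tuple(cls for cls, _ in runs(name))


def fingerprint(names):
    """Build one anchored regex covering every name in a same-shape cluster."""
    parts = [runs(n) for n in names]
    if len({tuple(c for c, _ in p) for p in parts}) != 1:
        raise ValueError("names do not share a shape")
    pieces = []
    for i in range(len(parts[0])):
        cls = parts[0][i][0]
        texts = [p[i][1] for p in parts]
        if len(set(texts)) == 1:
            # Same text in every name: a fixed token of the generator, keep it literally.
            pieces.append(re.escape(texts[0]))
            continue
        lo, hi = min(map(len, texts)), max(map(len, texts))
        quant = f"{{{lo}}}" if lo == hi else f"{{{lo},{hi}}}"
        if cls in RANGES:
            pieces.append(f"[{RANGES[cls]}]{quant}")
        else:
            pieces.append(re.escape(cls) + quant)
    return "^" + "".join(pieces) + "$"


def build_fingerprints(names, min_support=3):
    """Cluster purchased names by shape and emit a regex for each cluster with enough members."""
    groups = defaultdict(list)
    for n in names:
        groups[shape(n)].append(n)
    return [fingerprint(g) for g in groups.values() if len(g) >= min_support]


def flag(names, patterns):
    """Return {name: True/False} marking which registrations match any fingerprint."""
    compiled = [re.compile(p) for p in patterns]
    return {n: any(c.match(n) for c in compiled) for n in names}


# Constructed sample of screen names, imitating two different account-generation scripts.
PURCHASED = [
    "alice_walker4821", "bobby_hudson7735", "clara_nguyen9102", "ed_stone4410",
    "TwtUser0001", "TwtUser0002", "TwtUser0003",
]
# Constructed sample of later registrations to screen against the fingerprints.
NEW_SIGNUPS = ["dan_brooks1190", "TwtUser0417", "security_guy", "k8s_fan_2021", "Vern"]

if __name__ == "__main__":
    pats = build_fingerprints(PURCHASED)
    for p in pats:
        print("fingerprint:", p)
    for name, hit in flag(NEW_SIGNUPS, pats).items():
        print(f"{name:18} {'FLAG' if hit else 'ok'}")
```

Two design points carry over to the real setting: the patterns are anchored (`^...$`), so a fingerprint cannot fire on a substring of a legitimate name, and `min_support` keeps a one-off purchase from becoming a rule. In production the false-positive rate of each pattern would be measured against known-good registrations before it is used at signup time.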

The 27 fraud merchants, the researchers said, were responsible for millions of fraudulent Twitter accounts, 95 percent of which were suspended by Twitter. The team of researchers estimates that this relatively small number of merchants was responsible for up to 20 percent of the phony accounts registered on Twitter during the 10 months the study took place and that the fraudsters earned close to $500,000 during that timeframe. After the initial suspensions, the team bought more fraudulent accounts, 90 percent of which were immediately suspended by Twitter, causing some fraud merchants to temporarily stop selling Twitter accounts.

The team said the market did begin a recovery shortly thereafter; another 6,800 accounts were purchased two weeks later and only 54 percent were immediately suspended.

“As such, long term disruption of the account marketplace requires both increasing the cost of account registration and integrating at signup time abuse classification into the account registration process,” the researchers wrote.

Underground merchants are finding huge profits in selling Twitter credentials, bolstered by using services that bypass CAPTCHA protection or techniques such as spreading phony accounts across thousands of IP addresses they control to sidestep Twitter’s blacklist controls, the researchers said. The accounts were selling at a range of $10-$200 per thousand accounts. For this study, the researchers monitored the 27 merchants—finding them via Web storefronts, black hat forums and elsewhere on the Web—and purchased fraudulent Twitter accounts every two weeks, amassing 121,027 accounts from June 2012 to April of this year.

“Our findings show that merchants thoroughly understand Twitter’s existing defenses against automated registration, and as a result can generate thousands of accounts with little disruption in availability or instability in pricing,” the researchers wrote. “In order to fulfill orders for fraudulent Twitter accounts, we find that merchants rely on CAPTCHA solving services; fraudulent email credentials from Hotmail, Yahoo, and mail.ru; and tens of thousands of hosts located around the globe to provide a diverse pool of IP addresses to evade blacklisting and throttling.”

While the researchers estimate the cost of a fraudulent Twitter account to be pennies per account, some of the merchants they dealt with in the research also sold Facebook, Google, Hotmail and Yahoo accounts; Facebook accounts start at 45 cents per account and can get as high as $1.50 for a phone-verified account while Google phone-verified accounts are 50 cents. Hotmail and Yahoo accounts, the researchers said, are in the same pricing ballpark as Twitter accounts. They did not have permission, however, from those Internet companies to vet credentials for those accounts as they did with Twitter.
