Duo unravels massive three-tiered ‘crypto-giveaway’ botnet

Researchers used a machine learning model to weed through 88 million Twitter accounts for bots and spammers

Researchers have uncovered a sophisticated botnet perpetuating a cryptocurrency scam in one of the most wide-reaching studies of the Twitter ecosystem to date.

A team of Duo Security researchers observed how the crypto-scam botnet, comprised of at least 15,000 bots arranged in a three-tiered hierarchy, worked to spread a fake 'cryptocurrency giveaway' and evolved over time to remain undetected.

Duo's principal R&D engineer Jordan Wright and data scientist Olabode Anise published their findings in a report titled 'Don't @ Me: Hunting Twitter Bots at Scale', ahead of a presentation at the 2018 Black Hat cybersecurity conference in Las Vegas tomorrow.

As part of the process, the researchers analysed more than 88 million Twitter accounts - one of the largest random Twitter datasets to date - between May and July 2018, gathering the public account data through Twitter's API and feeding it into a machine learning classifier to differentiate human accounts from bots.

The crypto-giveaway botnet, according to Duo, would first involve bots spoofing a legitimate cryptocurrency-associated account by stealing its display name and avatar. These accounts would subsequently spread fake links in replies to genuine users' tweets, and were also seen to take on the identity of a celebrity, or news organisation.

The team then found that many of these bots followed the same Twitter accounts, which they termed "hub accounts". They were unclear about the exact role these accounts played in the botnet, but theorised they are "randomly chosen accounts which the bots follow in an effort to appear legitimate".

Amplification bots, fake accounts that exist purely to like tweets to artificially inflate their popularity and visibility, comprised the final tier of this structure and were deployed to raise the prominence of the tweets promoting the scam, as well as afford them legitimacy.

They mapped the relationship between the amplification bots and the bots they support to discover previously unknown accounts, then analysed those in turn to unravel a sophisticated structure. In this process they established that it was possible to follow a single thread "that can result in the unraveling of the entire botnet".
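The pivot described above lends itself to a short graph walk. The following is an added example, not code from Duo's report or its GitHub release: starting from a couple of known scam bots, it collects the accounts that like their tweets (the amplification tier), then the other accounts those amplifiers boost (more scam bots), and repeats until nothing new appears; it then picks out hub accounts as those followed by most of the discovered bots, and flags the first tier by display names reused under a different handle. Every account name, like and follow edge is constructed sample data, and the thresholds (`min_shared`, `min_fraction`) are assumptions chosen for the sample rather than values from the paper.

```python
"""Unravelling a tiered Twitter botnet from a handful of seed accounts.

Added example, not Duo's code. Pivot: known scam bots -> accounts that like
their tweets (amplification bots) -> other accounts those amplifiers boost,
repeated to a fixed point. All names and edges below are constructed data.
"""
from collections import defaultdict

# Constructed sample: (liker, author) pairs, i.e. `liker` liked a tweet by `author`.
LIKES = [
    ("amp1", "bot1"), ("amp1", "bot2"), ("amp1", "bot3"),
    ("amp2", "bot1"), ("amp2", "bot2"), ("amp2", "bot3"),
    ("amp3", "bot2"), ("amp3", "bot3"), ("amp3", "bot4"),
    ("amp4", "bot2"), ("amp4", "bot3"), ("amp4", "bot4"),
    ("alice", "bot1"), ("alice", "newsdesk"),   # a real user who liked one scam reply
    ("bob", "newsdesk"), ("bob", "bot4"),
]

# Constructed sample: (follower, followee) pairs.
FOLLOWS = [
    ("bot1", "hubA"), ("bot2", "hubA"), ("bot3", "hubA"), ("bot4", "hubA"),
    ("bot1", "hubB"), ("bot2", "hubB"), ("bot3", "hubB"),
    ("bot3", "newsdesk"), ("alice", "newsdesk"), ("bob", "hubA"),
]


def index_edges(pairs):
    """Return (forward, reverse) adjacency maps for a list of (src, dst) edges."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for src, dst in pairs:
        fwd[src].add(dst)
        rev[dst].add(src)
    return fwd, rev


def unravel(seed_bots, likes, min_shared=2, max_rounds=20):
    """Expand a seed set of scam bots through the amplification tier.

    An account becomes an amplification bot once it has liked tweets from at
    least `min_shared` known scam bots; an account joins the scam-bot tier once
    at least `min_shared` known amplifiers like its tweets. The threshold (an
    assumed value) keeps a genuine user who liked a single scam reply, and the
    legitimate accounts that user also likes, out of the result.
    """
    liked_by, likers_of = index_edges(likes)   # liker -> authors, author -> likers
    bots, amplifiers = set(seed_bots), set()
    for _ in range(max_rounds):
        amplifiers |= {
            liker for liker, authors in liked_by.items()
            if liker not in bots and len(authors & bots) >= min_shared
        }
        new_bots = {
            author for author, likers in likers_of.items()
            if author not in amplifiers and len(likers & amplifiers) >= min_shared
        }
        if new_bots <= bots:        # fixed point: the thread has been pulled to its end
            break
        bots |= new_bots
    return bots, amplifiers


def hub_accounts(bots, follows, min_fraction=0.5):
    """Accounts outside the bot set followed by at least `min_fraction` of the bots."""
    if not bots:
        return set()
    _, followers_of = index_edges(follows)
    return {
        acct for acct, followers in followers_of.items()
        if acct not in bots and len(followers & bots) / len(bots) >= min_fraction
    }


def spoof_candidates(accounts, legitimate):
    """First tier: handles reusing a legitimate account's display name.

    Both arguments are {handle: display_name} dicts.
    """
    legit_handle_for = {name: handle for handle, name in legitimate.items()}
    return {
        handle for handle, name in accounts.items()
        if name in legit_handle_for and legit_handle_for[name] != handle
    }


if __name__ == "__main__":
    bots, amps = unravel({"bot1", "bot2"}, LIKES)
    print("scam bots:", sorted(bots))
    print("amplifiers:", sorted(amps))
    print("hubs:", sorted(hub_accounts(bots, FOLLOWS)))
    seen = {"realexchange": "Real Exchange",
            "rea1exchange_": "Real Exchange", "alice": "Alice"}
    print("spoofs:", sorted(spoof_candidates(seen, {"realexchange": "Real Exchange"})))
```

On the sample data the walk takes two rounds: the seeds pull in amp1 and amp2, which expose bot3; bot3 then qualifies amp3 and amp4, which expose bot4. alice and bob each liked only one scam tweet, so neither is promoted to the amplifier tier and newsdesk is never pulled into the bot set. On real data the same loop is applied to like and retweet edges fetched from the API, and the thresholds need tuning against what genuine users in the dataset actually do.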

"Users are likely to trust a tweet more or less depending on how many times it's been retweeted or liked. Those behind this particular botnet know this, and have designed it to exploit this very tendency," Duo's Anise said.

"Malicious bot detection and prevention is a cat-and-mouse game," Wright added. "We anticipate that enlisting the help of the research community will enable discovery of new and improving techniques for tracking bots. However, this is a more complex problem than many realize, and as our paper shows, there is still work to be done."

The tools and techniques the pair used to uncover the cryptocurrency scam botnet, which they are set to highlight at Black Hat, are being made publicly available via GitHub following their presentation.

Although botnets can be structured in different ways, the paper noted the structure and appearance of this particular one resembled the 'diet-spam botnet' discovered by Symantec in 2015 - with dedicated roles assigned to different clusters. Alternatively, botnets may exist in a 'flat' structure where each fake account exhibits the same behaviour.

"Twitter is aware of this form of manipulation and is proactively implementing a number of detections to prevent these types of accounts from engaging with others in a deceptive manner," a company spokesperson said.

"Spam and certain forms of automation are against Twitter's rules. In many cases, spammy content is hidden on Twitter on the basis of automated detections.

"When spammy content is hidden on Twitter from areas like search and conversations, that may not affect its availability via the API. This means certain types of spam may be visible via Twitter's API even if it is not visible on Twitter itself. Less than 5% of Twitter accounts are spam-related."

Writing in a blog post, the principal researchers said they were pleased with Twitter's initial response to their findings, and the company's announcement that it would be challenging "more than 9.9 million potentially spammy or automated accounts per week".

"We're excited to see these efforts by Twitter and are hopeful that these increased investments will be effective in combating spam and malicious content," the pair wrote.

"However, we don't consider the problem solved. The case study presented in this paper demonstrates that organized botnets are still active and can be discovered with relatively straightforward analysis."
