Huge spam operation on Twitter uncovered

What does it take to execute a successful spam operation peddling diet pills of questionable effectiveness? For one spammer, it took some 750,000 fake Twitter accounts.

Symantec researchers first spotted the campaign – peddling Green Coffee Bean Extract, a supposedly miraculous diet supplement – in July 2014. Later they discovered that the same spammer has been using this approach since the beginning of the year.

With small variations, the tweets looked similar to this one:

Of the 750,000 Twitter accounts, less than 100 were fake accounts impersonating news organizations like CNN and ABC, entertainment-focused outlets like TMZ, MTV News, and E! Online, and popular reality TV stars. These were the “mockingbird” accounts that would first post the above message.

Nearly 40,000 of the accounts were so-called “parrots,” who would retweet and favorite those initial messages. Finally, over 700,000 accounts were “egg” accounts: impersonating new users, who never tweet, but are used to inflate follower counts of Parrot accounts.

This is how the spam operation worked (click on the screenshot to enlarge it):


When a Parrot or a Mockingbird account were spotted by Twitter and suspended, the spammer would simply convert Parrot accounts to Mockingbirds, and Eggs to Parrots.

Symantec has been following the operation and sharing their findings with Twitter, Bitly, Google, and GoDaddy, in order to take down the accounts, shortened URLs and domains that were used in the campaign.

“Despite the use of Mockingbird, Parrot, and Egg accounts, as well as interesting tactics to preserve and recover accounts, the author failed to cover his tracks in certain areas,” noted Symantec’s Satnam Narang.

“Each of the domains was registered without private registration, revealing this individual’s real name and address. The Bitly accounts used for creating short URLs were associated with this individual’s Twitter and Facebook accounts. Lastly, he converted one of his Parrot accounts into a personal account, where he instructed his Parrot accounts to retweet and favorite some of his own tweets. We were able to link this spam operation to a single individual by combining these missteps.”

Unfortunately, there are bound to be others, as the market for these things is huge, and spammers and scammers are looking to take advantage of this.

What can you, as a regular user, do about it? Well, be careful who you follow on Twitter: a big number of followers is no guarantee that the account is legitimate and actually belongs to the celebrity or news outlet you want to hear about – look for the blue verified badge that shows that Twitter has verified the authenticity of an account. Also, don’t automatically follow accounts that follow you – it will prevent spammy messages from showing regularly on your Twitter feed.




Share this