
Twitter struggles to deal with the sock-puppet and bot armies

The latest twist sees the bot armies busily retweeting legitimate accounts in an attempt to get them banned for abuse - and it's working. So why can't Twitter do better?

Twitter botnets used for political propaganda might have hit on an ingenious new way to cause mischief – bombard accounts they dislike with fake followers and retweets in an attempt to get them suspended by the site’s anti-abuse systems.

Normally, such botnets – made up of thousands of automated “sock puppet” accounts controlled from a single point – are used to spam fake news stories or bombard target Twitter accounts with large numbers of hostile tweets.

In recent weeks, however, journalists and non-profit organisations have been affected by a new twist on an old tactic which one of those affected, cybersecurity writer Brian Krebs, describes as a “tweet and follower storm”.

The trigger provoking botnet attention in this case has been writing about Russian and US politics, as news site ProPublica discovered when it gave coverage to an analysis by Digital Forensic Research Lab (DFRLab) on alleged attempts by Russian propaganda to stir up political tensions in the US.

The response of pro-Russian bots was to retweet a Twitter condemnation of the story up to 23,000 times, ostensibly an attempt to blot out its post with the Twitter equivalent of white noise.

At the same time, DFRLab staff reported receiving intimidating tweets which, again, were amplified hugely by botnets, including on August 28 the bogus claim that one of its staff, Ben Nimmo, had died.

A journalist who covered this story, Joseph Cox of The Daily Beast, reported this week that it was retweeted 1,300 times by bots while he attracted 300 new, mostly Russian-language followers within a short period of time.

Then Cox’s account was suspended by Twitter with the following message:

Caution: This account is temporarily restricted. You’re seeing this warning because there has been some unusual activity from this account.

Presumably, Twitter had detected the suspicious retweets but incorrectly associated his account with them.

Two days later, journalist Brian Krebs avoided the same fate after he commented on the bot phenomenon and was overnight rewarded with 12,000 new followers and as many retweets. Commenting on the reasons behind Cox’s suspension, he said this:

Let that sink in for a moment: A huge collection of botted accounts — the vast majority of which should be easily detectable as such — may be able to abuse Twitter’s anti-abuse tools to temporarily shutter the accounts of real people suspected of being bots!

Twitter reinstated Cox’s account after a few hours, but one conclusion is that, whether by design or accident, bots have hit on a new way to annoy Twitter users they take against.

According to Krebs, the 12,000 bot accounts unfollowed him but remain active on the service despite their suspicious behaviour.
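The failure described above is one of attribution: an inbound storm of retweets and follows was counted against the account receiving it rather than against the accounts generating it. The following example, added here and not code from the article or from Twitter, sketches how a defender-side triage step could score an inbound burst over a constructed event log; the `Actor` and `Event` records, the thresholds and the `@reporter`/`@bot…` handles are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Actor:
    handle: str
    age_days: int        # account age in days when the action happened
    followers: int
    retweet_ratio: float # share of the actor's own timeline that is retweets

@dataclass(frozen=True)
class Event:
    ts: int              # seconds since the start of the observation window
    kind: str            # "retweet" or "follow"
    actor: Actor
    target: str          # handle on the receiving end of the action

def looks_automated(a: Actor) -> bool:
    """Cheap per-account heuristic: young, unfollowed, retweet-only accounts."""
    return a.age_days < 30 and a.followers < 10 and a.retweet_ratio > 0.9

def triage_inbound(events, target, window=3600, min_burst=100, bot_share=0.8):
    """Classify a burst aimed at `target`; attribute it to the actors, never the recipient."""
    inbound = [e for e in events if e.target == target and 0 <= e.ts < window]
    if len(inbound) < min_burst:
        return {"verdict": "normal", "inbound": len(inbound), "restrict_target": False}
    actors = {e.actor for e in inbound}
    bots = {a for a in actors if looks_automated(a)}
    share = len(bots) / len(actors)
    return {
        "verdict": "inbound_storm" if share >= bot_share else "needs_review",
        "inbound": len(inbound),
        "distinct_actors": len(actors),
        "bot_share": round(share, 2),
        "flag_actors": sorted(a.handle for a in bots),  # accounts to act on
        "restrict_target": False,  # the recipient did not originate the storm
    }

def constructed_storm(target="@reporter", bots=100, real=20):
    """Constructed sample (not real data): many fresh retweet-only accounts plus
    a few established ones, all retweeting `target` within a few minutes."""
    events = []
    for i in range(bots):
        a = Actor(f"@bot{i:04d}", age_days=3, followers=1, retweet_ratio=0.98)
        events.append(Event(ts=i * 5, kind="retweet", actor=a, target=target))
    for i in range(real):
        a = Actor(f"@user{i:03d}", age_days=900, followers=250, retweet_ratio=0.3)
        events.append(Event(ts=60 + i * 7, kind="retweet", actor=a, target=target))
    return events
```

Running `triage_inbound(constructed_storm(), "@reporter")` labels the burst an inbound storm, lists the 100 automated handles for follow-up and leaves the recipient unrestricted.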

On one level, this is not surprising – bots (in other words, automated accounts) are allowed under Twitter’s terms and conditions and have numerous legitimate uses. What isn’t allowed are fake accounts, which Twitter has been battling for years.

When fake accounts are corralled into botnets, trouble follows, with some of the biggest networks reaching hundreds of thousands of accounts. Some of them even have names, for example the 90,000-strong “Siren” bot used to lure people to porn websites.

The larger question is why, after years of claimed improvements in its security protocols, Twitter still seems unable to spot accounts that look dubious and which breach its terms and conditions.

All the big social media platforms have a problem with fake accounts used for nefarious purposes but only on Twitter do malicious bots seem able to pull off what amounts to a denial-of-service attack on individual users.

Is there a defence? After being targeted, DFRLab could find only one that was capable of deterring the bot horde – copy @Twittersupport and @Twitter on any complaint.


5 Comments

I don’t understand why nations can’t require their ISPs to simply block bots as they are discovered. If any system is a bot, then it shouldn’t be allowed access to the Internet until it is cleaned. An ISP, when presented with a proper court order, could prevent the owned hardware from accessing any network, with the exception of legitimate anti-malware company sites. Allow access to a single page with links to all known legitimate anti-malware sites.
I feel for people who don’t realize their system is owned, but it seems to me there should be some accountability required by hardware owners. Corporations who send too much spam are routinely email-blacklisted, and have to negotiate to get their access back. Why not individuals?
For traffic coming in internationally, it gets a lot harder to pin down specific bots. So, block all ISPs not complying until they get their act together.

Two reasons:

1. Blocking botnets directly means blocking the IPs they are built from, which means blocking legitimate networks. It has been tried by at least one large telco and was controversial for that reason. That’s why bot counter-measures aim for the command and control.
2. The bots mentioned here – on Twitter – are not necessarily illegal according to the service’s terms and conditions.

Why is it tied to whole IP ranges? ISPs could (if forced to) assign exactly one IP address to each entry point into the private network(s). And, when affected, that IP address can be static-routed to one page, that only allows through traffic back and forth from anti-malware organizations. I’ve actually implemented this at one company, and it worked moderately well. People didn’t complain so much once you explained that the FBI might be interested in that traffic, if it’s not fixed.
Businesses would need to be a special case.
But, using the Internet is a privilege, not a right (IMO). One burns that privilege when one does not operate at least marginally securely.
Further, it seems very likely that businesses would warm to this idea really quickly when they realize they’re going to be told that they have an infected system moments after it is first used as a bot. As long as they’re given a reasonable amount of time to find and clean affected devices (before they are cut off), they should be OK. After all, what business wants to have their internal property used for illegal purposes?
Individuals are the real targets of my idea, though. And, especially IoT devices, phones, and unprotected or lightly-protected network owners.
Any such law would need to be both carefully-crafted and updated regularly (i.e. one main law and a government organization tasked with keeping the technology current).
But, if done correctly, I think it could work. Well, until botting technology changes, anyhow.

You are very correct on point # 2. But, this idea has been burning in my head for a while, and this seemed like the right place to ask the question.

Very late reply but,

In many areas the ISPs assign dynamic IPs, especially for home users.
In these circumstances blocking an IP only means that the poor soul who gets assigned that IP later on will have these restrictions applied to them, and assigning everyone an IPv4 address isn’t possible, simply because there’s just not enough available. Add to this the potential for a bot mis-diagnosis rendering a regular account/IP blocked incorrectly.

Additionally, holding users responsible because their system got ‘owned’ isn’t particularly fair. Not everyone can understand the inner workings of the technologies they’re using and they trust their AV (and other tools) to protect them. If an exploit finds its way around any protection, who is to blame? Certainly not the end user who has done all they can reasonably be expected to do to protect themselves.

No, the responsibility for blocking bots simply has to lie with the particular social network being affected. If that social network can’t solve the problem and it’s degrading the experience for the end users, look for a different social platform.
