Researchers at digital security firm Duo Security claim to have uncovered “a sophisticated cryptocurrency scam botnet consisting of at least 15,000 bots” broadcasting cryptocurrency giveaway and other scams on Twitter.
The company made the claim in a paper released yesterday, two days ahead of a presentation they will give tomorrow at the Black Hat USA digital security conference being held this week in Las Vegas.
Automated Twitter cryptocurrency scam “bots” typically impersonate well-known crypto personalities, celebrities, and crypto exchanges, promising to give large amounts of ether and other crypto away in exchange for small initial sums sent by victims.
Bots typically wait until the targeted personality tweets something and then spam a litany of fake crypto giveaway offers into the comments that follow the tweet. The impersonations give the scam an air of legitimacy.
The problem has become so pervasive on Twitter that even Tesla’s Elon Musk recently tweeted about the phenomenon:
I want to know who is running the Etherium scambots! Mad skillz …
— Elon Musk (@elonmusk) July 8, 2018
Duo Security Principal R&D Engineer Jordan Wright and Data Scientist Olabode Anise say they unearthed the extensive crypto-scam botnet by analyzing data from 88 million Twitter accounts.
The researchers say they were able to distinguish automated accounts from “genuine” human accounts by using machine learning to tally “the time between tweets, distinct tweet sources and the average number of hours per day an account is active.” Scam bots typically tweet rapidly, “in short bursts,” said Anise.
Wright and Anise also mapped “the cryptocurrency scam botnet’s three-tiered, hierarchical structure, consisting of scam publishing bots, ‘hub’ accounts that other bots often followed and amplification bots that like tweets in order to artificially inflate the tweet’s popularity…”
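To make those three features concrete, here is an added example (not Duo Security's code or model) that computes them per account from constructed tweet records and flags accounts whose posting is bursty. The account names, source strings, function names and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records (account, ISO timestamp, tweet source); not real data.
SAMPLE_TWEETS = [
    ("acct_a", "2018-07-08T14:00:00", "custom-script"),
    ("acct_a", "2018-07-08T14:00:02", "custom-script"),
    ("acct_a", "2018-07-08T14:00:04", "custom-script"),
    ("acct_a", "2018-07-08T14:00:06", "custom-script"),
    ("acct_a", "2018-07-08T18:30:00", "custom-script"),
    ("acct_a", "2018-07-08T18:30:01", "custom-script"),
    ("acct_a", "2018-07-08T18:30:03", "custom-script"),
    ("acct_b", "2018-07-08T09:15:00", "Twitter for iPhone"),
    ("acct_b", "2018-07-08T12:40:00", "Twitter Web Client"),
    ("acct_b", "2018-07-08T21:05:00", "Twitter for iPhone"),
    ("acct_b", "2018-07-09T08:50:00", "Twitter Web Client"),
    ("acct_c", "2018-07-08T10:00:00", "Twitter Web Client"),
]

def account_features(tweets):
    """Compute the three per-account features named in the quote above."""
    by_account = defaultdict(list)
    for account, ts, source in tweets:
        by_account[account].append((datetime.fromisoformat(ts), source))
    features = {}
    for account, rows in by_account.items():
        times = sorted(t for t, _ in rows)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        hours_by_day = defaultdict(set)
        for t in times:
            hours_by_day[t.date()].add(t.hour)
        features[account] = {
            "tweets": len(times),
            # Median, not mean: long pauses between bursts would swamp a mean.
            "median_gap_s": median(gaps) if gaps else None,
            "distinct_sources": len({s for _, s in rows}),
            "avg_active_hours": sum(map(len, hours_by_day.values())) / len(hours_by_day),
        }
    return features

def bursty_accounts(features, max_median_gap_s=10, min_tweets=5):
    """Flag accounts that tweet in rapid bursts. Thresholds are illustrative assumptions."""
    return sorted(
        a for a, f in features.items()
        if f["tweets"] >= min_tweets
        and f["median_gap_s"] is not None
        and f["median_gap_s"] <= max_median_gap_s
    )

if __name__ == "__main__":
    print(bursty_accounts(account_features(SAMPLE_TWEETS)))
```

A single-tweet account such as `acct_c` has no inter-tweet gap, so it is never flagged on this feature alone.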
Automated “likes” enhance the perceived social legitimacy of a crypto giveaway offer:
“Users are likely to trust a tweet more or less depending on how many times it’s been retweeted or liked. Those behind this particular botnet know this, and have designed it to exploit this very tendency.”
The researchers stated they had “actively observed Twitter suspending cryptocurrency scam bots…(and) quickly identifying verified accounts that had been hijacked, returning them to their rightful owners.”
Nevertheless, said Duo, “portions of the studied cryptocurrency botnet remain active.”
The Duo press release that corresponded with the paper contained a response from Twitter regarding Duo’s findings.
In the response, Twitter claimed that the data the researchers unearthed through the Twitter API (application programming interface) does not reflect the amount of spam that actually makes it onto the platform. Most scam content, they said, stays below the surface:
“In many cases, spammy content is hidden on Twitter on the basis of automated detections. When spammy content is hidden on Twitter from areas like search and conversations, that may not affect its availability via the API. This means certain types of spam may be visible via Twitter’s API even if it is not visible on Twitter itself. Less than 5% of Twitter accounts are spam-related.”
An educational video by MuleSoft likens an API to a waiter at a restaurant taking orders and delivering food from a kitchen.
In other words, says Twitter, if a Twitter user searches (or “orders”) info on a certain cryptocurrency or crypto personality, the API will filter and deliver largely legitimate content.