How a prolific spammer built a 750,000-strong Twitter army to promote his scam
It can be extremely difficult to work out who's actually behind them - but it's not impossible. Satnam Narang, a researcher for security company Symantec has investigated a network of incredibly prolific spam accounts, discovering that almost 750,000 of them were all being operated by a single person.
The accounts in question were promoting "green coffee been extract" - a get-rich quick diet pill (which, obviously, doesn't work). The American market for diet pills is $2 billion a year, so it's easy to see why the spam operator was interested - they "would earn a commission for each successful referral," Narang explains.
The operation utilised three distinct types of spam account:
- Eggs - These were new accounts, with the default "egg" profile picture. Their purpose is primarily to bolster follow numbers of other spam accounts, and made up the majority of the accounts investigated.
- Parrots - Impersonations of "normal" people. They will automatically copy profile pictures and tweets from genuine users to make their accounts look active and engage with the third type of account...
- Mockingbirds - The Mockingbirds are the accounts that disseminate the links to the spam content. They will impersonate celebrities and reputable news outlets like CNN, ABC, TMZ and MTV, and send out links to the bogus diet pills. The parrots will then respond to these tweets positively - making it look like the account is trustworthy.
Here's a screengrab of parrots replying to a Mockingbird's tweet:
And here's a diagram from Symantec demonstrating how it works:
The Mockingbirds and Parrots will inevitably be flagged up by Twitter's systems and deleted sooner or later. But the operation responds to this by simply "promoting" an egg to a higher rung, and changing how it behaves. And because the egg accounts do very little, they're very rarely found and banned by Twitter. Narang found 700,000 eggs, along with some 40,000 parrots, and less than 100 mockingbirds. Factoring in now-suspended accounts, he predicts that "the spam operator has controlled at least one million Twitter accounts over time."
While the operation has now been reported to Twitter, it's been going on for a long time: The majority of accounts were created around a year ago, but some date back as early as the start of 2012.
So who's behind it? The researcher was able to track down the entire investigation down to a single person, based on "clues" left when registering websites and because the culprit occasionally engaged with his personal account using spam accounts. He hasn't been named (we've reached out to Symantec for more details) - but it shows just how a one dedicated man can construct a vast spam empire.