Thursday, March 14, 2013

Twitter Bots are Getting Stranger

I like to see what people are saying about Unglue.it, so I follow the "unglue" tweetstream. For many months, the false positives were really quite entertaining. In the words of normal human twitterers, the word "unglue" unearths all sorts of things people are stuck to and want to be unstuck. Lips, asses, couches, various electronic devices, and of course, Twitter itself. And combinations of two or more of these sticky things. Fun times!

The first bot butting in on my "unglue" stream belonged to some sort of travel agency social marketing bot named Leadify. Various destinations were being touted by this bot under by different users:
@SkyRunTelluride Can’t unglue the kids from the tv on vacations? Go camping in Telluride and leave technology behind.
@VisitGatlinburg Can’t unglue the kids from the tv on vacations? Go camping in Gatlinburg and leave technology behind.
@CrestedButteMt Can’t unglue the kids from the tv on vacations? Go camping in Crested Butte and leave technology behind.
@TimberlineVaca Can’t unglue the kids from the tv on vacations? Go camping in Breckenridge and leave technology behind.
@lodgingdeals Can’t unglue the kids from the tv on vacations? Go camping in Snowmass and leave technology behind.
@vailmountain Can’t unglue the kids from the tv on vacations? Go camping in Vail and leave technology behind.
You get the idea. At least it's clear what "service" this bot is providing.

But recently, a new bot has started getting in on the "unglue" action. What bugs me is I can't figure out why it does what it does:

@IsabellaMariah3 Unglue latent clubhouse derby: .cpP
@MervinSacco1 Unglue official pass250 607-109 audition check over guides: .BCO http://bit.ly/ZMz6fj
@MacDonaldBoswor Dancery unglue rounders online: .Fhi
@ClarenceWither1 Charley 95010 online until unglue straight a rich conjunction unripe forethink: .daw http://bit.ly/WckiGL
@GoldmanLarry1 Unglue fund online casinos: .pyT 525471
@IsaacShade1 Unglue swop 185-113 prelim niagara mopes: .AQb http://bit.ly/10OwHmW
@AllenHoffmann1 Unglue pos software - baksheesh in preference to forthright pos software, guides with acquit pos software: .hFg http://bit.ly/Xv9k0W
@BootmanRussel1 Betting parlor online unglue green stuff extant professional athlete bribe: .YnL 050623
@PassBobby Unglue liquid assets repudiation cash upon be unfaithful online poolroom: .mNG 263810
@GladysSavannah Current unglue contribute nonobservance stationing show biz: .Obd
@EricksonCarter Tavern unglue do tool motion hiatus: .wrm 894279
@JohnsonAllison2 Amusement park unglue participate: .Sby 584823
@BarnesIsabelle Flat reputable volume dvd unglue: .QfH 362486
@JustinCharlie1 261 sporting house unglue tropez aggrandize: .cln
@FrederickWilli4 The hard-and-fast fender in relation with unglue online auction: .RqZ http://bit.ly/Xr2Tw3
@AlanLindley2 How head an neutral advisor grant-in-aid myself pick the uppermost glamour issue unglue racket: .mcY http://bit.ly/W8lrz9
@PaigeCarol1 Thereupon the album's unglue, the belt stirred drummer chouse health resort but salaried nicholas dingley, go ... 121898
@PaigeSandra1 Theater bootlegging unglue surface structure: .nxz 968560
@MiloVelasquez1 332 gambling hall unglue online volutation: .otR
@PeregrinBoles Unglue downloadlot-054exam chamber music guides: .qxf http://bit.ly/10KfJGp
@LeapmanRebecca Entertainment industry unglue contract bridge toad: .iyG 836459
@MakaylaCooper15 Cafe chantant coupon unglue gamut: .eqG 184945
What could possibly be the purpose of these tweets?

My first thought was this is some SEO scam. About 1/3 of the tweets have a bit.ly link to the http://promotion-web.tk/ or related websites; these pages contain more nonsense text under the title "First-class portal". (The "dot .tk" top level domain is a free domain registry based in Amsterdam) But that doesn't make much sense. Why would nonsense tweets point at nonsense websites? And why would most of the tweets come without links?

And if it's an SEO scam, why add things like ".nxz 968560"? Who's going to click on a tweet like that? Even search engines aren't that dumb.

My next thought was that these accounts are those "followers" that social marketing bozos buy for their twitter feeds. But no, many of these these accounts aren't following more than two or three other accounts, though they may have 250 or so of their fellow robots following them, along with a surprising number of apparently human social media consultants.

It's puzzling, and I don't take kindly to unsolved puzzles. This army of zombie twitter accounts must be assembling for some sort of mischief.

So here's my best guess. I think these twitter bots are hiding information in plain view. Suppose you were a terrorist organization or a criminal network, and you needed to publish communications to large numbers of people world wide. What better way to do this than to publish encrypted information on twitter. Or even better, put the encrypted information on a network of websites, and use a distributed network of twitter accounts to distribute the decryption keys? Or maybe this is where Wikileaks is storing its secret files.

The data publishing rate appears to be about 100 tweets per minute, or about 230 bytes/sec. That's 20 MBytes per day. Maybe the three letter codes are the intended recipients, and the 6 digit numbers are constantly changing keys (like RSA's SecurID) for files posted on 2-factor secured websites.

Or maybe its just garbage ungluing latent clubhouse derby.

Notes:
1. Just to be clear, it's not just the word "unglue" that zombie bot is attacking.
2. I can't wait to get head-desked by a simple explanation in the comments.
3. So you don't have to try one of those bitly links yourself, heres a sample of text from one of the garbage websites:
Oneabe is a free online bidding site offering best auctions and known as beat penny auction site , here we conduct Free Online Auction and oneabe is one of the best Online Auction Sites. We also offer free international auction. Presently we are bidding on thunder-Quadband Dual SIM Wifi Touchscreen World and on superb LCD Home theatre media projector and so on. We do our auctions category wise. As here you would see a plethora of options and catalogs within which you can choose whatever is of your choice and need and participate in bidding as well as can buy them. We offer categories like Antiques and art, automobile & bikes, survival kits, businesses for sale, clothing and accessories, coins and collectibles and much more. We are known as a penny auction site worldwide.Under the category of antique and art we offer 20th century antiques ranging from 1920’s till modern , architectural antiques like garden antiques and others, under the wing of Art we offer contemporary art, drawings, paintings, general, photographic images, prints as well as sculptures. We also sell books and manuscripts those are rare and precious. We offer a plethora of ceramic goods and also clocks, decorative items to decorate your home and your office. Our folk art is very unique and our foreign arts are all master pieces. We also do bidding on furniture, map or atlas as well as on metal ware such as brass, copper, bronze, gold, silver, and silver plated goods also we sell music instruments. We also offer here to our customers a very good quality of textiles and linens that includes fabric, embroidery, linens and quilts and much more. Under the gaming option we offer...
4. (update) More theories being discussed on Hacker News https://news.ycombinator.com/item?id=5373161 
Enhanced by Zemanta

12 comments:

  1. I thought the whole point of SEO scams were to lead people to websites, no matter how stupid the content. As long as the content ticker ticks, a few cents in their pockets from Google. Site parks have been crushed through normal Google, so it's only natural for them to try out Twitter and other similar channels as well. In fact, I fear you've made them a few cents simply by clicking.

    But I *love* your theory! Man, I wish it is true!

    ReplyDelete
    Replies
    1. So you think it's spam content aimed at twitter search. If that were the case, wouldn't the target pages have more stuff to click on?

      Delete
  2. I believe that this is rather a botnet control using Twitter... has happened often before, because it's easier to create a twitter account than buying a server or a domain name (also, they're creatable for virtually no cost, opposed to server/ip/domain names, which cost money and can be traced)

    ReplyDelete
    Replies
    1. That's along the lines I was thinking, but would you build a botnet control system on accounts made to be easy to identify all at once? Large numbers of profiles link to the same URL.

      Delete
    2. The links may just be a distraction, or the junkwords on the target sites are something like "arguments" or encoded extra data for the bots.

      As long as the sites have not been taken down, there's no need for the botnet master to reveal other content-hosting sites. And Twitter doesn't do heuristic spam detection on tweets, I think.

      Delete
    3. Another possibility is that this a phone-home mechanism for spy-bots.

      Delete
  3. It's called "tongues".

    http://www.biblegateway.com/passage/?search=1+Corinthians+14&version=NIV

    ReplyDelete
  4. :3 So sweet of you! How did i deserve this :') I didn't know, you can buy a Twitter Account! :O hm...I wouldn't do that, cos these followers, i think some of them are not fake, would be very confus, when I start using this account then.
    Thanks admin and buy twitter followers

    ReplyDelete
    Replies
    1. So glad you have a sense of humor, jenifer in Dhaka, Bangladesh (58.97.232.94 )!

      Delete
  5. Wow, this is a whole different type of Twitter spam I've never seen before. I'm doing a study on the topic and really appreciate your thoughts on this. Previously I was just aware of the old standby types of Twitter spam (http://www.ranker.com/list/types-of-twitter-spam/kel-varnsen has a good list I've been looking at lately) but it would only make sense that new and yucky types would pop up here and there.

    It's scary, but completely makes sense, to think that terrorists would be using Twitter to communicate. It's almost hiding in plain sight. I wouldn't completely rule out some bad, bad SEO though either. If someone is searching for something on Twitter, a not so smart person just might be dumb enough to click those links.

    Anyway, thanks for opening my eyes to this behavior!

    ReplyDelete
  6. I thought of another possibility. Maybe it's some sort of puzzle or treasure hunt, akin to the puzzles devised for the MIT Mystery Hunt.

    ReplyDelete
  7. These twitter bots have evolved significantly. Here's what they look like now:

    Unglue patent note attraction gratuity: PQlvwsUrZ

    Discover an iphone brain twister would one and only indigence entranceway lodge into unglue my derogatory iphone 3gs: kGLnVYoZJe

    Rebuying being as how honeymoon dresses crunch unglue: cjeoTFA

    Dont be worthwhile farther: yes a another time iphone subordinary unglue yours iphone: bATRYTgA

    I know believe these are part of cooperative traffic generation scams. I think that the encoded words, i.e. 'bATRYTgA' are references to link shorteners. More in a new post.

    ReplyDelete