Discover and read the best of Twitter Threads about #SundaySpam

Most recents (18)

Trump is out of office and off of Twitter, but the MAGA follow trains continue to chug along. We took a look at #MAGA train activity subsequent to Twitter's January 8th 2021 QAnon crackdown. #SundaySpam

cc: @ZellaQuixote
By starting with a few MAGA follow trains and recursively exploring the accounts that retweeted them in search of additional trains, we found 7523 trains posted between Jan 9 and Feb 20, 2021, listing 10310 accounts. 7757 are still online, mostly accounts created in 2020 or 2021.
A significant minority of these trains (1145 of 7523, 15.2%) contain the hashtag #BolsoTrump2021, often alongside images promoting both Trump and Brazilian President Jair Bolsonaro. 16 of 58 "conductors" (accounts that post trains) we looked at used the #BolsoTrump2021 hashtag.
Read 6 tweets
Meet @TammyRu55487107, @AshleyG05060977, @MollyBa23420160, who (along with hundreds of their friends) all joined Twitter in late December 2020, and have all retweeted the same @sputnikvaccine tweet and nothing else. #SundaySpam

cc: @ZellaQuixote Image
These three accounts are part of a group of 634 batch-created followers of @sputnikvaccine, all of which were made on December 21st or December 22nd, 2020, and all of which have default profile pics and follow no other accounts. ImageImageImageImage
601 of these 634 accounts have tweeted, each of them exactly once. All of their tweets are retweets of the same @sputnikvaccine tweet, all (allegedly) posted via the Twitter Web App. 593 of them also liked the @sputnikvaccine tweet, and none has thus far liked another tweet. Image
Read 4 tweets
It's a day that ends in "Y", and a posse of pornbots is prolifically posting tweets advertising a group of websites, with the novel twist that the websites are included in images rather than linked directly from their tweets. #SundaySpam

cc: @ZellaQuixote
These bots were created in batches, and their image tweets contain hashtags and were (allegedly) sent via the Twitter Web App. We found 2147 batch-created accounts that fit this pattern, but how do we eliminate the ones without website names emblazoned on their image tweets?
Answer: we used OCR (optical character recognition), specifically the pytessaract library. It couldn't make much sense of the raw images, which use gray text on colored backgrounds, but tweaking the brightness/contrast on grayscale negatives resulted in machine-readable text.
Read 6 tweets
What's with all these similarly-named accounts retweeting this @globaltimesnews tweet? #SundaySpam

cc: @ZellaQuixote
Answer: a few recent @globaltimesnews tweets have been amplified by two distinct groups of bots. (It's possible that they are part of the same network, but we can't prove this, so we treated them as two separate botnets for the sake of this analysis.) #ATaleOfTwoBotnets
The smaller of the two botnets consists of 76 accounts created in October and November 2020, all (allegedly) tweeting via the Twitter Android App. In an apparent lapse of creativity on the part of the botnet operators, 36 of the accounts are named either "Barb" or "Barbara".
Read 9 tweets
In an interesting coincidence, this tweet linking what appears to be an unauthorized livestream of a sporting event was retweeted by a bunch of similarly-named accounts created in May 2013. #SundaySpam

cc: @ZellaQuixote
These accounts are part of a botnet promoting what we believe to be pirated livestreams of a variety of sporting events. (Among other things, many of the accounts have had tweets removed for copyright violations.
This botnet consists of two types of accounts: 206 accounts that link the pirated streams in their tweets, and 16 accounts that retweet them.
Read 9 tweets
One of the accounts that this reply spam botnet we recently documented replied to (@oliverzok) began its Twitter life with an infusion of over 1000 batch-created bogus followers. We decided to explore the rest of the network. #SundaySpam

cc: @ZellaQuixote
To find the rest of the network, we downloaded the followers of other accounts followed by the batch-created followers of @oliverzok, and repeated the process for the accounts they follow, and so on.
We found 1835 accounts that we believe to be part of this fake engagement network. All were created between January and March 2017, have been dormant since late 2017, and tweeted exclusively via the Twitter Android app back when they were active. All their tweets are retweets.
Read 6 tweets
What's up with all these automated melodramatic news tweets mentioning "heatmaps" and linking to futuredanger(dot)com? #SundaySpam

cc: @ZellaQuixote
We downloaded recent tweets linking to futuredanger(dot)com and found a network of 16 automated accounts dedicated to promoting the site. Each account tweets via its own custom app, accompanied by occasional organic tweets from @FutureDanger6.
The @FutureDanger6 account appears to be the hub of the network, and is mutual followers with the other 15 accounts (none of which follow any account other than @FutureDanger6).
Read 7 tweets
It's a Sunday in July, and a Chinese-language porn/adult services botnet is apparently recruiting models and encouraging folks to visit pinkmote(dot)com, a rather NSFW website hosted in China. (As always, don't click the link.) #SundaySpam

cc: @ZellaQuixote ImageImageImage
We found a total of 166 accounts that we believe are part of this pornbot network. These accounts promote an NSFW website, pinkmote(dot)com. With the exception of the newest 12 accounts (made July 13/14 2020), these accounts do not appear to have been created in batches. ImageImageImageImage
All of this network's 2020 content is in Chinese, promotes pinkmote(dot)com, and is allegedly sent via "Twitter Web Client", the old version of the Twitter website. Older tweets are in various languages and sent via various apps, suggesting the accounts were hacked/repurposed. ImageImageImage
Read 4 tweets
If you woke up this morning hoping that someone out there had created an #ArrestBillGates retweet bot, your dreams have come true in the form of @kuusevana. #SundaySpam

cc: @ZellaQuixote
Almost all of @kuusevana's recent tweets (2970 of 2975, 99.8%) are retweets of #ArrestBillGates tweets. These retweets are sent via a custom app called "kickstarter_engagement_mku" and the bot retweets round-the-clock, provided that new #ArrestBillGates tweets are available. Image
What other hashtags occur alongside #ArrestBillGates in tweets retweeted by @kuusevana? #ExposeBillGates, #ArrestFauci, #Plandemic, #Obamagate, and #WWWG1WGA are the most popular, with various other QAnon and anti-Soros hashtags also turning up. Image
Read 7 tweets
Oh look, more pornbots, tweeting in Korean this time. Despite the reassuring presence of four heart emoji in each tweet, we don't recommend clicking their obfuscated links. #SundaySpam

cc: @ZellaQuixote
We found a total of 1342 accounts that appear to be part of this botnet. Most were created in April or May 2020, although a few are older. None have liked more than 2 tweets, and all theoretically tweet via the old version of the Twitter website ("Twitter Web Client.")
The links in these pornbots' tweets are redirected via the tinyurl(dot)com link shortening service, followed by several other redirectors before arriving at newkitchen(dot)co(dot)kr, a Korean website than unsurprisingly seems more focused on nudity than actual kitchens.
Read 6 tweets
Oh look, more pornbots. In Japanese this time, even. #SundaySpam

(yes, this is the second pornbot thread we've posted today)

cc: @ZellaQuixote
We found a network of 257 Japanese-language pornbots, all created in 2020 and all automated via IFTTT. Additionally, all of the accounts have seven-character names consisting of random numbers and lowercase letters, and none have ever liked a tweet.
The accounts in this botnet were created in batches, and as batches have been added, the network's output has grown, presently ranging between 100 and 120 tweets per hour. The botnet is active 24/7.
Read 7 tweets
Oh look, more pornbots - or are they? #SundaySpam

cc: @ZellaQuixote
We found what appears to be a network of 51 Arabic-language pornbots. All were created over the span of less than three hours on April 9th, 2020, and all tweet via IFTTT. Each bot pushes a specific website.
The websites linked by the pornbots appear to be blogspot blogs with random 5 character names. We decided to check them out via Tor (as always, DO NOT click links to dodgy sites without taking precautions to avoid tracking/malware.)
Read 6 tweets
It's a great day to explore bots that attempt to game retweet-to-win contests! (and possibly ensnare them into retweeting portions of this thread. . .) #SundayShenanigans #SundaySpam

cc: @ZellaQuixote
We began by downloading 24 hours' worth of retweets containing the word "win". Although most of the traffic is organic, there does appear to be quite the variety of automation apps in play.
We then downloaded recent tweets from each account that used an automation app to retweet a tweet containing "win", and kept accounts matching these criteria:

• at least 50% of tweets are automated
• at least 90% of automated retweets contain "win", "giveaway", or "contest"
Read 9 tweets
It's a Sunday, which is as good a time as any to see if RT editor-in-chief @M_Simonyan has any dormant botnets following her. (Survey says yes.) #SundaySpam

cc: @ZellaQuixote
The streaks in this figure consist of accounts that were created in batches and followed @M_Simonyan in quick succession. They have other traits in common that we can use to filter out false positives:

• 0 likes
• 3 digit number of accounts followed
• Russian display names.
We downloaded the batch-created accounts following @M_Simonyan and found two additional identifying characteristics:

• all tweets sent via "Twitter Web Client"
• duplicate tweets

After filtering out false positives, we were left with 2287 accounts. Is this the entire botnet?
Read 8 tweets
If you're looking for #coronavirus profiteers that will also load up your account with useless followers, this is the botnet for you. #SundaySpam #coronagrift

cc: @ZellaQuixote
This network consists of three mixed English/Japanese accounts (@MoreOker, @MoreThanBetter4, and @MostOkest) with various #Followback hashtags on their profiles. They tweet 24/7 via "Botbird Tweets", with (possibly) organic tweets via Twitter Web App thrown in.
The bulk of this network's tweets occurred during one of two spikes in activity. The first was a barrage of #followback tweets sent around the new year via Twitter Web App, and the second (late Feb-March) is round-the-clock automated tweets hawking face masks and hand sanitizer.
Read 6 tweets
Are you pining away your weekend wishing you had more Crypto Experts and Forex Queens in your life? This botnet might be right up your alley. #SundaySpam

cc: @ZellaQuixote
We found a network of 58 accounts with names consisting of "cryptoexp" or "fxqueen" followed by a series of numbers. This network began life using its own custom automation software (cryptwizard), which it replaced with Twuffer and Twittimer following a hiatus in late 2019.
What does this botnet do? Its mission appears to be to link Telegram channels related to cryptocurrency and forex trading; thus far 9852 of 10020 tweets (98.3%) link one of two channels, generally accompanied by hashtag spam.
Read 7 tweets
Oh look, more pornbots. This network hypothetically tweets via Mobile Web (M2) (an older version of the Twitter website for mobile phones) and uses link redirection service rebrand(dot)ly to shorten/disguise its links. #SundaySpam

cc: @ZellaQuixote
@ZellaQuixote We found a total of 91 accounts tweeting shortened porn links via Mobile Web (M2). The entire group activated shortly after midnight PST on 2/9, and all were created in the 2 hours immediately prior. The botnet has generated an average of 69 tweets per minute since coming online.
@ZellaQuixote So far, every single tweet posted by these 91 accounts contains a rebrand(dot)ly short link that redirects to the actual porn site being peddled, zavmosse(dot)pw. As always, be wary of clicking links from dodgy botnets.
Read 17 tweets
We reached into the IFTTT cookie jar in search of botnets, and did not return empty handed. To start out, we grabbed the most recent 100K tweets without links sent via IFTTT. #SundaySpam

Search used:

source:IFTTT -filter:links exclude:retweets

cc: @ZellaQuixote
@ZellaQuixote Next, we looked at the creation dates of the 17479 accounts that sent the tweets in question. We analyzed the three largest spikes in new account creations:

1) April 26th - 27th 2017
2) September 9th - 21st 2017
3) January 23rd - 28th 2019
@ZellaQuixote The first spike (April 2017) is a network of 52 Korean-language IFTTT bots. All 52 operate on identical scheduls and have names consisting of 4 digits, followed by 4 letters, followed by 4 digits, followed by 2 letters, and finally followed by a "1". 50 of 52 have female avatars.
Read 9 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!