Discover and read the best of Twitter Threads about #SundaySpam
Most recents (24)
What's up with these tweets that got hundreds of retweets and no likes whatsoever? #SundaySpam
cc: @ZellaQuixote
cc: @ZellaQuixote
Answer: the tweets in question were amplified by a spam network consisting of (at least) 3586 accounts created between October 2013 and December 2022. The accounts have Turkish display names that rarely match their @-handles.
All of this network's recent tweets are retweets, and all of these retweets were tweeted via Twitter for Android. (Some accounts have older tweets sent with other apps; as we'll see, these accounts were likely hijacked and the old tweets are probably from the original owners.)
The #metaverse isn't here yet, but the crypto spam accounts mentioning it in identical tweets sure are. #SundaySpam
cc: @ZellaQuixote
cc: @ZellaQuixote
The spammy #metaverse tweets are from a network consisting of (at least) 741 accounts with handles and display names consisting of lowercase letters and random numbers, created in batches from August to November 2021.
These accounts amplify a variety of large cryptocurrency/blockchain accounts via a combination of quote tweets, replies, and retweets. The quote tweets and replies are frequently duplicated verbatim by dozens of accounts in the network.
The repetitive biographies that frequently mention beavers may be silly, but the fact that you can pay to have thousands of these accounts retweet, reply to, or follow you is even sillier. #SundaySpam #BeaverAstroturf
cc: @ZellaQuixote
cc: @ZellaQuixote
These accounts are part of an astroturf network consisting of (at least) 11599 accounts created (mostly) in 2021. Each account has a two word biography composed of a capitalized adjective followed by a lowercase noun, drawn from a pool of 36 adjectives and 36 nouns.
The accounts in this network follow a variety of accounts, with cryptocurrency as a recurring theme. The account followed by the largest swath of the network is @PRm4u_official, the "official" account of prm4u(dot)com, a website selling SMM ("social media management") services.
If you woke up this morning hoping that somewhere in the world there was a Twitter botnet advertising multiplayer games by replying to tweets (many of them several years old) that have nothing to do with video games, this spam network's for you. #SundaySpam
cc: @ZellaQuixote
cc: @ZellaQuixote
This network consists of 45 accounts created between February and June 2020. Almost all of their content (23574 of 24125 tweets, 97.7%) is repetitive replies promoting video games, most of which link to gameexp(dot)com.
At least 23 (probably 25) of the accounts in this network use GAN-generated profile pics. (GAN = "generative adversarial network", the AI technique behind the fake faces produced by thispersondoesnotexist.com etc.) Many have had their colors edited, and 10 have been resized/cropped.
What's up with all these recently created accounts with identical biographies and a fondness for using UNNECESSARY CAPITAL LETTERS in their display names? #SundaySpam
cc: @ZellaQuixote
cc: @ZellaQuixote
Answer: they're part of a botnet, consisting of (at least) 568 accounts, all but three of which were created between October 2020 and April 2021. All have identical biographies and links to a telegram channel called "TRADING NATION" on their profiles.
All of this network's recent tweets were (allegedly) sent via the Twitter Web App. The three accounts that have older tweets have periods where they used IFTTT and Twitter Web Client (the old version of the Twitter website) as well.
It's a great day to look at an incredibly repetitive pornbot network that tags its tweets with random numbers. #SundaySpam
cc: @ZellaQuixote
cc: @ZellaQuixote
This botnet consists of 99 accounts created between 2010 and 2015 (mostly 2013). All have some variant of "p o r n" as their display name, and all were mostly dormant until mid-April 2021.
This pornbot network tweets prolifically via TweetDeck (223566 tweets from 99 accounts over the span of just two weeks). The majority of the accounts tweet round-the-clock, with some ceasing operation after a few hours or days of activity.
Meet @coshdisme10853 (and its thirty thousand automated siblings). Back in 2015 and 2016, this account was tweeting in Spanish, but it went to sleep for a few years and recently woke up and started retweeting English cryptocurrency tweets. #SundaySpam
cc: @ZellaQuixote
cc: @ZellaQuixote
The @coshdisme10853 account is part of a botnet consisting of 31014 accounts created back in May 2014. Accounts were created in batches and followed the big accounts they follow en masse. (Each bot follows 20-30 or so of the other bots in the network).
Who does this botnet follow? Primarily Spanish-language accounts (mostly Mexican public figures and brand accounts), with @Chertorivski, @MaruchanRamenMx and @MaruchanMx at the top of the list. (We believe that this is the first botnet we've found following a ramen company.)
It's either the second day of spring or fall (depending on where you are), so here's a look at a botnet following the official Twitter account of right wing think tank @Heritage Foundation. #SundaySpam
cc: @ZellaQuixote
cc: @ZellaQuixote
This botnet consists of 28971 accounts, created Nov 2013 - Jan 2014. All their tweets were sent via "Twitter Web Client", and none has tweeted since 2014. None has liked a tweet, and all have the same display name as @-name (including lack of space between first and last name).
Who does this botnet follow? The majority of the beneficiaries of its bogus follows are the official accounts of businesses (including some fairly large companies such as @Citibank and @WhiteCastle). The @Heritage Foundation (followed by 2845 of the bots) is a notable outlier.
Daylight savings time has begun (in the USA, at least), and what better way to mark the occasion than by looking at a quote tweet astroturf botnet? #SundaySpam
cc: @ZellaQuixote
cc: @ZellaQuixote
This network consists of 4399 accounts, created between January 23rd and January 25th 2021. The 4399 bots all follow the same 13 cryptocurrency/blockchain-themed accounts (or a subset thereof) and no other accounts.
The accounts in this network send all of their tweets via the Twitter Web App (allegedly). All of their content is either retweets or quote tweets - no original tweets or replies.
Trump is out of office and off of Twitter, but the MAGA follow trains continue to chug along. We took a look at #MAGA train activity subsequent to Twitter's January 8th 2021 QAnon crackdown. #SundaySpam
cc: @ZellaQuixote
cc: @ZellaQuixote
By starting with a few MAGA follow trains and recursively exploring the accounts that retweeted them in search of additional trains, we found 7523 trains posted between Jan 9 and Feb 20, 2021, listing 10310 accounts. 7757 are still online, mostly accounts created in 2020 or 2021.
A significant minority of these trains (1145 of 7523, 15.2%) contain the hashtag #BolsoTrump2021, often alongside images promoting both Trump and Brazilian President Jair Bolsonaro. 16 of 58 "conductors" (accounts that post trains) we looked at used the #BolsoTrump2021 hashtag.
Meet @TammyRu55487107, @AshleyG05060977, @MollyBa23420160, who (along with hundreds of their friends) all joined Twitter in late December 2020, and have all retweeted the same @sputnikvaccine tweet and nothing else. #SundaySpam
cc: @ZellaQuixote
cc: @ZellaQuixote
These three accounts are part of a group of 634 batch-created followers of @sputnikvaccine, all of which were made on December 21st or December 22nd, 2020, and all of which have default profile pics and follow no other accounts.
601 of these 634 accounts have tweeted, each of them exactly once. All of their tweets are retweets of the same @sputnikvaccine tweet, all (allegedly) posted via the Twitter Web App. 593 of them also liked the @sputnikvaccine tweet, and none has thus far liked another tweet.
It's a day that ends in "Y", and a posse of pornbots is prolifically posting tweets advertising a group of websites, with the novel twist that the websites are included in images rather than linked directly from their tweets. #SundaySpam
cc: @ZellaQuixote
cc: @ZellaQuixote
These bots were created in batches, and their image tweets contain hashtags and were (allegedly) sent via the Twitter Web App. We found 2147 batch-created accounts that fit this pattern, but how do we eliminate the ones without website names emblazoned on their image tweets?
Answer: we used OCR (optical character recognition), specifically the pytessaract library. It couldn't make much sense of the raw images, which use gray text on colored backgrounds, but tweaking the brightness/contrast on grayscale negatives resulted in machine-readable text.
What's with all these similarly-named accounts retweeting this @globaltimesnews tweet? #SundaySpam
cc: @ZellaQuixote
cc: @ZellaQuixote
Answer: a few recent @globaltimesnews tweets have been amplified by two distinct groups of bots. (It's possible that they are part of the same network, but we can't prove this, so we treated them as two separate botnets for the sake of this analysis.) #ATaleOfTwoBotnets
The smaller of the two botnets consists of 76 accounts created in October and November 2020, all (allegedly) tweeting via the Twitter Android App. In an apparent lapse of creativity on the part of the botnet operators, 36 of the accounts are named either "Barb" or "Barbara".
In an interesting coincidence, this tweet linking what appears to be an unauthorized livestream of a sporting event was retweeted by a bunch of similarly-named accounts created in May 2013. #SundaySpam
cc: @ZellaQuixote
cc: @ZellaQuixote
These accounts are part of a botnet promoting what we believe to be pirated livestreams of a variety of sporting events. (Among other things, many of the accounts have had tweets removed for copyright violations.
This botnet consists of two types of accounts: 206 accounts that link the pirated streams in their tweets, and 16 accounts that retweet them.
One of the accounts that this reply spam botnet we recently documented replied to (@oliverzok) began its Twitter life with an infusion of over 1000 batch-created bogus followers. We decided to explore the rest of the network. #SundaySpam
cc: @ZellaQuixote
cc: @ZellaQuixote
To find the rest of the network, we downloaded the followers of other accounts followed by the batch-created followers of @oliverzok, and repeated the process for the accounts they follow, and so on.
We found 1835 accounts that we believe to be part of this fake engagement network. All were created between January and March 2017, have been dormant since late 2017, and tweeted exclusively via the Twitter Android app back when they were active. All their tweets are retweets.
What's up with all these automated melodramatic news tweets mentioning "heatmaps" and linking to futuredanger(dot)com? #SundaySpam
cc: @ZellaQuixote
cc: @ZellaQuixote
We downloaded recent tweets linking to futuredanger(dot)com and found a network of 16 automated accounts dedicated to promoting the site. Each account tweets via its own custom app, accompanied by occasional organic tweets from @FutureDanger6.
The @FutureDanger6 account appears to be the hub of the network, and is mutual followers with the other 15 accounts (none of which follow any account other than @FutureDanger6).
It's a Sunday in July, and a Chinese-language porn/adult services botnet is apparently recruiting models and encouraging folks to visit pinkmote(dot)com, a rather NSFW website hosted in China. (As always, don't click the link.) #SundaySpam
cc: @ZellaQuixote
cc: @ZellaQuixote
We found a total of 166 accounts that we believe are part of this pornbot network. These accounts promote an NSFW website, pinkmote(dot)com. With the exception of the newest 12 accounts (made July 13/14 2020), these accounts do not appear to have been created in batches.
All of this network's 2020 content is in Chinese, promotes pinkmote(dot)com, and is allegedly sent via "Twitter Web Client", the old version of the Twitter website. Older tweets are in various languages and sent via various apps, suggesting the accounts were hacked/repurposed.
If you woke up this morning hoping that someone out there had created an #ArrestBillGates retweet bot, your dreams have come true in the form of @kuusevana. #SundaySpam
cc: @ZellaQuixote
cc: @ZellaQuixote
Almost all of @kuusevana's recent tweets (2970 of 2975, 99.8%) are retweets of #ArrestBillGates tweets. These retweets are sent via a custom app called "kickstarter_engagement_mku" and the bot retweets round-the-clock, provided that new #ArrestBillGates tweets are available.
What other hashtags occur alongside #ArrestBillGates in tweets retweeted by @kuusevana? #ExposeBillGates, #ArrestFauci, #Plandemic, #Obamagate, and #WWWG1WGA are the most popular, with various other QAnon and anti-Soros hashtags also turning up.
Oh look, more pornbots, tweeting in Korean this time. Despite the reassuring presence of four heart emoji in each tweet, we don't recommend clicking their obfuscated links. #SundaySpam
cc: @ZellaQuixote
cc: @ZellaQuixote
We found a total of 1342 accounts that appear to be part of this botnet. Most were created in April or May 2020, although a few are older. None have liked more than 2 tweets, and all theoretically tweet via the old version of the Twitter website ("Twitter Web Client.")
The links in these pornbots' tweets are redirected via the tinyurl(dot)com link shortening service, followed by several other redirectors before arriving at newkitchen(dot)co(dot)kr, a Korean website than unsurprisingly seems more focused on nudity than actual kitchens.
Oh look, more pornbots. In Japanese this time, even. #SundaySpam
(yes, this is the second pornbot thread we've posted today)
cc: @ZellaQuixote
(yes, this is the second pornbot thread we've posted today)
cc: @ZellaQuixote
We found a network of 257 Japanese-language pornbots, all created in 2020 and all automated via IFTTT. Additionally, all of the accounts have seven-character names consisting of random numbers and lowercase letters, and none have ever liked a tweet.
The accounts in this botnet were created in batches, and as batches have been added, the network's output has grown, presently ranging between 100 and 120 tweets per hour. The botnet is active 24/7.
We found what appears to be a network of 51 Arabic-language pornbots. All were created over the span of less than three hours on April 9th, 2020, and all tweet via IFTTT. Each bot pushes a specific website.
The websites linked by the pornbots appear to be blogspot blogs with random 5 character names. We decided to check them out via Tor (as always, DO NOT click links to dodgy sites without taking precautions to avoid tracking/malware.)
It's a great day to explore bots that attempt to game retweet-to-win contests! (and possibly ensnare them into retweeting portions of this thread. . .) #SundayShenanigans #SundaySpam
cc: @ZellaQuixote
cc: @ZellaQuixote
We began by downloading 24 hours' worth of retweets containing the word "win". Although most of the traffic is organic, there does appear to be quite the variety of automation apps in play.
We then downloaded recent tweets from each account that used an automation app to retweet a tweet containing "win", and kept accounts matching these criteria:
• at least 50% of tweets are automated
• at least 90% of automated retweets contain "win", "giveaway", or "contest"
• at least 50% of tweets are automated
• at least 90% of automated retweets contain "win", "giveaway", or "contest"
It's a Sunday, which is as good a time as any to see if RT editor-in-chief @M_Simonyan has any dormant botnets following her. (Survey says yes.) #SundaySpam
cc: @ZellaQuixote
cc: @ZellaQuixote
The streaks in this figure consist of accounts that were created in batches and followed @M_Simonyan in quick succession. They have other traits in common that we can use to filter out false positives:
• 0 likes
• 3 digit number of accounts followed
• Russian display names.
• 0 likes
• 3 digit number of accounts followed
• Russian display names.
We downloaded the batch-created accounts following @M_Simonyan and found two additional identifying characteristics:
• all tweets sent via "Twitter Web Client"
• duplicate tweets
After filtering out false positives, we were left with 2287 accounts. Is this the entire botnet?
• all tweets sent via "Twitter Web Client"
• duplicate tweets
After filtering out false positives, we were left with 2287 accounts. Is this the entire botnet?
If you're looking for #coronavirus profiteers that will also load up your account with useless followers, this is the botnet for you. #SundaySpam #coronagrift
cc: @ZellaQuixote
cc: @ZellaQuixote
This network consists of three mixed English/Japanese accounts (@MoreOker, @MoreThanBetter4, and @MostOkest) with various #Followback hashtags on their profiles. They tweet 24/7 via "Botbird Tweets", with (possibly) organic tweets via Twitter Web App thrown in.
The bulk of this network's tweets occurred during one of two spikes in activity. The first was a barrage of #followback tweets sent around the new year via Twitter Web App, and the second (late Feb-March) is round-the-clock automated tweets hawking face masks and hand sanitizer.
