Network "SIREN" consisting of 90 thousand Twitter bots that leads to adult sites with sexual tweets

Huge bot network exceeding 90,000 accounts guided by URL link to adult site "SIREN"Was found on Twitter. SIREN itself is an aggregate of bots aimed at revenue from induction links, but bot aggregation on SNS is also concerned about abuse against malware and phishing scams.

Inside the Massive SIREN Social Network Spam Botnet | ZeroFOX
https://www.zerofox.com/blog/inside-massive-siren-social-network-spam-botnet/

ZeroFOX, a security countermeasure company, has discovered an aggregate of huge bots "SIREN" formed on Twitter. The number of botnets that make up SIREN has reached 90,000 accounts, and he said that he had made tweets exceeding 8.5 million so far.

Take anti-spam measures In order to break through Twitter's eyes, SIREN's bot is an online dating site and pornographic site. To guide you to any adult site, use Google's URL shortening service "Google URL ShortenerIt is characterized by being used. In addition, it has been found that the URLs listed in SIREN related tweets have been clicked for more than 30 million times in total.


According to ZeroFOX, tweets of fake accounts by bots constituting SIREN are composed of "sexually explicit phrases (first phrase)", "exclamation point", "phrase (second phrase) to click URL", and "abbreviated URL" It is thought that it is all automatically generated.


There are 26 kinds of first phrases, and these characteristic phrases are all same, including how to use capital letters. A list of the first phrases is as follows, among them phrases such as "what vulgar, young man" and "Boys like you, my figure? (Like you, my favorite) It was a classic pattern.


Phrases such as "Push, do not be shy" (click shy) and "Let's have a chat" seem to be popular.


Looking at the phrase appearance frequency for one day, you can see that several patterns were murmured the same number of times.


In the case where the URL of Google's URL shortening service goo.gol is redirected, the request source is a Python library,CURLIf you are coming from an automated program such as Twitter and go back to Google, only when you decide that the user is human, that you were connected to the URL, the final destination. SIREN's accounts avoiding Twitter and Google anti-spam services while obfuscating the link destination by making full use of redirects, redirects to quickly add another link if some links are deleted ZeroFOX has made clear that it also had infrastructure.

Below is a graph showing the proportion of SIREN's default language for bot accounts. After English, you can see that the proportion of Russian is high. In addition, 12.5% ​​has a notation in which the Cyrillic letters used by Russian women are used as a user name, and if tweets of troubled English are also matched, ZeroFOX analyzes that there is an Eastern European organization behind SIREN.


ZeroFOX reported Twitter account information related to SIREN to Twitter, reported all abbreviated URLs related to the Google security team, Twitter frozen the corresponding bot account, and Google said that it added the longUrl domain to the blacklist .

SIREN 's aim was that there was no apparent fraud or activity as malware in the guidance to the adult site. However, ZeroFOX points out the possibility that the similar method of constructing a bot network with SNS and performing a malicious attack will be used in the future.