A massive botnet was tweeting you porn for months
Security researchers say the Siren botnet of almost 90,000 Twitter accounts was one of the largest spam campaigns on social media.
Security company ZeroFOX found almost 90,000 accounts in a porn spam bot network.
It was the social media equivalent of the Sirens who lured sailors to their doom in Greek mythology.
One after the other, accounts were popping up randomly on Twitter with posts like "Want vulgar, young man" and "Boys like you, my figure?" Every tweet had links to a seemingly innocent URL with a Google shortlink (starting with goo.gl), which would lead to a fake dating website, or a webcamming site or pornography.
This was the Siren spam botnet and it was almost 90,000 accounts strong.
Since February, security researchers at ZeroFOX had been tracking hundreds of thousands of bot accounts on Twitter, which were spamming the social network with links advertising adult content. They named the bot network after the Greek myth.
Every account featured a scantily clad woman as the avatar and descriptions and tweets that read like a bad Tinder profile. It'd be a combination of two phrases, an introduction like "I posted another naked photo" followed by a prompt like "go to the link." As with the Sirens of Greek lore, the botnet's call worked.
With 8.5 million tweets, the spam netted more than 30 million clicks, nearly four clicks per tweet, said Zack Allen, the threat operations manager at ZeroFOX, in an email.
Spam has been around since the dawn of the internet, but its spread to social media has been a recent development. Botnet attacks used to be confined to emails, with individual victims, but now it's a free-for-all on social media. With 2 billion people on Facebook, spammers are seeing social networks as the next target.
Unlike with emails, when spam gets posted on Facebook or Twitter, it's publicly available for everyone else to see, not just the recipient.
"I would say the pool is much easier in terms of accessing the feeds of other users," Allen said. "Spam has been getting sent to our spam folders in email for years; the social nets are still figuring out how to make a proverbial 'spam folder.'"
The Siren bots would work around anti-spam measures by disguising the URLs through some link laundering: First, the URL would get shortened through Twitter, giving the spammer a t.co link. That short link would then get redirected to a goo.gl URL and was able to bypass Twitter and Google's anti-spam detection.
Allen said ZeroFOX has tracked many types of social network-based attacks, but never anything as widespread or successful as Siren. The security company believes the attacks are coming from Eastern Europe, because a large chunk of the bots noted its default language as Russian on Twitter.
On July 10, ZeroFOX told Twitter about the massive botnet and the social network's security team removed all the spam accounts. Google's security team also blacklisted all the URLs that used its link shortener as a disguise.
Twitter didn't immediately respond to a request for comment.
These scams can cost victims thousands of dollars. In the last six months of 2014, the FBI noted that romance scams on social media cost more than $82 million for victims.
Intolerance on the Internet: Online abuse is as old as the internet and it's only getting worse. It exacts a very real toll.
It's Complicated: This is dating in the age of apps. Having fun yet? These stories get to the heart of the matter.