It should be no surprise that spam Twitter accounts can be bought to boost follow counts--or more maliciously, to phish unsuspecting users. A team of researchers spent more than $5,000 buying fake accounts to learn more about this underground market, presenting their findings Wednesday at the USENIX security conference in Washington, D.C.
Because Twitter abuse is reported after the damage has been done, the researchers from the International Computer Science Institute, George Mason University and UC Berkeley were looking for ways to detect automatically created accounts before they're used for fraudulent purposes. Working in collaboration with Twitter, they spent 10 months buying 121,000 spam accounts from 27 underground sellers. The cost per 1,000 accounts ranged from $10 to $200, reports Brian Krebs, a former Washington Post reporter who writes the Krebs on Security blog.
"I think the most surprising part is the scale that several of the largest merchants operate at," Chris Grier, researcher at ICSI and UC Berkeley, told Fast Company. "The top few merchants make up the majority of the millions of accounts that we identified."
To bypass the CAPTCHA security protocol in place, merchants can pay third-party services that employ people in China, India, and Eastern Europe "who earn pennies per hour deciphering the puzzles," Krebs reported. Because Twitter accounts require unique email addresses, the sellers turned to email services, such as Yahoo and Hotmail, the latter of which was used to create 60% of the spam accounts, according to the researchers. The going rate for bulk email addresses was $10 per 1,000 Yahoo accounts and $12 for 1,000 Hotmail accounts. Meanwhile, Gmail addresses, which have account verification mechanisms in place, cost $200 for the same quantity.
In order to distribute account registrations across thousands of IP addresses, merchants also used botnets of hacked PCs, which can be rented, as proxies. Most of these services were paid for using PayPal. Of the 121,000 fake accounts purchased by the researchers, 95% have since been disabled by Twitter. "We are now working with Twitter to integrate our findings and existing classifier into their abuse detection infrastructure," the researchers concluded in their paper.
[Image: Flickr user Anosmia]