Anatomy of the latest Twitter Spam campaign

Are you experiencing some odd Twitter traffic?

Random people re-tweeting and favouriting old tweets?

I’ve been looking at some of this traffic and have found some interesting analysis… and I think I know what’s going on.

 

It started with a really old tweet from my personal account getting a favourite, then I noticed it from my professional account and then on the Internet Security Secarma Twitter account. The time-frame for this starting was within the last seven days.

Example accounts doing the traffic:

@Karlenejtdj
@Kristinjbqu
@jenelleabai (Suspended)
@Aundreakegs
@Cassaundraaxgb
@Casieaytiq
@Ronaqojp
@Kacieoyye
@Toyafai

The comments each of these have posted include spurious sentences :

  •  I’d rather be driving a golf ball
  •  Twizzle met tizzle

… as well as proverbs and quotes :

  • no sooner may be the law created than its evasion is actually discovered. : italian proverb
  • What soberness conceals, drunkenness reveals. – German Proverb

If it looks like a bot and behaves like a bot …

… it probably is a bot  !

The thing that links each of them is that their account headers contain short URLs. So far, I’ve identified the following short URLs being used.

t.co/uZ4P9jvfoj
tinyurl.com/bub74wg
bit.ly/YP0QjO
tinyurl.com/cwqbdpo
tiny.cc/pprevw
bit.ly/172pIER
tinyurl.com/cd2c5nc

Upon initial inspection, these appear to link to genuine sites e.g. Youtube.com and Yahoo.com

However, the path that takes you there goes through a site common to every short URL:

Initial URL : t.co/uZ4P9jvfoj
HOP 1 : tinyurl.com/bpzfhj6
HOP 2 : bestgod.info?tjnuuwlrg/ftwmoivjlv
HOP 3 : youtube.com
HOP 4 : http://www.youtube.com/

Initial URL : tinyurl.com/bub74wg
HOP 1 : bestgod.info?xbtiwczd/slvsiwpm
HOP 2 : youtube.com
HOP 3 : http://www.youtube.com/
HOP 4 :

Initial URL : bit.ly/YP0QjO
HOP 1 : bestgod.info/?mzgbnszslmwk/hduou
HOP 2 : youtube.com
HOP 3 : http://www.youtube.com/
HOP 4 :

Initial URL : tinyurl.com/cwqbdpo
HOP 1 : bestgod.info?oomz/irvxtcmszr
HOP 2 : youtube.com
HOP 3 : http://www.youtube.com/
HOP 4 :

Initial URL : tiny.cc/pprevw
HOP 1 : bestgod.info?gsrwmwlvhgj/fhkv
HOP 2 : yahoo.com
HOP 3 : http://www.yahoo.com/
HOP 4 :

Initial URL : bit.ly/172pIER
HOP 1 : bestgod.info/?fkinr/zelslkkf
HOP 2 : youtube.com
HOP 3 : http://www.youtube.com/
HOP 4 :

Initial URL : tinyurl.com/cd2c5nc
HOP 1 : bestgod.info?pekkwuzupxxm/pwvzllvij
HOP 2 : yahoo.com
HOP 3 : http://www.yahoo.com/
HOP 4 :

Initial URL : tinyurl.com/cjjndfa
HOP 1 : bestgod.info?vouai/gjxshbcqprs
HOP 2 : youtube.com
HOP 3 : http://www.youtube.com/
HOP 4 :

Initial URL : tinyurl.com/c9t3v5m
HOP 1 : bestgod.info?zjetzyob/kwgtxussn
HOP 2 : youtube.com
HOP 3 : http://www.youtube.com/
HOP 4 :

More recently, some of these accounts are also posting short URLs alongside popular hashtags [NOTE: Is the bot searching tweets with specific text and/or hashtags to propagate? I suspect both, but I have not found a match yet to confirm this]:

I’m in love with 5 crazy guys in this thing called one direction.#Directioner#TeamFollowBack bit.ly/ZfFSdr

That short URL again takes us to:

Initial URL : bit.ly/ZfFSdr
HOP 1 : bestgod.info/?bwjpg/ikpmsge
HOP 2 : youtube.com
HOP 3 : http://www.youtube.com/
HOP 4 :

From a quick check, it looks like a genuine pass-through to YouTube which any unsuspecting fan would therefore click.

So now that we know BestGod.info is the intended destination site, let’s take a look at it:

A whois look-up on the domain shows:

Registrant Contact Information:
Name: Linda O’Donnell
Address 1: 2619 Burwell Heights Road
City: Spurger
State: Texas
Zip: 77660
Country: US
Phone: +1.4094297841
Email: feee21centerok@gmail.com
The registered date of the domain is 25th March 2013.

Bestgod.info forwards to URL Followersdelivery.com

The whois lookup here shows :

Gl, Michael michaelgl88@gmail.com
FOLLOWERS DELIVERY
P.P. 226, HR
Zagreb, – 10002
Croatia/Hrvatska
+385.016592020

So now we know some URLs and we know the names; next is the motive. What is BestGod?

The BestGod.info site is a sales site to obtain “Real” followers for social media accounts.

It is only a guess, but the links in the URL for BestGod carry two unique identifiers. These may be unique to the Twitter account the tweet is sent to, to verify that your account has clicked the link. This is a similar trick to that of email spammers who, once they know your account has clicked the link, will then send more spam to your account.
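The pivot on a shared redirector and the two-identifier observation can both be checked mechanically from recorded hop traces. The following is an added example, not code from the original post: it works offline on two of the traces listed earlier, and the function names are illustrative.

```python
from collections import Counter
from urllib.parse import urlsplit

# Two of the hop traces from the post, kept in the post's own layout.
TRACES = """\
Initial URL : t.co/uZ4P9jvfoj
HOP 1 : tinyurl.com/bpzfhj6
HOP 2 : bestgod.info?tjnuuwlrg/ftwmoivjlv
HOP 3 : youtube.com
HOP 4 : http://www.youtube.com/

Initial URL : bit.ly/YP0QjO
HOP 1 : bestgod.info/?mzgbnszslmwk/hduou
HOP 2 : youtube.com
HOP 3 : http://www.youtube.com/
HOP 4 :
"""

def split_hop(url):
    """Parse a scheme-less hop such as 'bestgod.info?a/b' as a network location."""
    return urlsplit(url if "//" in url else "//" + url)

def host_of(url):
    host = (split_hop(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def parse_traces(text):
    """One list of non-empty hops per blank-line-separated trace."""
    chains = []
    for block in text.strip().split("\n\n"):
        hops = [ln.split(" : ", 1)[1].strip() for ln in block.splitlines() if " : " in ln]
        chains.append([h for h in hops if h])
    return chains

def common_intermediaries(chains):
    """Hosts that every chain passes through between entry URL and landing site."""
    seen = Counter()
    for chain in chains:
        seen.update({host_of(h) for h in chain[1:]} - {host_of(chain[-1])})
    return sorted(h for h, n in seen.items() if n == len(chains))

def tracking_tokens(chains, pivot):
    """Entry URL -> the two '/'-separated query tokens on the pivot hop."""
    return {c[0]: tuple(split_hop(h).query.split("/"))
            for c in chains for h in c if host_of(h) == pivot}

if __name__ == "__main__":
    chains = parse_traces(TRACES)
    print({p: tracking_tokens(chains, p) for p in common_intermediaries(chains)})
```

The extra tinyurl.com hop in the first trace is dropped because it does not appear in every chain, which leaves only the shared redirector as the pivot.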

Some more bot identifiers: when you look at the herd accounts, you will notice that, to keep the bot under control, all the ‘following’ accounts are bots too, as are some of the ‘follower’ accounts.

Fix :

  • @Security @Twitter needs to have a look into this.
  • Before clicking on unknown short URLs, check the path they go through using tools such as longurl.org, and always check the intermediary path.
  • The initial short URL may pass you on to a malicious site, with the final route displaying a legitimate site which you will not be able to go to.
  • If you do identify a user with this kind of traffic, please also Report them to your social media site so they can take action to block these accounts.

If you want to know more about where I work and what I do – take a look here : Secarma
