Elon Musk was right. Twitter is loaded with junk accounts.
When the mercurial billionaire tried to wiggle out of purchasing the social network last summer, he said that Twitter was loaded with spam and bots. Some data indicated that he might have been correct about Twitter’s spam problem. In recent research cited by the AP, 9-15% of Twitter accounts were inauthentic.
Now, new data acquired by Cybersixgill appears to confirm that a significant portion of inauthentic Twitter accounts may have been built with tools and services found on the deep and dark web. And the problem is getting worse.
More followers and activity on any social media platform lead to more engagement. On the underground, Twitter users can purchase bots to inflate their followers and activity, such as likes and replies. This can enable them to churn out spam or to simulate a community. Alternatively, they can simply purchase pre-made accounts that already have followings.
Twitter bots interact with the platform to perform automated actions at scale. For example, one bot sold on underground forums (figure 1) advertises mass subscriptions, likes, retweets, comments, and tweets, as well as the ability to change the profile’s username, name, and description. In essence, this allows the bot’s user to operate a firehose of activity, spamming however they desire.
Figure 1: A Twitter bot for sale. It enables an account to perform mass subscriptions, likes, tweets, retweets, and comments, as well as to change profile info.
Another bot (figure 2), sold for $100, claims to automatically perform follows, likes, and retweets on a user or a tweet. The buyer of the bot receives the source code, allowing them to tinker with it as they need.
Figure 2: A Twitter bot sold for $100. The buyer receives the source code.
Twitter accounts with significant followings are more respected, and their posts have higher rates of engagement. Offering a shortcut to these ends, many services on the underground promise to grow an account’s following.
One tool, for example (figure 3), enables users to add 1,500 followers a day on Twitter (as well as YouTube and Instagram).
Figure 3: A tool enabling users to gain 1,500 followers per day.
Another follower inflation service (figure 4) hosted a giveaway in which the winners would receive 1,000 followers.
Figure 4: A Twitter follower inflation service.
However, thousands of followers are not enough for some users. For example, one user (figure 5) wanted to purchase “1 million high-quality twitter followers” and received several responses to this solicitation.
Figure 5: A user seeks “1 million high-quality twitter followers.”
Instead of growing a large account via purchasing bots and followers, many may buy accounts that have already been cultivated. Buyers of these accounts receive their usernames, passwords, and complete control. (Some actors that participated in a popular forum for selling accounts took a central role in the hack of celebrity Twitter accounts in July 2020.)
One actor (figure 6) posted a handful of accounts for sale at prices ranging from tens to hundreds of dollars. These accounts were largely crypto/NFT-themed, each with thousands to tens of thousands of followers.
Figure 6: An actor sells several crypto/NFT-themed Twitter accounts with thousands of followers. Prices range from tens to hundreds of dollars.
In another example (figure 7), an actor sought to sell an account with 45,000 followers for $450.
Figure 7: An actor selling an NFT/crypto-themed Twitter account for $450.
Even more maliciously, the deep and dark web provides an environment where actors can traffic compromised Twitter accounts and the tools and services necessary to perform account takeovers.
Those with a DIY approach to hacking can find many combolists: databases of known username-password combinations. Many combolists claim to include hundreds of thousands or even millions (figures 8-10) of Twitter credentials, though these are presumably old or unvalidated.
Figure 8: A combolist of 14 million Twitter email addresses and passwords. These are presumably old or unvalidated.
Figure 9: A combolist of 200,000 Twitter and Tumblr email addresses and passwords.
Figure 10: A combolist of 500 social media email addresses and passwords.
To validate credentials from a combolist, actors use a credential stuffing tool, known as a checker. Many Twitter checkers are shared on underground forums (figures 11-13).
Figure 11: A Twitter checker available on the underground.
Figure 12: A Twitter checker that claims to bypass 2FA.
Figure 13: An actor offers $5,000 for a bespoke Twitter checker.
Alternatively, those who want to purchase already compromised accounts can buy logs, that is, validated credentials for Twitter. For example, one actor sells Twitter logs (figure 14) alongside those of popular social media and payment platforms.
Figure 14: Logs of popular social media and payment platform accounts for sale on Telegram.
Many actors seek to buy logs, whose value is connected to the account’s number of followers (figures 15-16).
Figure 15: An actor seeks to buy Twitter logs. They offer at least $0.50 for accounts with a minimum of 200 followers. They specify that they want “real accounts with valid cookies and IP location,” which can help them bypass 2FA.
Figure 16: An actor seeking to buy Twitter logs. Prices range from $0.30 for accounts with up to 200 followers to $1 for accounts with 5,000+.
These accounts could have been compromised in several ways. One is credential stuffing. Another is that they belonged to compromised endpoints sold on access markets, which sell access to, or data stolen from, infected machines. Logs harvested through access markets can also include cookies, system information, and IP information, allowing actors to evade MFA and other compromise detection mechanisms.
A massive number of Twitter accounts could have been compromised this way: of the more than 2,146,000 compromised machines sold on access markets over the last year, a whopping 435,000 (20.3%) included access to a Twitter account.
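The two compromise paths just described leave distinct traces in a platform's own authentication logs, and that is where a defender can look for them. The following is an added example, not Cybersixgill's or Twitter's code: it runs two detectors over a handful of constructed log lines (the log format, field names, IPs, usernames and thresholds are all invented for the example). The first flags a single source IP cycling through many distinct usernames with mostly failed logins in a short window, the signature of a checker working a combolist. The second flags a session cookie that was issued to one IP and user agent and is later presented from another, which is what a stolen log with "valid cookies" looks like from the server side.

```python
"""Defender-side detection over constructed web-authentication log lines.

Added example: the log format ("<iso-time> <event> ip=... user=... sid=... ua=..."),
the sample events and the thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.9 behaves like a checker; heidi's session
# cookie is later replayed from a different IP and client.
SAMPLE_LOG = """\
2023-01-10T12:00:01 login_fail ip=203.0.113.9 user=alice sid=- ua=checker/1.0
2023-01-10T12:00:02 login_fail ip=203.0.113.9 user=bob sid=- ua=checker/1.0
2023-01-10T12:00:02 login_fail ip=203.0.113.9 user=carol sid=- ua=checker/1.0
2023-01-10T12:00:03 login_ok ip=203.0.113.9 user=dave sid=- ua=checker/1.0
2023-01-10T12:00:04 login_fail ip=203.0.113.9 user=erin sid=- ua=checker/1.0
2023-01-10T12:00:05 login_fail ip=203.0.113.9 user=frank sid=- ua=checker/1.0
2023-01-10T12:00:07 login_fail ip=198.51.100.4 user=grace sid=- ua=Mozilla/5.0
2023-01-10T12:00:09 login_ok ip=198.51.100.4 user=grace sid=s-grace-1 ua=Mozilla/5.0
2023-01-10T12:05:00 session_use ip=198.51.100.4 user=grace sid=s-grace-1 ua=Mozilla/5.0
2023-01-10T12:00:00 login_ok ip=192.0.2.77 user=heidi sid=s-heidi-1 ua=Mozilla/5.0
2023-01-10T12:30:00 session_use ip=192.0.2.77 user=heidi sid=s-heidi-1 ua=Mozilla/5.0
2023-01-10T13:45:00 session_use ip=203.0.113.200 user=heidi sid=s-heidi-1 ua=python-requests/2.28
"""


def parse_log(text):
    """Turn each log line into a dict with a datetime 'ts', the 'event' and key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts), "event": event}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag IPs that try many distinct usernames, mostly unsuccessfully, inside one time window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] in ("login_ok", "login_fail"):
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):
            j = i
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            span = evs[i:j]  # all login attempts from this IP within `window` of attempt i
            users = {e["user"] for e in span}
            fails = sum(e["event"] == "login_fail" for e in span)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(span), "failures": fails}
                break
    return flagged


def detect_cookie_replay(events):
    """Flag session ids used from an IP or user agent other than the one they were issued to."""
    issued = {}  # sid -> (ip, ua) recorded at successful login
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        sid = e.get("sid", "-")
        if sid == "-":
            continue
        if e["event"] == "login_ok":
            issued[sid] = (e["ip"], e["ua"])
        elif e["event"] == "session_use" and sid in issued:
            ip0, ua0 = issued[sid]
            if (e["ip"], e["ua"]) != (ip0, ua0):
                alerts.append({"sid": sid, "user": e["user"], "issued_ip": ip0,
                               "used_ip": e["ip"], "used_ua": e["ua"]})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing:", detect_credential_stuffing(evs))
    print("cookie replay:", detect_cookie_replay(evs))
```

Binding a session to the IP and client it was issued to is a coarse control (mobile users change IPs), so in practice the replay check feeds a step-up prompt or a risk score rather than a hard block; the stuffing check is the one that usually justifies blocking the source outright.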
If an actor wishes to target a specific Twitter account, they can find hacking services on the underground. One actor, for example (figure 17), promises to hack any social media account within 24 hours, with pricing set depending on the account type and the number of followers.
Figure 17: An actor offers to hack any Twitter account within 24 hours. Pricing depends on the account and number of followers.
Other actors (figure 18) offer services to get any profile banned.
Figure 18: A service offering to ban a targeted Twitter or Instagram user.
Scraping is a popular method of automated data extraction and collection in which a threat actor captures and aggregates publicly available data and dumps it into a large, structured, and usable database. It is relatively simple to execute: instead of breaking into a server or database, the threat actor exploits platform vulnerabilities to gather publicly available data.
Scraping is a prevalent threat to social media accounts. For example, in June 2021, an actor posted a database of 10 million LinkedIn accounts on an underground forum. Threat actors can use scraped data for spam, phishing, social engineering, and identity theft.
It is possible to find scraped data of millions of Twitter accounts shared on the underground (figures 19-20).
Figure 19: A scraped database of over 53 million Twitter users from 60+ countries.
Figure 20: A scraped database of 5 million Twitter users.
Furthermore, there are scraping tools available for purchase (figure 21).
Figure 21: A Twitter scraping tool sold for $40.
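Because scraping touches only public profile data, the usual server-side control is not an access check but a per-client rate limit combined with a count of how many distinct profiles one client has pulled. The following is an added example, not code from Cybersixgill or Twitter: a token-bucket limiter in front of a hypothetical profile-lookup endpoint, run over a constructed request stream in which one client fetches 40 distinct profiles in 40 seconds and a second client browses five profiles at a human pace. All names, limits and timings are invented for the example.

```python
"""Rate limiting and distinct-profile counting as a scraping control.

Added example with a hypothetical profile-lookup endpoint; the limits and the
request streams below are constructed for illustration.
"""
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `capacity` tokens, refilled at `refill_per_sec`, one token per request."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.tokens = float(capacity)
        self.last = None  # timestamp of the previous request, None before the first

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ProfileLookupGuard:
    """Per-client bucket plus a running set of distinct profiles each client has fetched."""

    def __init__(self, capacity=10, refill_per_sec=0.5, distinct_limit=25):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.distinct_limit = distinct_limit
        self.buckets = {}
        self.seen = defaultdict(set)

    def request(self, client, profile, now):
        """Return 'throttled', 'review' (served but flagged as bulk collection) or 'ok'."""
        bucket = self.buckets.setdefault(client, TokenBucket(self.capacity, self.refill))
        self.seen[client].add(profile)
        if not bucket.allow(now):
            return "throttled"
        if len(self.seen[client]) > self.distinct_limit:
            return "review"
        return "ok"


def run_constructed_traffic():
    """Replay two constructed clients and return their per-request decisions."""
    guard = ProfileLookupGuard()
    # Constructed scraper: 40 distinct profiles, one request per second.
    scraper = [guard.request("client-scraper", f"profile{k}", now=float(k)) for k in range(40)]
    # Constructed browser: 5 profiles, one every 12 seconds.
    browser = [guard.request("client-browser", f"profile{k}", now=12.0 * k) for k in range(5)]
    return scraper, browser


if __name__ == "__main__":
    scraper, browser = run_constructed_traffic()
    print("scraper:", {d: scraper.count(d) for d in ("ok", "review", "throttled")})
    print("browser:", {d: browser.count(d) for d in ("ok", "review", "throttled")})
```

With a 10-token bucket refilling at half a token per second, the one-request-per-second client drains the bucket after 19 requests and is then served only every other second; once it has pulled more than 25 distinct profiles, the requests that are still served come back marked for review. The browsing client never touches either limit.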
Twitter is more than just a platform; it’s an ecosystem. It hosts users who want to share opinions or influence others, and users who seek learning, information, and entertainment.
However, it also hosts many bottom-feeders: grifters, spammers, and those spreading misinformation and hate. The impact of their activities ranges from hurting the user experience to violating Twitter’s terms of service to outright illegal.
These threat actors will watch every change that Musk and his team introduce to the platform and seek new, creative ways to exploit it. Indeed, the launch of Twitter Blue's $8 verification service immediately led to a fiasco of fake verified accounts that impersonated public figures and even Twitter itself. However, while that attack exploited a new feature, in our understanding its technique for building large accounts quickly relied heavily on existing toolboxes of account amplification and takeover. Many of these attackers, in fact, could have used tools and services found on the underground.
Twitter’s new management must recognize that many of the threats observed on the surface, and others of which they might have been unaware, have bubbled up from the deep and dark web. Only by taking a proactive approach to monitoring this realm can they restore Twitter to the digital town square it strives to be.