Why Twitter can't win its war on spam
Why invest in Twitter’s initial public offering when you could pick up a couple thousand new followers instead?
There’s an entire black market dedicated to selling dummy accounts at bargain bin prices. We know. We picked up 10,000 fake followers in May for a mere $10.
It’s a massive problem for the company, one that cheapens the dialogue and dampens the overall experience. (After all, there are few things more disappointing in the social media realm than being inundated with spam or discovering your new follower is just a bot with a cute avatar.)
In 2011, it was estimated that 3 percent of all Twitter accounts were spambots. The site's security team does its best to weed out bogus profiles, but their efforts seem reminiscent of the famous chocolate factory scene in I Love Lucy: For each one that’s deleted, another 10 (if not far more) crop up in its place. And the tactics are always changing. Just this week a new form of Twitter spam emerged in the form of keyword lists.
A new study by researchers from the University of California at Berkeley and the International Computer Science Institute gives us the most comprehensive look yet at the so-called Dark Web’s marketplace for fraudulent Twitter accounts. Commissioned by the company itself, the findings paint a dire picture of the uphill battle Twitter faces.
At the time the study commenced in 2009, Twitter was in the middle of a costly legal battle with a several prominent spam distributors. And although Twitter ultimately won a settlement earlier this year, the suit was more about sending a message than actually putting a permanent end to spam.
At the outset of their study, researchers noticed that spammers seemed to have no shortage of resources.
"[O]ne thing we noticed was the willingness of spammers to have thousands of their accounts suspended during the course of spamming," noted Chris Grier, one of the researchers. "The primary question that came out of that was how do spammers acquire so many accounts?"
The answer proved quite simple: advertisements.
As the Daily Dot found in its own independent investigations, there are various forums across the Web where enterprising spammers can find ready-made accounts. A simple search of "buy Twitter accounts" got the project going for the researchers. From there, they zeroed in on three sites: Black Hat World, Fiverr and Freelancer.
Through those sites, the developers gained entrance into "an underground market that connects Internet miscreants with parties selling a range of specialized products and services." Over the course of 10 months, the researchers did business with 27 merchants. They later calculated that these merchants were responsible for registering 10 to 20 percent of all accounts later flagged by Twitter as spam. Charging just pennies per account but selling thousands of profiles at once, the merchants generated between $127,000 and $459,000 collectively during the course of the study.
The sheer volume of the operation was astounding.
"A few of the merchants we bought accounts from represent the vast majority of the accounts we identified (as spam)," Grier said.
The problem with fraudulent-account detection at Twitter is that most accounts are only identified as spam once they are activated and started spamming. The network's security team is trained to identify and shut down accounts that start instantly blasting out messages or following thousands people.
Twitter's tools for stamping out "at-registration" abuse—identifying spam at the time of creation—are far less sophisticated. To weed out fraudulent accounts at entry level, Twitter would have to look for clusters of accounts being registered from the same IP addresses or ones originating from the same geographic area.
But as the researchers discovered, most of these merchants use a network of proxies spread out around the world. Accounts they purchased were registered in more than 160 countries. Most countries were responsible for less than one percent of the total accounts.
"For me (the most surprising thing) was the scope of the proxy networks that the merchants clearly have available to them for registering accounts from a diverse set of IP addresses," researcher Vern Paxson told the Daily Dot.
There are, of course, other ways to try and prevent fraud at registration, such as email confirmation and CAPTCHA, but according to the investigators, none of those methods have proven to be any sort of silver bullet for preventing fraud. Seventy-seven percent of the accounts purchased in the study were confirmed by email, thanks to widespread email account abuse on services like Hotmail and Yahoo.
CAPTCHA is trickier for automated programs to solve, but the researchers found that a median 7 percent of accounts challenged by these distorted word puzzles made it through anyway. Either they had human solvers, some sort of automated anti-CAPTCHA program, or they simply got lucky. When dealing with thousands of accounts, it's still worth the merchants' time to play the odds against CAPTCHA. They merely bump up the resale price.
Further complicating matters, Grier, Vern, and their colleagues say there is often a significant lag time between when an account is created and when it is sold and put into use. This allows the merchants to maintain a healthy stockpile—ready to fill orders on demand. It’s also creates a premium product, since an account is better able to avoid spam detection.
It's not clear just how much the average user's experience on Twitter is impacted by the presence of fraudulent accounts. In their report, however, the researchers note that the sale of these accountess is far from harmless.
"[A]ccount merchants are merely stepping stones for larger criminal enterprises, which in turn disseminate scams, phishing and malware through Twitter," the report reads.
The Daily Dot made efforts to reach out to several of the merchants listed in the report and others found independently advertising Twitter accounts for sale on various Web forums. None responded. As Paxson notes, it can be a difficult task to infiltrate the marketplace.
"The purchasing end requires being able to convincingly engage with the merchants, which takes a lot of time and energy," he said.
Merchants may also be wary because they were ultimately stung by the researchers' actions. Last spring, Twitter shut down 95 percent of the accounts created by the 27 merchants targeted in the study. It was a major disruption that rippled throughout the marketplace.
"All of the stock got suspended … not just mine .. it happened with all of the sellers … don't know what Twitter has done … " wrote one merchant unknowingly responding to the researchers' request for additional accounts after their disruption.
To test the effects of their shutdown, the researchers tried to order more accounts from 10 of the largest sellers with whom they had previously done business. Of 14,067 accounts purchased, 90 percent were suspended on arrival due to the previous intervention, indicating Twitter had majorly deleted their stockpiles. Merchants, like buyaccs.com were forced to put up a message simply saying, "Temporarily not selling Twitter.com accounts."
In their conclusion, the researchers recommended enhancing at-registration by enacting IP blacklisting and phone verification. It may not stop the problem, but the researchers say it will likely drive up the cost of creating new accounts and make it a less attractive business model.
There's no telling how long the company will be able to stay ahead of these peddlers of fake accounts.
But if this week’s targeted list scam is any indication, in its war on spam, Twitter is clearly losing.
Illustration by Jason Reed