In recent years, malicious actors have exploited social media’s ease of use, scalability, automation and ability to reach a massive, global target audience. In particular, spammers on social media create botnets, which are collections of accounts controlled by a central command. A bot is any account that is controlled not by an organic user but by some form of automation. Although the vast majority of individual bots are benign, they can be coordinated as botnets and weaponized to distribute nefarious links such as phishing campaigns, malware, ransomware, fraudulent surveys, spam runs, malicious apps that hijack control of the victim’s accounts, and spam websites that pay for clicks.
Since February of this year, ZeroFox Threat Research has been investigating a large-scale, spam pornography botnet on Twitter dubbed SIREN. The botnet is named for the mythical Greek Sirens, who seduced wayward sailors with their singing and lured them to their doom. Initially, hundreds of bots were detected by the ZeroFox Platform’s deep convolutional neural networks that classify incoming sexually explicit images and text content. Since then, ZeroFox’s computer vision and natural language processing algorithms have identified over 8,500,000 tweets from close to 90,000 accounts related to the SIREN campaign.
This post ties together the SIREN botnet discovered by ZeroFox Threat Research with a large email spam botnet recently disclosed by Brian Krebs in KrebsOnSecurity. Both the social spam botnet and the email spam botnet leverage similar tactics and drive victims to the same network of pornographic websites.
To our knowledge, the botnet is one of the largest malicious campaigns ever recorded on a social network. Previously discovered botnets of this magnitude displayed benign end goals such as generating Star Wars quotes en masse; SIREN, however, is in clear violation of Twitter’s Terms of Service.
- SIREN is a prime example of a massive Twitter botnet, and is more malicious than other large botnets known on social media; nearly 90,000 unique accounts have generated over 8,500,000 posts.
- SIREN has been incredibly successful, netting over 30,000,000 clicks from its victims. This data can be gleaned because the botnet uses trackable, Google shortened URLs.
- The TTPs of SIREN clearly demonstrate how social media has become a lucrative medium for spammers.
- SIREN demonstrates the usefulness of programmatic access to a social network at scale.
- The actors running SIREN appear to be from Eastern Europe.
- Marketing affiliate programs for fake dating and romance scam websites continue to offer attractive opportunities for spammers like SIREN. ZeroFox collaborated with KrebsOnSecurity on their investigation into the source of the pornography spam websites and the affiliate marketing network. Both the email botnet discussed by Krebs and the Twitter botnet discovered by ZeroFox have the same end goal and have links to the same network of spam pornography websites.
- ZeroFox reported the full findings to both the Twitter and Google security teams, who promptly removed the offending accounts and links, comprehensively remediating the SIREN botnet.
About the Botnet
The SIREN botnet leverages a vast network of algorithmically generated Twitter accounts to distribute a payload URL that redirects to a variety of spam pornography websites. All of the nearly 90,000 accounts have a suggestive photo of a woman as a profile picture and a female name as the display name (Figure 1). The accounts either engage directly with a target by quoting one of their tweets or attract targets to the payload visible in their profile bio or pinned tweet.
Figure 1: An example SIREN bot account, in which profile bios are used for payload distribution.
The tweets themselves generally contained canned, sexually-explicit text, often in broken English, compelling the target to click, such as “you want to meet with me?” or “Push,don’t be shy” [sic]. 98.2% of bot tweets adhered to a predictable text pattern (Figure 2), consisting of:
- A sexually explicit phrase (“First Phrase”)
- An exclamation point
- A phrase designed to socially engineer the user into clicking the URL (“Second Phrase”)
- The shortened goo.gl URL
There were 26 options for the First Phrase but only 8 for the Second Phrase, and all phrases were identical down to the level of individual capital letters. Specific phrases also exhibited clustered temporal distribution patterns, in which different tiers of phrases were created at similar relative frequencies over short time periods.
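The four-part template above is simple enough to match mechanically, but the shape alone is a weak signal: an organic tweet can also end in an exclamation point and a goo.gl link. What separated SIREN tweets was verbatim reuse of the same phrases, identical down to capitalization, across thousands of accounts. The following detection sketch is an added example, not ZeroFox’s classifier; the 26 and 8 real phrases are not published, so it matches the template’s shape and then flags only phrase pairs that recur exactly across the corpus. The sample tweets are constructed, modelled on the two phrases quoted in the post.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Shape of 98.2% of SIREN tweets as described in the post:
#   <First Phrase> ! <Second Phrase> <goo.gl URL>
# The real phrase lists are not published, so only the shape is matched here.
TWEET_SHAPE = re.compile(
    r"^(?P<first>[^!]+?)\s*!\s*"                    # First Phrase, ended by the exclamation point
    r"(?P<second>.+?)\s+"                           # Second Phrase, the lure to click
    r"(?P<url>https?://goo\.gl/[A-Za-z0-9]+)\s*$"   # trailing goo.gl shortlink
)


def parse_tweet(text: str) -> Optional[Dict[str, str]]:
    """Split a tweet into first/second/url if it has the SIREN shape, else None."""
    m = TWEET_SHAPE.match(text.strip())
    if not m:
        return None
    return {
        "first": m.group("first").strip(),
        "second": m.group("second").strip(),
        "url": m.group("url"),
    }


def phrase_reuse(tweets: List[str]) -> Dict[Tuple[str, str], int]:
    """Count how many tweets share each exact (case-sensitive) phrase pair."""
    pairs: Counter = Counter()
    for text in tweets:
        p = parse_tweet(text)
        if p:
            pairs[(p["first"], p["second"])] += 1
    return dict(pairs)


def flag_template_spam(tweets: List[str], min_repeats: int = 3) -> List[str]:
    """Return tweets whose exact phrase pair recurs at least min_repeats times.

    Shape alone is not enough: an organic tweet can end in '!' plus a goo.gl link.
    Verbatim reuse of the same pair across the corpus is the bot signal.
    """
    pairs = phrase_reuse(tweets)
    flagged = []
    for text in tweets:
        p = parse_tweet(text)
        if p and pairs[(p["first"], p["second"])] >= min_repeats:
            flagged.append(text)
    return flagged


# Constructed sample corpus (not real SIREN data); shortlink paths are made up.
SAMPLE_TWEETS = [
    "Push,don't be shy! you want to meet with me? https://goo.gl/AbCd12",
    "Push,don't be shy! you want to meet with me? https://goo.gl/EfGh34",
    "Push,don't be shy! you want to meet with me? https://goo.gl/IjKl56",
    "Push,don't be shy! You want to meet with me? https://goo.gl/MnOp78",  # capital Y: a different pair
    "Great talk today! slides are here https://goo.gl/Qr9sT0",            # organic tweet with the same shape
    "New blog post on Twitter botnets https://example.com/siren",         # organic, no shape match
]

if __name__ == "__main__":
    for t in flag_template_spam(SAMPLE_TWEETS):
        print("template spam:", t)
```

Running this flags only the three tweets that share the pair exactly; the fourth differs by one capital letter and the organic "Great talk today!" tweet matches the shape but recurs once, so neither is flagged. In practice the phrase counter would run over a whole day's collection, which is also where the clustered temporal distribution noted above becomes visible.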
Figure 2: The First and Second phrases exhibited high repetition. Red boxes delineate the 4 components of repeated tweet patterns. The pattern of Top 10 Terms recorded over a single day demonstrates that individual phrases were distributed at similar volumes with respect to each other in time.
Disguising the Destination URL
Once a link is clicked, the user is issued a series of redirects:
- User clicks on a link displayed in a tweet
- These links get shimmed into Twitter’s t.co service
- t.co redirects to goo.gl, Google’s URL shortening service (Figure 3)
- goo.gl redirects to a ‘rotator’ website. This rotator ingests a connection from the goo.gl redirect and redirects the user again based on a simple user-agent check. If the request comes from an automated program like Python’s requests library or cURL, it redirects the connection back to Twitter or Google
- Once the rotator deems the client as ‘legitimate’, it then sends the connection via another redirect to the final URL destination
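Because the rotator keys its decision on the User-Agent header, a chain traced from a script ends at Twitter or Google while the same link in a browser ends at the spam site. A defender resolving such links therefore needs to follow the chain hop by hop with a browser-like User-Agent, and can detect cloaking by comparing the endpoint reached under a browser User-Agent with the one reached under a scripted one. The code below is an added example, not ZeroFox tooling. It uses only the standard library; `http_fetch` issues one HEAD request per hop without auto-following redirects, while `simulated_fetch` is a constructed offline model of the chain above (the rotator and landing hostnames are placeholders, not real SIREN infrastructure).

```python
import http.client
from typing import Callable, List, Optional
from urllib.parse import urljoin, urlparse

# A fetcher takes (url, user_agent) and returns the Location header of the
# response, or None when the response is a final page with no redirect.
Fetcher = Callable[[str, str], Optional[str]]

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/54.0"
SCRIPT_UA = "python-requests/2.18.1"


def follow_chain(start: str, fetch: Fetcher, user_agent: str, max_hops: int = 10) -> List[str]:
    """Return every URL visited, starting with `start`, until no redirect is issued.

    Stops on a loop and after max_hops so a misbehaving rotator cannot hang the tracer.
    """
    chain = [start]
    url = start
    for _ in range(max_hops):
        nxt = fetch(url, user_agent)
        if nxt is None:
            break
        nxt = urljoin(url, nxt)      # resolve relative Location headers
        chain.append(nxt)
        if nxt in chain[:-1]:        # loop detected
            break
        url = nxt
    return chain


def cloaks_by_user_agent(start: str, fetch: Fetcher) -> bool:
    """True when a browser and a scripted client land on different final hosts."""
    browser_end = follow_chain(start, fetch, BROWSER_UA)[-1]
    script_end = follow_chain(start, fetch, SCRIPT_UA)[-1]
    return urlparse(browser_end).netloc != urlparse(script_end).netloc


def http_fetch(url: str, user_agent: str, timeout: float = 10.0) -> Optional[str]:
    """Live fetcher: one HEAD request, redirects not followed (stdlib only)."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=timeout)
    path = (u.path or "/") + (f"?{u.query}" if u.query else "")
    try:
        conn.request("HEAD", path, headers={"User-Agent": user_agent})
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()


def simulated_fetch(url: str, user_agent: str) -> Optional[str]:
    """Constructed offline model of the t.co -> goo.gl -> rotator -> landing chain."""
    automated = any(tag in user_agent.lower() for tag in ("python-requests", "curl"))
    table = {
        "https://t.co/constructed1": "https://goo.gl/constructed1",
        "https://goo.gl/constructed1": "http://rotator.example/go?id=1",
        # The rotator bounces automated clients back to Twitter; browsers go on to the landing page.
        "http://rotator.example/go?id=1": (
            "https://twitter.com/" if automated else "http://landing.example/signup"
        ),
    }
    return table.get(url)


if __name__ == "__main__":
    start = "https://t.co/constructed1"
    print("browser:", " -> ".join(follow_chain(start, simulated_fetch, BROWSER_UA)))
    print("script: ", " -> ".join(follow_chain(start, simulated_fetch, SCRIPT_UA)))
    print("cloaked:", cloaks_by_user_agent(start, simulated_fetch))
```

To trace a real link, pass `http_fetch` instead of `simulated_fetch`. Some hosts answer HEAD differently from GET, so a tracer used in production should fall back to GET when HEAD returns no Location; the offline model is enough to show the logic and the divergence between the two User-Agents.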
These redirects serve multiple purposes:
- Obfuscate the destination of these links to avoid anti-spam services, such as Twitter’s link shim and Google’s URL shortener.
- Mask the destination link and leverage the user’s trust in Google and Twitter domains, so they’re more likely to click on the link.
- Create an infrastructure of redirects such that if one link in the chain gets removed, another one can quickly be added to continue operations.
Figure 3: Statistics associated with a single goo.gl shortlink and pie chart of Referrers from all 374,208 goo.gl shortlinks, the large majority of which are t.co.
SIREN End Goal & Relationship to Email Spam Botnet
The final redirect websites encourage the user to sign up for subscription pornography, webcam or fake dating websites. These types of websites, although legal, are known to be scams. Many of the websites’ policies claim that the site owners operate most of the profiles. They also have overbearing policies that allow customers’ personally identifiable information to be passed on to other affiliate programs, which yields more spam for the victim.
In June 2017, Brian Krebs uncovered a large email spam campaign that was promoting a network of pornography and dating websites linked to Deniro Marketing. This spam campaign had a series of botnet panels and operated primarily via e-mail. Deniro Marketing was part of a class action lawsuit in 2010 but still seems to host websites on their Autonomous System Number (ASN) and run affiliate marketing programs. The SIREN botnet likewise drives some of its traffic to the same network of websites linked to Deniro Marketing. Krebs published his initial findings on KrebsOnSecurity.com and requested other research on the email botnet or Deniro Marketing.
Two of the five final domains associated with SIREN are hosted on the Deniro Marketing ASN: Cheatingcougars.com (https://whois.domaintools.com/cheatingcougars.com) and milfshookup.com (https://whois.domaintools.com/milfshookup.com). Bgpview.io shows that the ASN was registered in 2010 (https://bgpview.io/asn/19884) and that the contacts belong to the website datinggold.com. Dating Gold seems to be an affiliate website for advertisers and offers a series of partnerships for payouts.
A large percentage of the bots had female names with nude or semi-nude pictures. This type of targeting from SIREN helps maximize “male sign-ups” in the Single-Opt program from Dating Gold, which nets the affiliate marketer a higher payout. Many of these websites also required an e-mail address and a phone number to access the member portal. This additional information is rewarded by the Double-Opt program, too. The physical address listed on datinggold.com matches Deniro Marketing’s address listing on BGPview, as well as the two payment processing spam affiliate websites, mntbill.com and ctpymnt.com (Figure 4).
Figure 4: CTpymt and MntBill payment processors have the same address as Deniro Marketing.
In terms of the SIREN actors themselves, a large chunk of the Twitter accounts’ self-declared user languages were Russian (Figure 5). This observation was notable given that 12.5% of bot display names contained letters from the Cyrillic alphabet corresponding to common female Russian names. The poor English, the Cyrillic text and the sheer magnitude of the infrastructure indicate that SIREN is a group or actor that is technically proficient and probably located in the Eastern Bloc of Europe. Actor groups from this area of Europe have been known to run spam infrastructures similar to this campaign.
Figure 5: Pie chart depicting the distribution of bot default languages. en=English (default), ru=Russian, es=Spanish, en-gb=English UK, tr=Turkish, fr=French, de=German.
Dismantling the Botnet
As of 10 July, ZeroFox disclosed all of the Twitter profiles and posts to the Twitter security team, who subsequently removed them. Twitter was prompt and efficient in their takedown, as the malicious botnet is in clear violation of their Terms of Service. ZeroFox also disclosed all of the goo.gl short URLs to the Google Security Team, who subsequently removed them and added the longUrl domains to their blacklists. ZeroFox is actively sending data to the networks to curb the botnet spam for users.
Best Practices & Impacts
Due to the prolific nature of this botnet, users and organizations should be aware of the following TTPs of SIREN:
- Thread replies on Twitter from bots with links to spam domains, where the tweets hijack conversations with users or customers, especially on influencer accounts
- Multiple redirect chains leading through link shortener services and rotator domains on the way to the final URL destination
- A plug-and-play infrastructure, where if one domain or website along the redirect path is blocked, another can be swapped in
- High use of free registration TLDs like .tk and .pw
- Many of the domains “landing” in ASN19884
The impact to users and associated stakeholders takes many forms:
- Financial loss to victims. The FBI classifies these as “romance scams” and even stated that a single scam can cost users up to $100,000.
- Surrender of privacy and embarrassment to victims. The spam websites share credentials within the network and possibly beyond.
- Brand reputation loss. Tweets are an important TTP for SIREN, so protecting profiles, pages and threads on social media from this spam will help keep brand reputation solid by avoiding customers or clients being exposed to these links.
- Although ZeroFox has not observed overt phishing or malware activity, malvertising and redirection to websites hosting exploit kits are easily accomplished due to the plug-and-play architecture that SIREN employs.
All fraudulent activity shown in this post has been reported to the social networks for immediate removal. All information in this report is publicly available data collected using the social network APIs. No confidential information is contained in the post.