Security

350,000 Twitter bot sleeper cell betrayed by love of Star Wars and Windows Phone

Computer researchers uncover yuuuge dormant army


Computer boffins Juan Echeverria and Shi Zhou at University College London have chanced across a dormant Twitter botnet made up of more than 350,000 accounts with a fondness for quoting Star Wars novels.

Twitter bots have been accused of warping the tone of the 2016 election. They also can be used for entertainment, marketing, spamming, manipulating Twitter's trending topics list and public opinion, trolling, fake followers, malware distribution, and data set pollution, among other things.

In a recently published research paper, the two computer scientists recount how a random sampling of 1 per cent of English-speaking Twitter accounts – about 6 million accounts – led to their discovery.

Pursuing an unrelated inquiry, the researchers were examining the geographic distribution of 20 million tweets with location tags in the dataset of 843 million tweets from the account sample, and they noticed an unusual distribution pattern.

Some accounts followed the expected distribution pattern, which coincides with population centers in America and Europe. But another set of accounts showed random distribution within those areas, often resulting in tweets from unlikely places such as seas, deserts, and the Arctic.

Blue dots at edge of box over Europe, barely visible after image compression, show Star Wars bots

When the researchers manually examined the text of these tweets, they found the majority of them consisted of random excerpts from Star Wars novels, and that many of them started or ended with an incomplete word or included a randomly placed hashtag.

For example:

Luke's answer was to put on an extra burst of speed. There were only ten meters #separating them now. If he could cover t

"This quote was from the book Star Wars: Choices of One, where Luke Skywalker is an important character," the paper explains. "We have found quotations from at least 11 Star Wars novels."

The manual examination of data associated with 4,942 accounts resulted in the identification of 3,244 bots with consistent characteristics:

Given that set of bots, the researchers created a machine learning classifier to hunt for other accounts with similar characteristics. The algorithm identified 356,957 Star Wars bots.

The researchers say they were lucky to have spotted the bots, which appear to have been designed to thwart automated detection methods. They note that being human helped make the discovery possible.

"The fact that the bots tagged their tweets with random locations in North America and Europe was a [deliberate] effort to make their tweets look more real," the paper explains. "But this camouflage trick backfired – the faked locations when plotted on a map seemed completely abnormal. It's important to note that this anomaly could only be noticed by a human looking at the map, whereas a computer algorithm would have a hard time to realize the anomaly."

Curiously, the Star Wars bots have been silent since 2013. The researchers observe that pre-aged bots can be sold for more than newly created bots on the black market, presumably because bot detection methods consider older accounts more likely to be reputable.

Twitter declined to comment on the findings, which may be because the company was unaware of them until now.

"We have not reported the accounts directly to Twitter (yet)," said Echeverria in an email to The Register. "We are waiting for the paper to be approved by the scientific journal to which it was submitted. We would also like to give researchers a chance to get the dataset by themselves before they are gone, this is why we have not reported to Twitter directly, but we will as soon as the paper gets accepted."

Inspired by their success identifying the Star Wars botnet, Echeverria, a research student, and his faculty advisor, senior lecturer Shi Zhou, claim to have identified an even larger botnet numbering half a million accounts.

"The larger botnet is part of a subsequent research paper, which is also under review," Echeverria said. "As soon as it gets approved, I will be able to disclose more information about it."

Echeverria added that there's now a Twitter account named "@thatisabot" to make it easier for people to report bots to researchers.

"Think of it as @spam but for researchers instead of Twitter," he said. "Furthermore, we have a webpage, www.thatisabot.com, which will (soon) also allow people to report bots to researchers."

"Commander, tear this ship apart until you've found those plans and bring me the Ambassador. I want her alive!" ®
Send us news
33 Comments

Microsoft Copilot for Security prepares for April liftoff

Automated AI helper intended to make security more manageable

In the rush to build AI apps, please, please don't leave security behind

Supply-chain attacks are definitely possible and could lead to data theft, system hijacking, and more

Infosec teams must be allowed to fail, argues Gartner

But failing to recover from incidents is unforgivable because 'adrenalin does not scale'

March Patch Tuesday sees Hyper-V join the guest-host escape club

Critical bugs galore among 61 Microsoft fixes, 56 from Adobe, a dozen from SAP, and a fistful from Fortinet

Row breaks out over true severity of two DNSSEC flaws

Some of us would be happy being rated 7.5 out of 10, just sayin'

FreeBSD Foundation hands out Beacon gongs for safer software

Multiple CHERI-related projects win money for important research that prizes safety over speed

Truck-to-truck worm could infect – and disrupt – entire US commercial fleet

The device that makes it possible is required in all American big rigs, and has poor security

Five Eyes tell critical infra orgs: Take these actions now to protect against China's Volt Typhoon

Unless you want to be the next Change Healthcare, that is

Forget TikTok – Chinese spies want to steal IP by backdooring digital locks

Uncle Sam can use this snooping tool, too, but that's beside the point

Beijing-backed cyberspies attacked 70+ orgs across 23 countries

Plus potential links to I-Soon, researchers say

Don't be like these 900+ websites and expose millions of passwords via Firebase

Warning: Poorly configured Google Cloud databases spill billing info, plaintext credentials

Vans claims cyber crooks didn't run off with its customers' financial info

Just 35.5M names, addresses, emails, phone numbers … no biggie