Inauthentic Accounts Are Spamming Twitter With Spyware That Can Steal Users’ Private Data

Twitter’s negligence is astounding

[Image] Network graph representation of 27,449 Twitter accounts that tweeted, retweeted, or were mentioned in tweets which include “clockurl[.]co” (tweets from Jan 5th to Jan 12th, 2019)

Background Information

Cybersecurity firm Trend Micro discovered Maikspy variants that were being distributed via numerous Twitter accounts in May 2018.

Maikspy initially posed as an adult game named after former adult film actress Mia Khalifa, and first appeared on the Windows platform in December 2016 (an Android variant appeared shortly thereafter, in January 2017).

One of the Twitter accounts highlighted by Trend Micro was @RoundYear_Fun (account has since been suspended):

[Image] Source: Trend Micro blog

The cybersecurity firm identified several Twitter accounts promoting Virtual Girlfriend, an adult game, by linking to the malicious domain via short links:

[Image] Source: Trend Micro blog (tinyurl[.]com/VirtualGirlfriend points to miakhalifagame[.]com)

Once a device was infected (i.e., after the Maikspy-carrying Virtual Girlfriend app had been downloaded and installed), the app’s routine included stealing the device’s phone number, the list of installed apps, contacts, SMS messages, and more. Trend Micro documented the following supported commands:

[Image] Source: Trend Micro blog

Maikspy is very nasty spyware — early variants, for example, were capable of recording phone calls.

For more details around the connection between Round Year Fun and Maikspy, I highly recommend checking out Trend Micro’s post.

Here’s a visualization they put together that maps various relationships:

[Image] Source: Trend Micro blog

Round Year Fun (On Repeat)

The first time I encountered Round Year Fun was via a tweet linking to a game called Secret Admirer in October 2018.

I regularly scan Twitter search results for the phrases “Twitter bots” and “fake accounts” as these are areas which very much interest me. During the first couple of weeks of 2019, the scans led me to Secret Admirer with far more frequency than previously. (I completed most of this post at that time; Twitter’s recent decision to permanently suspend my account has motivated me to highlight more of their negligence, hence I finally finished/published this one.)

It was the tweet below that nudged me to finally take a closer look at the game:

[Image: screenshot of the tweet]

The exchange which followed (in Thai; between @ctrlaltdel3_14x and @Hazotfbot) — among other things — was a red flag:

[Image: screenshot of the exchange]

Next I searched Twitter for the link (clockurl[.]co/key/secretadmirer) that was being shared (by what appeared to be inauthentic accounts).

The number of search results was sufficient to warrant further investigation, so, using Twitter’s API, I pulled recent tweets in which that link appeared.

Below is a network graph representation of 2,100 Twitter accounts that tweeted, retweeted, or were mentioned in tweets which include “clockurl[.]co/key/secretadmirer” (tweets from Jan 4th to Jan 11th, 2019):

[Image] Each dot (node) represents a Twitter account. Lines connecting accounts (edges) represent relationships between accounts: for example, if account A mentions account B in a tweet that also contains “clockurl[.]co/key/secretadmirer”, then account A and account B are connected by an edge in the graph.
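The graph construction described above, as an added example that is not part of the original post or the author’s tooling: it filters tweet records for an indicator, joins each author to every account it mentioned or retweeted, and reports node/edge counts and the highest-degree accounts. The tweet records are constructed sample data flattened from the shape of Twitter API v1.1 status objects (`user`, `entities.user_mentions`, `retweeted_status`); the screen names other than `_Round_YearFun` are invented, and the indicator strings are the defanged forms used in this post.

```python
# Constructed sample records (not real tweets). "mentions" stands in for
# entities.user_mentions and "retweet_of" for retweeted_status.user.screen_name.
SAMPLE_TWEETS = [
    {"user": "_Round_YearFun", "mentions": [], "retweet_of": None,
     "text": "Who secretly admires you? clockurl.co/key/secretadmirer"},
    {"user": "acct_a", "mentions": ["_Round_YearFun"], "retweet_of": "_Round_YearFun",
     "text": "RT @_Round_YearFun: Who secretly admires you? clockurl.co/key/secretadmirer"},
    {"user": "acct_b", "mentions": ["acct_c", "_Round_YearFun"], "retweet_of": None,
     "text": "@acct_c check this clockurl.co/key/secretadmirer @_Round_YearFun"},
    {"user": "acct_d", "mentions": [], "retweet_of": None,
     "text": "unrelated tweet with no link"},
    {"user": "acct_e", "mentions": ["_Round_YearFun"], "retweet_of": "_Round_YearFun",
     "text": "RT @_Round_YearFun: Who secretly admires you? clockurl.co/key/secretadmirer"},
    {"user": "acct_f", "mentions": ["acct_g"], "retweet_of": None,
     "text": "@acct_g love test clockurl.co/key/lovecalculator"},
]


def refang(indicator):
    """Turn the defanged form used in this write-up ("clockurl[.]co") back into matchable text."""
    return indicator.replace("[.]", ".")


def build_graph(tweets, indicator):
    """Undirected graph of accounts: for every tweet whose text contains the indicator,
    an edge joins the author to each account it mentioned or retweeted."""
    needle = refang(indicator).lower()
    graph = {}  # screen_name -> set of neighbouring screen_names
    for tweet in tweets:
        if needle not in tweet["text"].lower():
            continue
        author = tweet["user"]
        graph.setdefault(author, set())  # author is a node even if it mentions nobody
        linked = set(tweet["mentions"])
        if tweet["retweet_of"]:
            linked.add(tweet["retweet_of"])
        for other in linked - {author}:
            graph[author].add(other)
            graph.setdefault(other, set()).add(author)
    return graph


def graph_stats(graph):
    """(node count, edge count) for an undirected adjacency-set graph."""
    return len(graph), sum(len(nbrs) for nbrs in graph.values()) // 2


def top_accounts(graph, n=3):
    """Highest-degree accounts as (screen_name, degree); ties broken by name."""
    ranked = sorted(graph.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(name, len(nbrs)) for name, nbrs in ranked[:n]]


if __name__ == "__main__":
    # Narrow indicator (one game) vs. the whole domain (all Round Year Fun games).
    for indicator in ("clockurl[.]co/key/secretadmirer", "clockurl[.]co"):
        g = build_graph(SAMPLE_TWEETS, indicator)
        print(indicator, graph_stats(g), top_accounts(g, 1))
```

Widening the indicator from the full path to the bare domain is exactly what pulls the other Round Year Fun games into the dataset; in the sample, the love-calculator tweet only appears under the domain-wide filter.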

The @_Round_YearFun account (largest node above by far) — as you may have noticed — has a slightly different username than the @RoundYear_Fun account highlighted by Trend Micro in May 2018.

In fact, there have been at least 10 Twitter accounts which, at some point, were operated by Round Year Fun, a gaming portal whose site currently carries the tagline “Fun Twitter games all year round”:

[Image] Round Year Fun’s site (Aug 1st, 2019)

Here’s an overview of those accounts (@RoundYear_Fun, in yellow below, is the account that was highlighted by Trend Micro in May 2018; each of these 10 accounts has been suspended):

[Image] Round Year Fun has operated at least 10 Twitter accounts going back to early 2017

Round Year Fun’s site lists 6 games:

  1. Secret Admirer (discussed earlier; this was the first Round Year Fun game I encountered)
  2. Twitter Family Tree
  3. How Will You Die?
  4. Who Visits Your Twitter Profile?
  5. My Twitter Worth
  6. Love Calculator
[Image] Round Year Fun’s site (Aug 1st, 2019)

Earlier in this section I shared a network graph representation of 2,100 Twitter accounts (relating to the Secret Admirer game). It turns out Twitter is similarly littered with inauthentic accounts spamming links to the other Round Year Fun games as well. Here are the links being spammed across Twitter for each respective game (all examples from Aug 1st, 2019):

[Image: the spammed link for each game]

Below is a network graph representation of 27,449 Twitter accounts that tweeted, retweeted, or were mentioned in tweets which include “clockurl[.]co” (tweets from Jan 5th to Jan 12th, 2019; NOTE: this is the same graph that appears atop this post):

[Image] Network graph representation of 27,449 Twitter accounts that tweeted, retweeted, or were mentioned in tweets which include “clockurl[.]co” (tweets from Jan 5th to Jan 12th, 2019)

ClockURL.co links on Twitter appear only in the context of Round Year Fun, so pulling tweets which include “clockurl[.]co” (rather than the full “clockurl[.]co/key/secretadmirer” path) extends the dataset beyond the Secret Admirer game and captures the other Round Year Fun games as well:

[Image] ClockURL.co’s site (Aug 1st, 2019)

Follow-For-Follow, Spam Accounts

Next I reviewed (profile) data obtained via Twitter’s API for the 27K+ accounts that appear in the “clockurl[.]co” graph/dataset.

Let’s take a closer look at one — namely, @sammykroos7:

[Image] The @SugarLove779 account (middle account in the “You might like” section) includes its follower count (97K) in the account’s display name. This is quite common among inauthentic accounts.
[Image] Source tweet (“sammy’s” user ID = 1116800622752301056)

“kinqsammykroos” (@sammykroos7) has, on average, liked 645 tweets per day (while also tweeting, on average, 208 times per day). This level of activity is generally indicative of automated (non-human) behavior.

Out of the account’s most recent 3.2K tweets, 97% are retweets. Additionally, there are several periods where the account churns out 86+ tweets per hour:

[Image] Source: Allegedly

What does @sammykroos7 tend to retweet? Other inauthentic accounts that spam Twitter about gaining followers via “follow trains” (NOTE: this behavior violates Twitter Rules):

[Images] Twitter Rules, it seems, are simply for show

Here are the accounts most frequently retweeted by @sammykroos7 (red text where average tweets or likes per day for retweeted account exceeds 100):

[Image: accounts most frequently retweeted by @sammykroos7]
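The activity heuristics used above (average tweets and likes per day, share of retweets, tweets per clock hour) together with the “most frequently retweeted accounts” ranking, as an added example that is not part of the original post or of the Allegedly tool: it computes each signal from a user object and a timeline and returns the names of the heuristics an account trips. The profile fields (`created_at`, `statuses_count`, `favourites_count`) are real Twitter API v1.1 user-object names, but the profile values, the timeline, the `follow_train_*` screen names and the thresholds are constructed assumptions for the example, not figures from the post.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions loosely derived from the figures cited in this post
# (hundreds of tweets/likes per day, ~97% retweets, 86+ tweets in an hour); tune them.
PER_DAY_THRESHOLD = 100
RETWEET_RATIO_THRESHOLD = 0.90
PER_HOUR_THRESHOLD = 60

NOW = datetime(2019, 8, 1, 12, 0, tzinfo=timezone.utc)

# Constructed profile shaped like a Twitter API v1.1 user object (invented values).
SAMPLE_PROFILE = {
    "screen_name": "example_account",
    "created_at": NOW - timedelta(days=100),
    "statuses_count": 20800,
    "favourites_count": 64500,
}


def make_sample_timeline(start):
    """Constructed timeline: a 90-retweet burst inside one hour, then a trickle."""
    tweets = []
    for i in range(90):  # 40 s apart, so all 90 land in the hour beginning at `start`
        src = "follow_train_a" if i % 3 else "follow_train_b"
        tweets.append({"created_at": start + timedelta(seconds=40 * i), "retweet_of": src})
    for i in range(7):  # a few more retweets spread across later hours
        tweets.append({"created_at": start + timedelta(hours=2 + i), "retweet_of": "follow_train_c"})
    for i in range(3):  # three original tweets
        tweets.append({"created_at": start + timedelta(hours=10 + i), "retweet_of": None})
    return tweets


SAMPLE_TIMELINE = make_sample_timeline(datetime(2019, 7, 31, 9, 0, tzinfo=timezone.utc))


def per_day_rates(profile, now=NOW):
    """Lifetime averages as (tweets per day, likes per day), from the counters Twitter exposes."""
    age_days = max((now - profile["created_at"]).total_seconds() / 86400.0, 1.0)
    return profile["statuses_count"] / age_days, profile["favourites_count"] / age_days


def retweet_ratio(tweets):
    """Fraction of the timeline that is retweets."""
    if not tweets:
        return 0.0
    return sum(1 for t in tweets if t["retweet_of"]) / len(tweets)


def max_tweets_per_hour(tweets):
    """Largest number of tweets falling into any single clock hour."""
    buckets = Counter(t["created_at"].replace(minute=0, second=0, microsecond=0) for t in tweets)
    return max(buckets.values(), default=0)


def most_retweeted(tweets, n=3):
    """Accounts this timeline retweets most often, as (screen_name, count)."""
    return Counter(t["retweet_of"] for t in tweets if t["retweet_of"]).most_common(n)


def suspicious_signals(profile, tweets, now=NOW):
    """Names of the heuristics the account trips; an empty list means nothing flagged."""
    tweets_per_day, likes_per_day = per_day_rates(profile, now)
    signals = []
    if tweets_per_day > PER_DAY_THRESHOLD:
        signals.append("tweets_per_day")
    if likes_per_day > PER_DAY_THRESHOLD:
        signals.append("likes_per_day")
    if retweet_ratio(tweets) > RETWEET_RATIO_THRESHOLD:
        signals.append("retweet_ratio")
    if max_tweets_per_hour(tweets) > PER_HOUR_THRESHOLD:
        signals.append("hourly_burst")
    return signals


if __name__ == "__main__":
    print("per day (tweets, likes):", per_day_rates(SAMPLE_PROFILE))
    print("retweet ratio:", retweet_ratio(SAMPLE_TIMELINE))
    print("max per hour:", max_tweets_per_hour(SAMPLE_TIMELINE))
    print("most retweeted:", most_retweeted(SAMPLE_TIMELINE))
    print("signals:", suspicious_signals(SAMPLE_PROFILE, SAMPLE_TIMELINE))
```

None of these signals is proof on its own (a news aggregator or a very active human can trip one of them); the point of the ranking function is to follow the retweet edges outward, since the accounts a suspected amplifier retweets most are the next candidates to score.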

Many of the follow-for-follow accounts show hundreds of thousands of followers. Once again, these accounts violate Twitter Rules (and serve to inflate platform metrics):

[Image: follower counts of follow-for-follow accounts]

Twitter will likely suspend the @cattina3 account as a result of this post. What they won’t do, however, is suspend the hundreds of thousands of inauthentic accounts from “Cat’s” Following/Followers (and ones that round out this particular spam network, more broadly).

These types of follow-for-follow accounts/spam networks are rampant across Twitter and span several languages.

I’ll save that for a later post — now back to Maikspy!

Pure Negligence

As evidenced by Round Year Fun’s multiple usernames, apparently all that’s required to evade Twitter account suspension is moving an underscore in the username.

Twitter doesn’t allow sending “roundyearfun[.]org” via DM, so they are clearly aware of the domain:

[Image: DM error when sending roundyearfun[.]org]

For some reason, however, Twitter can’t seem to rid their platform of inauthentic accounts spreading very nasty spyware — continuing to expose their users to data privacy risk.

Geoff Golberg is an NYC-based researcher (and entrepreneur) who is fascinated by graph visualization/network analysis — more specifically, when applied to social networks and blockchain activity. His experience spans structured finance, ad tech, and digital marketing/customer acquisition, both at startups and public companies. Geoff spends (far too much of) his time developing techniques and building tools to identify social media manipulation (of various flavors!)

Written by Geoff Golberg: CEO & Founder, Social Forensics | Previously: Co-Founder, Elementus | Featured in BBC, CNN, BuzzFeed, and Quartz, among others | SocialForensics.com
