#BotSpot: A Botnet Is Born

We catch the moment that a probable botnet is created

Accounts followed by @Alexand25013733 as of January 9, 2018, when it was archived. This account was created on January 8, 2018. (Source: Twitter / @Alexand25013733)

On January 9, 2018, Julian Reichelt, the editor-in-chief of German newspaper BILD’s digital edition, noticed that his Twitter following increased sharply, and that many of his new followers looked eerily similar: accounts with no faces, no profile pictures, and eight-digit numbers after their names.

@DFRLab analyzed his new followers, and concluded that they most probably belonged to a botnet — a network of automated accounts — in the very moment of its creation.

The incident shows one of the tricks bot makers use to give their creations a more human appearance, by following journalists, politicians, and celebrities.

No faces, lots of numbers

As of January 9, Reichelt had 47,688 followers. Among the most recent, a disproportionate number had no profile image, and their names were followed by eight-digit numbers:

Snapshot of Reichelt’s profile page on January 9, 2018: note the cluster of faceless eight-digit accounts. Archived on January 9, 2018. (Source: Twitter / @jreichelt)

Faceless profiles are a regular occurrence on Twitter. They can indicate freshly-created accounts, or users who prefer not to have a profile picture. However, they can also indicate bots — automated accounts set up to amplify other people’s messages, often for political or commercial reasons.

The use of eight-digit numbers has also been associated with bot accounts. (For @DFRLab’s guide on twelve ways to spot bots, see here.)

All the same day

In Reichelt’s case, the faceless accounts had almost all been created within the previous 24 hours.

Profile pages for some of the accounts which followed Reichelt on January 8–9: note the precise creation time of each account in black, just under the username. All profiles archived on January 9, 2018. (Source for all accounts: Twitter)

Even for a user with over 47,000 followers, to gain so many which were not just new, but newborn, in the same day, is unlikely to be a coincidence. The similarity in these accounts’ appearance, names, creation time and behavior all mark them as a probable botnet.

Commercial content, or none

The accounts were too new to have tweeted much (if at all), meaning that there are insufficient data to identify their purpose. One of the few exceptions was @Ali61954592, which posted the identical pornographic German-language invitation seven times in succession.

Tweets posted by @Ali61954592 on January 9, 2018. Profile archived the same day. (Source: Twitter / @Ali61954592)

Another was @Leon25957162, which posted a series of adverts for online game Rules of Survival, most of them only with the hashtag.

Tweets posted by @Leon25957162. Archived on January 9, 2018. (Source: Twitter / @Leon25957162)

Posting the same message repeatedly, especially when it is only a hashtag, or accompanied by a long string of hashtags, is a classic indicator of a commercial bot, automated to amplify advertisement. Many bots have also been known to share pornography.

The great majority of Reichelt’s recent faceless followers, however, had not tweeted or liked posts at all. All the below accounts were created on January 8–9.

Profile page for @Ariane54677214, as of January 9, 2018, when it was archived. (Source: Twitter / @Ariane54677214)
Profile page for @Luca90352439, as of January 9, 2018, when it was archived. (Source: Twitter / @Luca90352439)
Profile page for @melii01294262 as of January 9, 2018, when it was archived. (Source: Twitter / @melii01294262)

Again, behavior like this in one, or even a few, accounts would be unexceptionable. The sheer number of such accounts in Reichelt’s most recent followers — dozens within a few hours, obvious to the naked eye— is one of the markers that this is a botnet, rather than an unrelated group of tongue-tied individuals.

Starry-eyed followers

Given the lack of posts from most of these accounts, the intention behind their creation cannot be established with certainty, although the behavior of @Ali61954592 and @Leon25957162 suggests that they are destined for commercial use — bots to be used as amplifiers of commercial messages (including pornography), and probably hired out.

However, it does not seem likely that Reichelt was a deliberate target, singled out for intimidation, as bots have been known to do in the past.

Looking at the accounts which these probable bots follow, the great majority are verified users (shown by the blue check mark), and belong to politicians, footballers, news outlets, models, actors, and other celebrities.

Accounts followed by @qun29708631; note the preponderance of blue check-marks, including Sylvester Stallone, Mark Hamill and the Berlin police. Account archived on January 9, 2018. (Source: Twitter)

Most accounts mixed following U.S. politicans and celebrities with German politicians, news, and sport outlets.

Accounts followed by @ridvan33097963; note, again, the preponderance of verified users, including Reichelt (top left) and German footballer Shkodran Mustafi (top right). Archived on January 9, 2018. (Source: Twitter)

Many of the apparent bot accounts followed the same users, albeit in a different order. Note in the screenshots below the presence of @izziofficial and @BVG_Kampagne, also present above, and of @_juliaschramm and @fraubauerfeind.

Accounts followed by @Luca93052439, as of January 9, 2018, when it was archived. (Source: Twitter)
Accounts followed by @Ariane54677214 as of January 9, 2018, when it was archived. (Source: Twitter)

This is yet another apparent “coincidence” which is too major to be coincidental. These accounts appear to draw on a common list of celebrities, stars, and journalists — including Reichelt.

The majority of the political accounts followed were German. Occasionally, however, some members of the network followed U.S. leaders, such as former President Barack Obama and current President Donald Trump.

Accounts followed by @W0ngn0tl0ng as of January 9, 2018, archived the same day. This account had tweeted once by January 9, a retweet of a commercial. (Source: Twitter / @W0ngn0tl0ng)
Accounts followed by @Alexand25013733 as of January 9, 2018, when it was archived. This account was created on January 8, 2018. (Source: Twitter / @Alexand25013733)

These were the exception, however. Most of the political accounts followed by this network were German.


There are too many similarities between these accounts to make it plausible that they were all created by individual users. All were created in the space of a few hours; all followed Reichelt; all were faceless; most had eight-digit numbers after the username; most did not post tweets. They all seemed to follow subsets of a common list of verified, celebrity, news, and sports accounts.

The overwhelming likelihood is that this is a botnet; the few posts which its accounts have made suggest that it is destined for commercial use.

Why, then, follow Reichelt and the other verified accounts? It is likely that this is a part of the botnet’s set-up routine. Bots are meant to work by masquerading as humans (see examples which @DFRLab has uncovered here, here, and here, and a primer on how bot makers decorate their bots here). One of the ways in which they can do so is to follow popular, verified accounts. A next step may then be to give the account a profile picture, background and biography, none of which had been done on this occasion by the end of January 9.

The following of Reichelt (and Trump, Obama, Mark Hamill and others) is likely to be a form of camouflage, giving the accounts a more human appearance and behavior pattern. It is unclear whether the next step will be to provide further decoration, such as profile pictures; many bot accounts do remain faceless and without further personality. What does appear likely is that we have been lucky enough to see a botnet in the moment of its creation, and thus gain a further insight into how this is done.

Ben Nimmo is Senior Fellow for Information Defense at the Atlantic Council’s Digital Forensic Research Lab (@DFRLab).

Follow along for more in-depth analysis from our #DigitalSherlocks.

#BotSpot: A Botnet Is Born was originally published in DFRLab on Medium, where people are continuing the conversation by highlighting and responding to this story.

Source link


Leave a Reply

Pin It on Pinterest

Share This

Share this post with your friends!