New Research: Studying Twitter Spam’s Use in Political Censorship

Wednesday, May 9, 2012

Spammers who posted almost half a million Twitter messages in order to silence debate over Russia’s election in December likely purchased fraudulent accounts in bulk and posted the tweets from botnets, groups of malware-infected computers under the command of a single person. According to Networking Group researchers, the campaign took advantage of an underground economy based on spam, a phenomenon that researchers are studying in an attempt to improve methods of eliminating spam.

Within forty-eight hours of Russia’s parliamentary election on December 4, thousands of people rallied to protest the voting fraud they claimed Russia’s ruling party had committed; tens of thousands more protested through social media. Between December 5 and 6, Twitter users posted more than 800,000 messages containing hashtags – words or phrases added to tweets and aggregated in search results – related to the elections. Of those, nearly half were posted to accounts later identified by Twitter as fraudulent. The messages, many of which were garbled nonsense, diluted the legitimate tweets returned by searches for hashtags.

tweets per minute during attack

In April, Kurt Thomas of UC Berkeley and Chris Grier and Vern Paxson of ICSI’s Networking Group presented an in-depth analysis of the spam campaign at the USENIX Workshop on Large-Scale Exploits and Emergent Threats. They found that 99.5 percent of the suspended accounts that had posted tweets about the election were registered under mail.ru email addresses and followed certain naming patterns. Applying these patterns to all Twitter accounts under mail.ru addresses, the researchers found nearly a million accounts likely to be fraudulent, only 20 percent of which Twitter has suspended. The large number of spam accounts suggests that they were purchased from an online marketplace that registers and sells accounts in bulk.

In addition, the researchers also found that the IP addresses used to post spam about the election were far more dispersed around the globe than those used to post to legitimate messages, which tended to originate in Russia. The spam IP addresses were also more likely to appear on the Composite Blocking List, which comprises IP addresses flagged for sending spam and malware. These findings suggest that spammers sent their tweets from machines infected by malware and used to send spam email.

geolocation of user logins

The infected machines form part of what researchers describe as an underground economy, in which, among other things, infected machines send spam email in order to sell illicit goods and infect other machines. Research into this economy may lead to improved ways to fight spam, as when Networking Group researchers and colleagues at UC San Diego identified three banks that authorize 95 percent of credit card sales of goods advertised by spam. Spam-based profits could be significantly reduced if credit card-issuing banks refused to settle transactions authorized by these banks. Read the paper on the ICSI publications database.

The findings about the Russian election suggest that the monetization of spam can lead to a chilling effect on political conversation as well.

The good news? Twitter’s default search returns messages ranked by, among other measures, their “relevance.” While spam tweets may have drowned out legitimate political debate in real-time searches – which return messages in reverse chronological order – relevance searches returned 53 percent fewer spam tweets than real-time searches.

Related Paper: Adapting Social Spam Infrastructure for Political Censorship.” Kurt Thomas, Chris Grier, and Vern Paxson. Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), San Jose, California, April 2012.