- Only 1147 Abusers were identified, with only 121 of them as fake accounts
- The average Abuser has 52,432 followers; 60% of Abusers have 4,000-26,000 followers
- Only 55% of Abusers have set URLs in their profiles
- Average account age of Abusers are 100 weeks, or 1-year and 11 months
- 16 Abusers have more than 1M followers, 88 Abusers have more than 100K followers.
- 99,494 unique fake accounts identified
- Average age of these fake accounts is 30 weeks or about 7 months; only 0.1% of Fake Accounts are less than 3-months old
- On average, a Fake Account is following 60 users, tweeting 77 times, and has 32 followers
- 63% (62,982 out of 99,494) of Fake Accounts are created by duplicating profiles from real users: adding one extra character on the screen name, and using the same displaying names, descriptions and locations. Some real accounts are duplicated multiple times.
Clearly, the differences are quite big between the duplicated fake accounts and their corresponding real accounts. Most of these statistics look very reasonable (dozens of tweets, followers and followings), except for the last one. Real users may tweet at any time and most likely have no obvious trends; hence, the timestamps at minute level are most likely unique, as shown in our result: 96% are unique. Additionally, the Tweet source is diverse: 24% from iPhone, 24% from Web, etc. However, we found that these fake accounts generally tweet several times in a brief period of a day, and then disappeared for a few days, and come back again. Sometimes, these tweets were created so fast, e.g., 5 different tweets with 60+ characters in 1 minute, that they cannot be typed by a normal user, but only by machines. This characteristic leads us to estimate that the percentage of unique tweet timestamps should be lower: only 35% after our computation and 98% of them are coming from Web.
From here, we can easily deduce how Dealers (or hackers) control thousands fake accounts:
- Each account first is pushed in a processing queue
- A thread worker then will pop the front account out and log in to Twitter, create several tweets and login out
- Then, this account will be pushed in the back of the queue again, waiting for its next round.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.