Clearly, the differences are quite big between the duplicated fake accounts and their corresponding real accounts. Most of these statistics look very reasonable (dozens of tweets, followers and followings), except for the last one. Real users may tweet at any time and most likely have no obvious trends; hence, the timestamps at minute level are most likely unique, as shown in our result: 96% are unique. Additionally, the Tweet source is diverse: 24% from iPhone, 24% from Web, etc. However, we found that these fake accounts generally tweet several times in a brief period of a day, and then disappeared for a few days, and come back again. Sometimes, these tweets were created so fast, e.g., 5 different tweets with 60+ characters in 1 minute, that they cannot be typed by a normal user, but only by machines. This characteristic leads us to estimate that the percentage of unique tweet timestamps should be lower: only 35% after our computation and 98% of them are coming from Web.
From here, we can easily deduce how Dealers (or hackers) control thousands fake accounts:
- Each account first is pushed in a processing queue
- A thread worker then will pop the front account out and log in to Twitter, create several tweets and login out
- Then, this account will be pushed in the back of the queue again, waiting for its next round.
Overall, we clearly can observe a new trend on the Twitter follower trading business: Dealers are getting smarter to make these fake accounts look more authentic.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.