Inside a Twitter ‘Pornbot’ Campaign

Flashpoint analysts recently investigated the trend of adult entertainment-themed Twitter bots known as pornbots, which post tweets with hashtags containing popular brand names alongside random, unrelated terms. The observed set of pornbots appears to be a mix of compromised accounts and accounts specifically created to advertise pornography. As such, organizations mentioned in these bots’ pornographic advertising campaigns on Twitter may suffer reputational damage in addition to distorted social media engagement campaign metrics.

Image 1: Sample of tweets containing brand hashtags and random terms. Brand names have been sanitized

Image 1: Sample of tweets containing brand hashtags and random terms. Brand names have been sanitized.

In recent years, Twitter has become a primary form of external, two-way communication and engagement for organizations across all sectors. For example, companies often use hashtags to monitor the spread and reception of marketing campaigns and sponsored events. More crucially, emergency services may use hashtag tracking to gain real-time insight into current situations during natural disasters and other crises. In a worst-case scenario, pornbots or other spambots could identify a trending hashtag and distort the conversation by sharing unrelated or false information.

Image 2: Three sample pornbot Twitter accounts using the same profile picture. Each pornbot has a different username, bio, and join date, and each bio contains a link to a different adult entertainment website. However, these adult entertainment websites were hosted on common servers.

Image 2: Three sample pornbot Twitter accounts using the same profile picture. Each pornbot has a different username, bio, and join date, and each bio contains a link to a different adult entertainment website. However, these adult entertainment websites were hosted on common servers.

Flashpoint analysts identified three distinct sets of pornbots using identical hashtags, indicating they were likely part of the same organized campaign. While similar in appearance and often using a common set of profile pictures across the groups, each promoted a different adult website. However, the three adult websites linked to the sample profiles shown above were hosted on one of two common servers, which may indicate the pornbots share a common origin. Flashpoint analysts did not detect any malicious files on the servers hosting the websites advertised by the pornbots.

Advertising Methods

Flashpoint analysts observed two primary methods of advertising across the pornbot accounts:

• Hashtagged tweets: The first advertising method utilized hashtags followed by random risqué buzzwords and a link to an adult dating or video website, often featuring online “cam girls” or escort services.

• Link in bio and pinned tweet: The second advertising method includes multiple accounts sharing similar bios and pinned tweets, which contain links to adult content sites.

Image 3: Example of the first method of advertising adult entertainment sites, whereby links are included within hashtagged tweets.

Image 3: Example of the first method of advertising adult entertainment sites, whereby links are included within hashtagged tweets.

 Image 4: Example of a pornbot account using the second advertising method, whereby links to adult websites are included in the bio and the pinned tweet.

Image 4: Example of a pornbot account using the second advertising method, whereby links to adult websites are included in the bio and the pinned tweet.

Identifying Pornbots

Image 5: Sample guide to identifying pornbots and spambots.

Image 5: Sample guide to identifying pornbots and spambots.

Over the course of their investigation, Flashpoint analysts noted several common traits that can be used to identify pornbots and other spambots:

• Reused profile images: The profile pictures used by the observed pornbots were all obtained from public profiles on open-source websites, primarily Instagram and Pinterest. Reverse searches using Google Images indicated these stolen images were resused by multiple pornbots.

• Systematic coordination: Related sets of pornbots systematically coordinated their tweets. One pornbot would post a tweet containing a hashtag, and other pornbots within its group would subsequently post tweets containing the same hashtag, followed by random and unrelated terms. 

• Many tweets, but few followers: Each of the observed pornbots posted tweets at a rapid cadence, with some posting more than 50 times per day. Most of the observed pornbot accounts boasted more than 10,000 tweets, but typically had fewer than 200 followers. Similarly, most of the pornbots were following fewer than 200 other users. 

Image 6: Example of a reverse Google Images search revealing use of a single profile image across multiple pornbot accounts.

Image 6: Example of a reverse Google Images search revealing use of a single profile image across multiple pornbot accounts.

Image 7: Example of systemically coordinated tweeting among pornbots.

Image 7: Example of systemically coordinated tweeting among pornbots.

Pornbot Mitigation Best Practices

The following mitigation measures may help reduce the number of pornbots and spambots using brand names. These steps may also reduce the number of false detections and aid in validating social media metrics:

• Challenge social media teams to identify and block pornbots and spambots following company social media accounts. This action impacts the bots’ ability to capture and retweet relevant and branded tweets.

• Require social media teams to report these accounts through Twitter’s abuse function.

• Implement response actions to react to large campaigns, such as social media teams and cyber threat teams notifying each other when activity is detected.

The post Inside a Twitter ‘Pornbot’ Campaign appeared first on Flashpoint.

Go to Source
Author: Flashpoint

Europe’s Hacktivists Set Sights on Political Entities

The tumultuous state of global politics that has come to define 2017 continues to shape the motivations and schemes of a wide range of adversaries. In October, CNBC reported two Czech election websites were hacked and that, after Catalonia’s independence referendum was ruled illegal, the website for Spain’s Constitutional Court was taken down by a DDoS attack. These are just two of many examples that align with a trend Flashpoint analysts have observed in recent months: the proliferation of hacktivist activity targeting European government and political entities.

In early September, Flashpoint analysts observed multiple hacktivist-fueled DDoS attacks against several websites belonging to ministries and individual public officials in multiple European countries. Although these campaigns have been characterized by DDoS attacks dispersed across central Europe, some actors have tended to concentrate their activity on certain countries. For example, analysts have observed that one Turkish nationalist group appears to be focused on targeting the websites of Belgian and Austrian political entities. This group has also indicated its intent to retaliate against any perceived anti-Turkish or anti-Muslim sentiment emanating from European political entities. In one instance, the group posted screenshots of successful DDoS attacks against Danish government institutions. They claim to have carried out the attacks due to perceived insults by Danish politicians against Islam.

While hacktivist groups are often considered less skilled than their cybercriminal and state-sponsored counterparts, the risks and resulting damages they can inflict are by no means novel. Typically motivated by fundamental and political differences of opinion, hacktivist campaigns have been known to disrupt, deface, or otherwise take down targeted websites, web-based services, networks, and infrastructure. Unfortunately, these types of damages became a reality for many following the recent hacktivist-fueled DDoS attacks that correlated with major 2017 elections in the United Kingdom, Germany, Russia, Czech Republic, and France. It appears that the polarizing effect of these elections continues to contribute to the heightened risks faced by various European political entities.

Flashpoint assesses with a moderate degree of confidence that hacktivist-fueled DDoS attacks against European political entities may continue in the coming months. While addressing hacktivist activity can be complex and challenging, organizations—not just in Europe, but worldwide—that integrate Business Risk Intelligence (BRI) into their security and risk strategies can and do mitigate these types of risks more effectively. By providing proactive visibility into rising geopolitical tensions, emerging hacktivist threats, and upcoming schemes, BRI enables organizations across all sectors to gain a decision advantage over a broad spectrum of hacktivists and other adversaries.

Want to learn more about the hacktivist DDoS landscape in Europe? Watch our Flash Talk on Turkish Hacktivism here.

The post Europe’s Hacktivists Set Sights on Political Entities appeared first on Flashpoint.

Go to Source
Author: Flashpoint