The Follow Economy, pt. 2

It was only four years ago that Ashton Kutcher and CNN Breaking News battled to become the first Twitterers to reach the 1 million followers landmark. Unsurprisingly, the most followed person today is Justin Bieber with 40 million, and the top brand is YouTube with 30 million. While these are huge numbers, they are small fry considering that Twitter’s user base grew from 18 million in 2009 to 500 million in 2013.

Around the time of the Kutcher battle, there were the early embers of a wildfire in the Twittersphere – namely TweetAttacks. This was the tinder sticks for the most rampant spam tool ever launched for a social network. It could do it all. The tool made social media marketing a breeze for a spammer.

TweetAttacks, alongside TweetAdder and other lesser bots on the black hat market, simulated the gestures of a real person: following, unfollowing, direct messaging, and @replying. They even had a built-in scraping function to take content – say a list of jokes or other people’s old tweets (these were my particular favourites). After lifting a list of bite-size quips or updates, I’d chunk them up into individual tweets, then go to work spamming with everything on autopilot using TweetAttacks.

Oh, and when I say it was possible to automate everything, I mean everything.

I’d follow you (and hundreds of others) on Monday, and if you hadn’t followed back by Friday then I’d unfollow you. The aim was to get as many followbacks as possible, while unfollowing non-reciprocal parties. I kept this method churning out follows and unfollows in order to build up a “whale account” – an account with a huge list of followers.

It was important to build up huge lists of followers, not least so I could spam you with an @reply advert or DM link spam. Then, because we are connected, Twitter is less likely to ban my account. A similar principle exists when Gmail chooses not to send an email to the Junk folder on account of the sender being an existing contact.

Aside from @replies, your tweets were now my ammo, scraped and spun to create new unique tweets. I could take what you had written, repost it with an @reply to a new target, and include a link to a website. When visited, the website would stuff hundreds of affiliate cookies onto the unsuspecting visitor’s machine to gain a kickback for the owner of the affiliate ID associated with the cookie. Or the link may simply be there to fool Google into counting the site as popular.

Picture it: accounts running on rotation using proxies churning out tweets, posting links, @replying to tweets using keywords as triggers for preloaded messages to send. The message then propped up the social media metrics of clients.

Around that time, Facebook had revealed that 4% of all posts were spam and Twitter said 1.5% of all tweets were spam, in an article published by the WSJ.

Litigious Lawyers Take Aim

From 2009 until April 5, 2012 were the halcyon days of Twitter spamming. Then it all came to a shuddering halt. Twitter got wise, and got tough – litigious in fact.

Supposedly, it all started with Twitter staffing five ‘spam-science’ programmers and nine account-abuse specialists, followed by buying online security firm Dasient to help combat the spam/fraud issue.

However, in one lawsuit, Twitter effectively shuttered the biggest tools on the market via Cease & Desist (C&D) demands. They said: “With this suit, we’re going straight to the source. By shutting down tool providers, we will prevent other spammers from having these services at their disposal.”

On the same day as the five defendants were cited, one by one each fully complied. TweetAttacks, TweetAdder, TweetBuddy, James Lucero of justinlover.info and Garland Harris of troption.com acquiesced to the demand.

The lawsuit was aggressive. Without much ado it cut off the head.

The end of spam?

While Twitter has dampened the effectiveness of tweet spam, the follow economy is still alive and well. In April 2013, Andrea Stroppa and Carlo De Micheli, two Italian security researchers, calculated that the fake followers economy was worth between $40m and $360m.

Today I was offered 1 million followers priced at $900: “I am a straightforward and honest seller, though a possibility of a ban always exists,” promised my contact. “I have done over 1 million followers on accounts, they can fail with 1k fake, or with 1 million. Follower drop off and bans will be replaced with new accounts.” He went on: “My guarantee is 90 days.” And to his credit, he has good reviews at the major black hat sites such as Black Hat World and others like Warrior Forum.

The cost of followers has dropped through the floor. New spam tools have hit the market. Yet I am cautious. Twitterland has changed.

Twitter not only employs skilled, experienced anti-spam engineers, but they are also extremely astute.

These engineers have tightened the buffers. You can no longer sign up hundreds of accounts using the same IP address or send 100+ tweets or reply to over fifty people in a day without hitting their buffer.

Even with the new TweetAttacksPro tool, which claims to do everything and more of what the shuttered TweetAttacks could do, Twitter as a channel is much less effective.

Despite the inexpensive ($149) price tag for the tool, I would not touch it.

The costs of renting proxies soon stack up, and purchasing email addresses for the accounts coupled with the added risks of a Twitter ban make it less inviting.

So matching Kutcher with 1 million followers is no longer the challenge – that mirror is easily created. It’s how to get the social metrics to tally and match rate-metrics for all the reply, direct message or follow buffers set centrally by Twitter engineers. By design, Twitter has now served an added level of complexity just beyond most spammers.

In fact, it is hats off to Twitter, because for a spammer the fire really has gone out. That is, until the next chink in the platform is discovered.

Rhoda Crocket
Rhoda Crocket is Netopia’s undercover hacking and spamming expert. The name is fake (like with any spammer), but Netopia knows her real identity.