Full Cycle Analysis of a Large-scale Botnet Attack on Twitter

This work presents an in-depth forensic analysis of a large-scale spam attack launched by one of the largest Twitter botnets reported in academic literature. The Bursty botnet contains over 500,000; many of which have not been suspended. The bots have generated over 2.8 million spam tweets, with 2.2 million mentions directly targeting over 1.3 million distinct Twitter users. We reveal that the botnet used a network of URL shortening services and redirections to obfuscate the real landing pages. We show that users clicked on these URLs shortly after they were published and in large numbers. We even discovered the botmaster who was behind the whole operation, including creation of the Bursty botnet and registration of the several landing pages, which happen to be phishing websites. Furthermore, we found that this botmaster is still active selling Twitter bot related services. Our work reconstructs the complete course of the spam attacks, from planning to execution. This work provides in depth analysis and insight into the operation of cybercriminals on Twitter, and the cyberspace infrastructure and black-markets that they rely on. Finally, we address how the state-of-the-art bot classifiers are unable differentiate the Bursty bots from normal users, highlighting the need and importance of individual botnet analysis.