
6.5 Compromised Account Detection

6.6.5 Case Studies

In this section, we describe some interesting findings about the compromised accounts detected by COMPA.

“Get more Followers” scams. On Twitter, the majority of the accounts that COMPA flagged as compromised were part of multiple large-scale phishing scams that advertise “more Followers”. These campaigns typically rely on a phishing website and a Twitter application. The phishing website promises more followers to a user. The victim can either get a small number of followers for free, or she can pay for a larger set of followers. Many users consider the number of their followers a status symbol on the Twitter network, and the “base version” of the service is free. This combination seems to be an irresistible offer for many. The phishing site requires the user to share her username and password with the website. Additionally, the user needs to give read and write access to the attacker’s application. Once the victim has entered her credentials and authorized the application, the application immediately posts a tweet to the victim’s account to advertise itself. Subsequently, the attackers make good on their promise and use their pool of existing, compromised accounts to follow the victim’s account. Of course, the victim also becomes part of the pool and will start following other users herself.

COMPA identified four different web sites that were part of the same phishing campaign.2 Although the web sites look different, they all use the same application to post tweets to their victims’ accounts. This behavior became evident when we combined the results of the text similarity and landing page oracles. More precisely, the landing page oracle identified four distinct campaigns, whereas the text similarity oracle detected a single campaign.

Among the other campaigns, COMPA successfully identified four different phishing campaigns. Although these campaigns were sending messages pointing to different URLs, the structure of the messages and the application used were the same. This means that the same group of people is running these campaigns and the infrastructure behind them. Moreover, this gives an idea of how sophisticated the underground economy behind Twitter has become.
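As an added illustration of how the results of the two oracles can be combined (example code written for this section, not part of COMPA): tweets are grouped by their normalised text template and, separately, by the host that each shortened URL eventually lands on; a text cluster whose tweets resolve to several landing hosts is one campaign operated through several sites, which is the pattern described above. The tweets, the `.example` hostnames and the redirect table are constructed stand-ins; the real landing page oracle follows HTTP redirects, which this script replaces with a lookup table.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample tweets, all posted through one (assumed) Twitter
# application. None of these are messages from the paper's data set.
TWEETS = [
    {"id": 1, "text": "Get 400 new followers today! http://t.example/a1"},
    {"id": 2, "text": "Get 350 new followers today! http://t.example/b7"},
    {"id": 3, "text": "Get 900 new followers today! http://t.example/c2"},
    {"id": 4, "text": "Get 120 new followers today! http://t.example/d9"},
    {"id": 5, "text": "Get 410 new followers today! http://t.example/a3"},
    {"id": 6, "text": "Lunch with @alice was great http://t.example/z1"},
]

# Constructed redirect table standing in for the landing page oracle's crawl
# (the real oracle follows HTTP redirects; this map is an assumption).
REDIRECTS = {
    "http://t.example/a1": "http://site-a.example/join?r=1",
    "http://t.example/a3": "http://site-a.example/join?r=3",
    "http://t.example/b7": "http://site-b.example/signup",
    "http://t.example/c2": "http://short.example/q",
    "http://short.example/q": "http://site-c.example/",
    "http://t.example/d9": "http://site-d.example/",
    "http://t.example/z1": "http://blog.example/lunch",
}

URL_RE = re.compile(r"https?://\S+")


def text_signature(text):
    """Turn a tweet into a template: URLs, mentions and numbers become
    placeholders so that messages differing only in those details match."""
    t = URL_RE.sub("<url>", text)
    t = re.sub(r"@\w+", "<user>", t)
    t = re.sub(r"\d+", "<num>", t)
    return " ".join(t.lower().split())


def landing_host(url, redirects, max_hops=10):
    """Follow the redirect chain (bounded, to survive loops) and return the
    hostname of the final landing page."""
    for _ in range(max_hops):
        nxt = redirects.get(url)
        if nxt is None:
            break
        url = nxt
    return urlparse(url).hostname


def cluster_by_text(tweets):
    """Text similarity oracle (simplified): group tweets by template."""
    groups = defaultdict(list)
    for tw in tweets:
        groups[text_signature(tw["text"])].append(tw["id"])
    return dict(groups)


def cluster_by_landing(tweets, redirects=REDIRECTS):
    """Landing page oracle (simplified): group tweets by final host."""
    groups = defaultdict(list)
    for tw in tweets:
        for url in URL_RE.findall(tw["text"]):
            groups[landing_host(url, redirects)].append(tw["id"])
    return dict(groups)


def cross_reference(tweets, redirects=REDIRECTS):
    """Map each text cluster to the sorted set of landing hosts it uses."""
    host_of = {}
    for tw in tweets:
        for url in URL_RE.findall(tw["text"]):
            host_of[tw["id"]] = landing_host(url, redirects)
    result = {}
    for sig, ids in cluster_by_text(tweets).items():
        result[sig] = sorted({host_of[i] for i in ids if i in host_of})
    return result


def multi_site_campaigns(tweets, redirects=REDIRECTS, min_sites=2):
    """Text clusters spread over several landing hosts: one campaign,
    several phishing sites, as in the case study."""
    return {sig: hosts for sig, hosts in cross_reference(tweets, redirects).items()
            if len(hosts) >= min_sites}


if __name__ == "__main__":
    print("landing clusters:", cluster_by_landing(TWEETS))
    print("text clusters:", cluster_by_text(TWEETS))
    print("multi-site campaigns:", multi_site_campaigns(TWEETS))
```

On the constructed data the landing page view yields five clusters (four scam hosts plus the benign blog) while the text view yields two, and the cross-reference shows the single scam template spanning four hosts; the same mismatch between the two oracles is what exposed the shared infrastructure in the paper's data.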

Victim analysis. We also analyzed the victims of one of the “Get more followers” scams previously described. The goal of this analysis was to understand more about the victims who fall for such scams. Over the analysis period, COMPA detected 84,650 accounts that were compromised by this campaign. All together, these accounts had 4,249,788 friends. We started to look for profiles that were followed by a large number of victims. The idea behind this is that this type of scam is likely to produce dense clusters of users connected to each other, since the advertised goal of the campaign is to give more followers to the accounts that subscribe to the service. The easiest way of doing this is to make the accounts whose credentials the attackers obtained follow each other. Overall, 51,584 profiles were followed by at least 500 victims of the scam. However, the majority of these accounts belonged to celebrities, which are followed by hundreds of thousands of Twitter accounts. To discriminate between celebrities and other profiles, we used the Klout API [81]. Klout is a service that measures how influential a Twitter account is. By leveraging their API, we identified which accounts belonged to celebrities, and which to users that were not influential but still had an anomalous number of scam victims following them. In particular, we considered any profile with a Klout score above 50 to be an influential profile. We found that 204 accounts had both a low Klout score and a high number of victims following them. We crawled the timelines of these accounts to assess whether they were also compromised. 22 of them sent tweets belonging to the scam, and therefore we consider them as compromised. Interestingly, 182 profiles did not show a behavior typical of compromised profiles. However, due to their low influence scores, we think it is unlikely that they got followed by such a large number of users who also happened to be compromised by the same scam. This fact suggests that not only the victims of the scam will be followed by other compromised accounts, but also that such victims will massively follow other accounts that are not popular on Twitter. This might mean that this particular scam is related to a service that offers followers in exchange for money. In fact, we observed such campaigns that would, for example, advertise 3,000 followers for $65. The scammers make good on their offer by following their customers with accounts for which they previously phished the credentials. A more detailed analysis of this type of scam has been presented in our follow-up papers [127, 132].

2 http://plusfollower.info, http://followback.info, http://hitfollow.
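The victim analysis just described, re-implemented on a constructed social graph as an added example (not the paper's code): count how many scam victims follow each profile, keep the profiles above the victim threshold, drop influential ones using an influence score in place of Klout, and finally separate hubs whose own timelines carry the scam message (compromised) from hubs that are merely followed by many victims (the paper's 182 "followed only" profiles, which it attributes to paid follower customers). The graph, the influence scores, the timelines and the `new followers` marker are all constructed assumptions, sized so that the paper's thresholds of 500 victims and a score of 50 apply unchanged.

```python
import random
from collections import Counter

# Constructed synthetic graph: 600 scam victims and the accounts each one
# follows. Not data from the paper; built so the 500-victim threshold bites.
def build_sample_graph(n_victims=600, seed=1):
    rng = random.Random(seed)
    victim_friends = {}
    for v in range(n_victims):
        friends = {"celebrity_1", "hub_a"}       # every victim follows both
        if rng.random() < 0.9:
            friends.add("hub_b")                 # roughly 540 victims
        if rng.random() < 0.5:
            friends.add("hub_c")                 # roughly 300: below threshold
        friends.add(f"random_{rng.randrange(5000)}")  # background noise
        victim_friends[f"victim_{v}"] = friends
    return victim_friends

# Constructed influence scores standing in for Klout scores (assumption).
INFLUENCE = {"celebrity_1": 92, "hub_a": 21, "hub_b": 34, "hub_c": 18}

# Constructed timelines for the hubs; hub_a carries the campaign message.
TIMELINES = {
    "hub_a": ["Get 500 new followers now! http://site-a.example"],
    "hub_b": ["Weekend plans?", "Coffee time"],
}

# Constructed marker for the scam template; the paper matched the
# campaign's own message structure instead of a fixed phrase.
SCAM_MARKER = "new followers"


def victim_follower_counts(victim_friends):
    """How many victims follow each profile (the 'dense cluster' signal)."""
    counts = Counter()
    for friends in victim_friends.values():
        counts.update(friends)
    return counts


def suspicious_hubs(victim_friends, influence, min_victims=500, max_score=50):
    """Profiles followed by at least min_victims victims whose influence
    score is at most max_score, i.e. heavily followed but not celebrities.
    A profile missing from `influence` is treated as non-influential
    (assumption), so it stays in the candidate set for manual review."""
    counts = victim_follower_counts(victim_friends)
    hubs = []
    for profile, n in counts.items():
        if n < min_victims:
            continue
        if influence.get(profile, 0) > max_score:   # celebrity: skip
            continue
        hubs.append((profile, n))
    return sorted(hubs, key=lambda pn: -pn[1])


def classify_hubs(hubs, timelines, marker=SCAM_MARKER):
    """Split hubs into those whose own timeline carries the scam message
    (compromised) and those that are only followed by many victims."""
    result = {"compromised": [], "followed_only": []}
    for profile, _ in hubs:
        tweets = timelines.get(profile, [])
        if any(marker in t.lower() for t in tweets):
            result["compromised"].append(profile)
        else:
            result["followed_only"].append(profile)
    return result


if __name__ == "__main__":
    graph = build_sample_graph()
    hubs = suspicious_hubs(graph, INFLUENCE)
    print("suspicious hubs:", hubs)
    print("classification:", classify_hubs(hubs, TIMELINES))
```

Here `celebrity_1` is followed by all 600 victims but is filtered out by its score, `hub_c` stays below the victim threshold, and of the two remaining hubs only `hub_a` is found to be compromised; `hub_b` is the low-influence, heavily followed profile that the paper's reasoning points to as a likely paying customer of the follower service.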

Phone numbers. COMPA also detected scam campaigns that do not contain URLs. Instead, potential victims are encouraged to call a phone number. Such messages would read, for example, “Obama is giving FREE Gas Cards Worth $250! Call now-> 1 888-858-5783 (US Only)@@@.” In our evaluation, 0.3% of the generated groups did not include URLs. Existing techniques, such as [137], which solely focus on URLs and their reputation, would fail to detect such campaigns.

Malicious Firefox plugin. Furthermore, COMPA detected a campaign to distribute a malicious Firefox plugin under the false premise that the plugin enables the non-existing “dislike” button on Facebook. However, once installed, the plugin would annoy the user with additional advertisements.