A single spammy reply to our @nbc_vc had me jump down the rabbit hole of a bot network promoting a dubious shop selling surgical masks.

Here’s an #OSINT thread on the anatomy of this network

1/12
It’s not uncommon to find odd Tweets but in this case it seemed that a coordinated campaign was happening.

One way to check this is by taking a unique part of the Tweet and searching for it under ‘Latest’. Note the timestamps!

Now that I knew something fishy was happening, I started the data collection capturing all mentions of 'medical mask'.

While the data was being collected, I checked out the Twitter account. Surprisingly, I found another one. Only difference was an extra ‘s’ in the handle

Important to note: the website on the Twitter accounts may seem legit to some users as it mentions Amazon.

BUT be aware! When clicking on it, users are redirected to a different site -> BIG 🚩

Interestingly, I found another website with the same logo & an interesting note about fraud.

When comparing both websites, it became clear that one is the original & the other is dubious. I found 2 additional sites which I’m still investigating.

Using DMI-TCAT & @GEPHI, I analysed 51k Tweets & over 2k users.

What u see here is a social graph by mentions (directed). If 1 user mentions another, a link is created. The more mentions the stronger the link. Red dot is shop_mask_usa - the most mentioned acc

Now let’s look at users who mentioned shop_mask_usa the most (grey nodes).

These grey nodes are the actual bot network (sample) - accounts that replied to other users whilst mentioning shop_mask_usa

Taking a closer look at some of these accounts revealed a pattern. Accounts were old; same content shared; fake names & stock images.

It’s pretty clear that these accounts aren’t authentic.

Now let’s look at the most mentioned accs in the network. Of course, shop_mask_usa is mentioned the most but what about the other accounts around it?

These are legitimate accounts who ended up here cuz the bot network replied to 1 of their Tweets by mentioning shop_mask_usa

So how does this bot network operate?

These non-authentic accounts reply to Tweets that have lots of ‘traffic’.

Popular tweets attract many users, so the hope is by replying with these spam tweets en masse, users will click on it & be tempted to buy masks

Fortunately, all of these accounts have been taken down by @twitter.

This case study shows the importance of reporting spam on Twitter. Especially during a global pandemic, users should be vigilant and report such spam to prevent others from ending up on dubious sites.
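
The mention-graph analysis described in the thread, as an added example (not the author's DMI-TCAT/Gephi workflow or data): it builds the directed, weighted mention graph from a few constructed tweets, then pulls out the most-mentioned account, the accounts pushing it, the legitimate accounts caught in the replies, and groups of accounts posting identical text. All handles and tweets below are made up.

```python
import re
from collections import Counter, defaultdict

MENTION = re.compile(r"@(\w{1,15})")
# Constructed sample (author, tweet text); handles are made up, not from the thread.
TWEETS = [
    ("bot_a", "@big_news @shop_example Best medical mask, order today"),
    ("bot_b", "@big_news @shop_example Best medical mask, order today"),
    ("bot_c", "@celeb_x @shop_example best medical mask,  order today"),
    ("bot_a", "@celeb_x @shop_example Best medical mask, order today"),
    ("reader1", "@big_news is any medical mask actually in stock?"),
]

def mention_edges(tweets):
    """Directed weighted edges: (author, mentioned) -> number of mentions."""
    edges = Counter()
    for author, text in tweets:
        for target in MENTION.findall(text):
            if target.lower() != author.lower():
                edges[(author.lower(), target.lower())] += 1
    return edges

def most_mentioned(edges):
    """Weighted in-degree per account, highest first."""
    indeg = Counter()
    for (_, dst), weight in edges.items():
        indeg[dst] += weight
    return indeg.most_common()

def promoters(edges, hub):
    """Accounts that mention the hub, mapped to how often they do."""
    return {src: w for (src, dst), w in edges.items() if dst == hub}

def bystanders(edges, hub):
    """Accounts mentioned by promoters that never mention the hub themselves."""
    pushing = set(promoters(edges, hub))
    hit = {dst for (src, dst) in edges if src in pushing and dst != hub}
    return sorted(hit - pushing)

def copy_paste_groups(tweets, hub):
    """Promoter accounts sharing identical text once mentions are stripped."""
    groups = defaultdict(set)
    for author, text in tweets:
        if hub in (m.lower() for m in MENTION.findall(text)):
            body = " ".join(MENTION.sub("", text).lower().split())
            groups[body].add(author.lower())
    return {body: sorted(a) for body, a in groups.items() if len(a) > 1}

if __name__ == "__main__":
    print(most_mentioned(mention_edges(TWEETS)), copy_paste_groups(TWEETS, "shop_example"))
```
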
You can follow @LorandBodo.