Massive porn spam botnet got 30 million clicks on Twitter

In ancient Greece, sirens were mythological creatures whose singing lured sailors to their doom, as Odysseus’ mates discovered.

Fast-forward to 2017, and "SIREN" is nothing less than a ginormous, 90,000-account strong porn botnet that spammed social media users for months with 8,500,000 tweets.

Security researchers at ZeroFOX, who tracked the malicious, since-deleted accounts since February, called the botnet "one of the largest malicious campaigns ever recorded on a social network."

Just like their half-bird, half-women counterparts, the bots seduced online sailors with links advertising pornographic content. And they were incredibly successful in doing so.

As the botnet used trackable, Google-shortened URLs, it was possible to ascertain that SIREN netted more than 30,000,000 clicks from its victims.

Image: Zerofox screengrab

All the accounts used a very similar formula.

They all had a photo of an attractive woman as a profile pic and they all posted sexually suggestive albeit cripplingly ridiculous tweets.

"The tweets themselves generally contained canned, sexually-explicit text, often in broken English, compelling the target to click, such as ‘you want to meet with me?’ or ‘Push,don’t be shy’ [sic]" ZeroFox said.

Here are a few examples:

  • I posted another #naked photo

  • I want to #fondle me?

  • I want to take my #virgin?

  • Meow, I want to have sex

  • Want a vulgar, young man?

The bots would engage directly with the victims by quoting one of their tweets or "attracting targets to the payload visible on their profile bio or pinned tweet," researchers said.

In order to get around anti-spam services, the accounts would disguise the URLs through a laundering procedure. The URL would get shortened through Twitter (t.co), then the short link would get redirected to a goog.gl URL, in order to bypass both Twitter and Google’s anti-spam detection.

The links would redirect users to other adult websites which encourage them to sign up for subscription pornography, webcam, or fake dating websites. These websites are themselves scams.

ZeroFOX researchers reported that two out of five of the domains tweeted by SIREN are connected to Deniro Marketing, a company identified by Brian Krebs as being associated with a large email spam porn campaign.

The company believes the botnet was originated from Eastern Europe.

The Twitter profiles and posts were reported to Twitter security team who subsequently removed them.

Comments are closed.