The spammer used accounts that impersonated news sites such as CNN, TMZ, or ABC, as well as MTV celebrities including Nicole "Snooki" Polizzi and Vicki Pattison, in a sophisticated operation to use affiliate programs to earn a commission, according to new research published on Wednesday by Symantec.
As part of this campaign, the operator used three types of fake Twitter bot to spread its spam. One set of bots, the ones that impersonated news organizations and celebrities, tweeted out fake news about miracle weight loss, which led to fake news sites set up by the operator. Another set of bots retweeted and favorited those tweets, spreading them. And one last set of bots inflated follower counts to give legitimacy to the other bots.
To avoid getting the accounts suspended by Twitter, the operator programmed its bots to delete the tweets after a few hours. This tactic wasn't bullet-proof, as Twitter suspended some of the bots, according to the report. As a result, the operator had to replenish or repurpose its bots, and over time, he controlled "at least one million," according to Symantec's senior security response manager Satnam Narang.
This scam could have netted the operator, whom Symantec refused to name for legal reasons, hundreds of thousands of dollars, according to Andrea Stroppa, a security researcher who has studied fake accounts and spam campaigns on social media.
"This is a massive botnet," Stroppa told Motherboard. "With 750,000 accounts, if he was a good spammer he could have made a lot of cash."
Narang told Motherboard that it's hard to estimate the spammer's earnings, but "considering his persistence and the length of the operation, this could have netted him tens of thousands of dollars."
That would be a good return for an operation that Stroppa estimated cost $20,000 to launch and $6,000 a month to run, including the cost of email accounts to verify the Twitter bots as well as the virtual private servers to host the bots and the cost of the proxies.
The scam didn't last forever, though. Over the course of its research, Symantec alerted Twitter to the campaign. Around January of this year, almost all the botnet's accounts were shut down.
Apparently the operator wasn't as careful protecting his identity as he was creating bots. According to Symantec, he used his real name and address to create the websites that published fake news about the pill, and at a certain point he even converted a bot into his personal account.
Other than that, however, it seems like the spammer got away with making a lot of money.