Spammer mimics real-life Twitter account structure

Mar 25, 2015 22:31 GMT

A one-man spam operation relied on three quarters of a million Twitter accounts to increase sales of a diet pill and earn referral-based commission.

The pill was promoted under the name of Green Coffee Bean Extract, and like any other revolutionary product, it promised amazing results in a very short amount of time.

Impersonating popular brands and celebrities

The operator's money-making spam scheme was a sophisticated one, employing tactics to evade detection and to keep the campaign active for a long period of time.

One of the methods used was to impersonate social media accounts of celebrities and popular brands, adding credibility through the use of graphic elements (logos, icons, avatars) associated with these entities.

The spammer took advantage of names such as CNN, E! Online, TMZ, ABC News, MTV News, Yahoo! News or Men’s Health.

The celebrity names employed included Vicky Pattinson, Nicole “Snooki” Polizzi and Jenni “JWOWW” Farley. Tweets from these profiles would advertise “before” and “after” photos to ensure a higher click rate.

Accounts of this type were called “mockingbirds” by security researchers from Symantec, who discovered the campaign in July 2014.

Britney Spears, Renee Zellweger, Christina Aguilera, and Lady Gaga were used in photos claiming quick weight loss on account of the Green Coffee Bean Extract pill.

Eggs and Parrots retweet Mockingbirds' messages

Apart from these, the spam operator also employed two other types of Twitter profiles that would correspond to different categories of users.

“Parrots” were fake accounts that used stolen content and photos of real persons in order to display regular human activity, while “Egg” accounts behaved like new users, with no followers and no tweets.

The bird name selection is no coincidence, since mockingbirds and parrots are known for their impersonation skills.

“Each spam tweet from a Mockingbird account would receive nearly 1,000 retweets and 500 favorites,” a report from Symantec notes, adding that these were all generated through Parrot accounts.

The “Egg” accounts served to increase the followership of both Parrots and Mockingbirds, which would engage with each other to make the spam tweets appear genuine to other users.

Evading tactics, ensuring longevity

One tactic used by the spammer to ensure the longevity of the operation was to delete the spam tweets from Mockingbirds a short while (about four hours) after they were published, but not before they were retweeted by Parrots.

Upon suspension of one of the two higher-level profiles, the operator would simply promote a lower-level one and rename it, as a specific naming convention was used for all of them.

According to Symantec, the spammer used more than 700,000 (94.5%) Egg profiles, about 40,000 (5.06%) Parrots and fewer than 100 Mockingbirds (0.01%), a structure that resembles the one seen among legitimate users, based on their popularity.

The oldest account appears to date from September 2013, a very long lifespan considering that regular spam campaigns do not last more than a few weeks, if that.
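A defender-side sketch of how the tactic of deleting Mockingbird tweets about four hours after posting, once Parrots have retweeted them, could be surfaced from tweet records. This is an added example, not Symantec's method or code from the report; the record fields, account names and thresholds (a five-hour window, 500 surviving retweets, two occurrences) are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def flag_amplify_then_delete(tweets, max_life=timedelta(hours=5),
                             min_retweets=500, min_hits=2):
    """Return authors that repeatedly delete heavily retweeted tweets soon
    after posting, with the number of amplifier accounts shared by all hits."""
    hits = defaultdict(list)
    for tw in tweets:
        if tw["deleted"] is None:          # original still up: not this pattern
            continue
        short_lived = tw["deleted"] - tw["posted"] <= max_life
        if short_lived and len(tw["retweeters"]) >= min_retweets:
            hits[tw["author"]].append(tw)
    report = {}
    for author, tws in hits.items():
        if len(tws) < min_hits:            # one deleted viral tweet is not enough
            continue
        # Accounts that retweeted every flagged tweet: candidate amplifier pool.
        shared = set.intersection(*(tw["retweeters"] for tw in tws))
        report[author] = {"tweets": len(tws), "shared_amplifiers": len(shared)}
    return report

# Constructed sample records (not real data); field names are assumptions.
def _t(hours):
    return datetime(2014, 7, 1) + timedelta(hours=hours)

def _accts(start, stop):
    return {f"acct{i}" for i in range(start, stop)}

SAMPLE = [
    {"author": "fake_brand_news", "posted": _t(0), "deleted": _t(4),
     "retweeters": _accts(0, 1000)},
    {"author": "fake_brand_news", "posted": _t(10), "deleted": _t(13.5),
     "retweeters": _accts(50, 1050)},
    {"author": "typo_fixer", "posted": _t(1), "deleted": _t(2),
     "retweeters": _accts(2000, 2003)},
    {"author": "popular_account", "posted": _t(3), "deleted": None,
     "retweeters": _accts(3000, 5000)},
    {"author": "one_off", "posted": _t(5), "deleted": _t(8),
     "retweeters": _accts(6000, 6600)},
]

if __name__ == "__main__":
    for author, info in flag_amplify_then_delete(SAMPLE).items():
        print(author, info)
```

The shared-amplifier count is what separates a coordinated pool from an ordinary viral tweet that its author later removed, so it is worth reviewing alongside the flag itself.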

Getting caught

Symantec’s report does not offer any information regarding the amount of money the scammer may have made from this operation, but it says that “the affiliate can expect to earn anywhere from $36 to $60 per converted lead,” and that payment came when credit card details were submitted for a free trial.

Catching the spammer was a matter of closely monitoring the fraudulent Twitter accounts he created and noticing the breadcrumbs to his identity that he left behind in personal messages he posted and in the domain registration information. What’s more, the spammer even used a Parrot as his personal account.

Besides being suspicious of new followers and miracle diets, users can protect themselves from such spam campaigns by checking for the Twitter verification mark (the blue badge) on accounts of popular profiles before following their feed.