January 23, 2017 - Priya Rajan

Twitter Bots: These are the Droids You’re Looking For

At DataVisor, we've uncovered many massive sleeper cells, and recent MIT research is consistent with our findings, especially regarding incubation duration.

Wondering if your company has any crime rings hiding among your users? Most do, but many don’t realize how big a problem they have. Or, they think they have everything under control. Twitter recently discovered how costly overconfidence can be.

Research published in MIT Technology Review demonstrated how big this problem can be by uncovering sleeper cells on Twitter. Juan Echeverria and Shi Zhou, from University College London, uncovered a Twitter botnet of approximately 350k accounts that had been asleep and undetected since 2013.

They discovered the massive botnet while investigating automated accounts. Odd but correlated geographic distribution, along with matching events and behaviors such as how many tweets the accounts published, the phones they used and their follower counts, were major red flags that something was going on. The researchers trained a machine-learning algorithm to recognize the Star Wars quotes being used by all the fake accounts and uncovered the massive 350k-account pool.

Is this an isolated case? No, it’s actually just a small drop in a very large bot bucket.

At DataVisor, we’ve uncovered many massive sleeper cells in the wild, and this MIT research is consistent with what we’ve found, especially when it comes to how long these sleeper cells incubate before they strike.

We analyzed more than 500 billion events and 300 million user accounts from global online services over the past two years to uncover sleeper cells. We found that they are not only prevalent, but also very patient. In fact, 24%-47% of the malicious accounts we uncovered incubated for more than 30 days after registration. That’s one whole month of looking and acting like a normal user, and avoiding all scrutiny accordingly.

We also found that 11% incubate for more than 100 days and one-third of all malicious accounts have yet to attack—even after our one-year observation period. These are huge groups of user accounts that you won’t know are malicious, even after one full year on your service, because they haven’t done anything wrong yet. They look like normal users and act like normal users, but the truth is, they are being primed to strike.

One crucial difference in our research is how we detected the sleeper cells in the first place—our method is very different than that of the MIT researchers. At DataVisor, we use unsupervised machine learning and don’t require rules—or, in this case, Star Wars quotes—to find correlated behavior and patterns. We are able to do that automatically by analyzing global user events and data in real time.
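As an added illustration (not DataVisor's code and not the researchers' classifier), the sketch below groups accounts by the correlated attributes mentioned earlier (device, tweet count, follower count) and flags groups with many long-dormant members, without any content rule. The field names, bucket widths, thresholds, the use of registration month and the sample accounts are all assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import date

def fingerprint(acct):
    """Coarse key over the attributes the article lists (device, tweet count,
    follower count); registration month is an extra assumption."""
    return (acct["client"], acct["tweets"] // 10, acct["followers"] // 10,
            acct["created"].strftime("%Y-%m"))

def candidate_cells(accounts, today, min_size=5, min_dormant_days=30):
    """Group look-alike accounts and keep groups with enough dormant members."""
    groups = defaultdict(list)
    for acct in accounts:
        groups[fingerprint(acct)].append(acct)
    cells = []
    for key, members in groups.items():
        # An active look-alike is dropped from the group rather than allowed
        # to hide the dormant accounts that share its fingerprint.
        dormant = [m for m in members
                   if (today - m["last_active"]).days >= min_dormant_days]
        if len(dormant) >= min_size:
            cells.append({"fingerprint": key, "size": len(dormant),
                          "ids": sorted(m["id"] for m in dormant)})
    return sorted(cells, key=lambda c: c["size"], reverse=True)

def sample_accounts():
    """Constructed data: six look-alike dormant accounts and four others."""
    def acct(id_, client, tweets, followers, created, last_active):
        return {"id": id_, "client": client, "tweets": tweets,
                "followers": followers, "created": created,
                "last_active": last_active}
    cell = [acct(f"bot{i}", "phone-model-X", 10 + i % 2, 3 + i % 3,
                 date(2013, 6, 10 + i), date(2013, 7, 1 + i)) for i in range(6)]
    others = [
        acct("u1", "phone-model-Y", 842, 130, date(2013, 6, 12), date(2017, 1, 20)),
        # Same fingerprint as the cell, but recently active.
        acct("u2", "phone-model-X", 12, 4, date(2013, 6, 15), date(2017, 1, 22)),
        # Dormant pair: correlated, but below min_size.
        acct("u3", "phone-model-Z", 55, 20, date(2015, 2, 1), date(2015, 3, 1)),
        acct("u4", "phone-model-Z", 57, 22, date(2015, 2, 9), date(2015, 3, 4)),
    ]
    return cell + others

if __name__ == "__main__":
    for c in candidate_cells(sample_accounts(), today=date(2017, 1, 23)):
        print(c["size"], c["fingerprint"], c["ids"])
```

Exact-match bucketing is the simplest possible stand-in for clustering; accounts that straddle a bucket boundary land in different groups, which a real similarity measure would avoid.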

But while our methods are different, our research results are similar and important to note. All online services need to be aware of the sleeper cell issue and take proactive steps to address it before their bots “wake up.” The damages they can inflict—both financially, and in user trust—can be massive if you don’t detect them in time.

about Priya Rajan
Priya Rajan is CMO at DataVisor. She is a highly-regarded leader in the technology and payments sectors, bringing more than two decades of experience to her role. She has previously held leadership roles with high-growth technology organizations such as VISA and Cisco, and Silicon Valley unicorns like Nutanix and Adaptive Insights.