UPDATE: The day after we published this story Twitter suspended all accounts using the ref.gl and twi.gl link shorteners, along with those using ten additional link shorteners that we had just discovered. The accounts using these new link shorteners were tweeting as actively as our original ref.gl account, although we noticed occasional repetition, as in this archived search for the hashtag #2262Aryan.
With the addition of these accounts, we estimate that our botnet included over a thousand accounts and had tweeted up to 50 million times before it was suspended.
We were just beginning to explore and report on these new link accounts when Twitter suspended all related accounts.
The ten newly discovered link shorteners associated with this bot account are all registered anonymously through GoDaddy and are hosted by Microsoft. Here is the list of those we discovered before the botnet was suspended:
Many thanks to all who reported these bots to Twitter.
Several days ago, our collaborator @rosesansthorns saw anomalies in a Twitter account and shared them with the team. Here is a screenshot of that very active account.
Our investigation led us to the discovery of hundreds of related and similarly automated Twitter accounts. In other words, a botnet. One with tentacles deep into Twitter’s users. One so massive that we gave it a name. The Reffy Botnet. Named for the link shortening url that appears in almost every tweet it produces. A list of Reffy Botnet accounts, in alphabetical order, that we’ve found to-date appears at the end of this report.
The Reffy Botnet is distinguished by this combination of features:
1. Nearly exclusive use of one of two very unusual, custom link shorteners: ref.gl or twi.gl. Around 90% of the botnet’s tweets use the ref.gl link shortener.
2. No retweets and few, if any, replies.
3. Use of a tweeting app called “Mobile Web” (M2).
4. Tweets at regular intervals of 5 to 10 minutes, around the clock.
The Reffy Botnet accounts can be found by searching Twitter for either of the two link shortener urls:
Only one account appears to use the twi.gl link shortener, but that account has a fairly high number of followers: @WhistleBlogs.
The botnet using the ref.gl link shortener includes at least 217 accounts, listed below. This botnet is extremely prolific, tweeting an estimated 40 to 50 times per minute, around the clock. Each tweet seems to be unique — a search of Twitter for the text in the tweet never shows an identical tweet from a different account. Additionally, each account stays “in character.” For instance, each tweet from @blackalive_ links to an article about a Black Lives Matter issue.
The bots in this botnet tweet around the clock, without pause. This “square” distribution of tweets per hour is a strong indicator of a botnet, especially when all the accounts appear to be based in the same country, as ours do.
￼This bot army produces approximately 40 tweets and related links per minute. That equals nearly 58,000 tweets per day.
Most of these accounts have tweeted over 60,000 times since they were launched. The sum total of tweets is well over 12 million, and counting.
Is some group of people feeding this bot army this vast amount of information? Or has someone written a sophisticated scraper that wanders the web looking for relevant headlines and delivers the results back to this botnet?
Either way, the amount of effort fueling this botnet is far from trivial.
These accounts have another interesting feature. If you click on one of them, the “who to follow” suggestions will link to other Reffy Botnet accounts. Very often these suggested accounts focus on completely unrelated topics. How is it that Twitter knows these accounts are related to each other, but can’t figure out that it’s all one big automated botnet?
The Reffy Botnet accounts are particularly interesting because they have accumulated a large number of followers, many of whom are considered #Resistance leaders. The bots apparently accumulate followers by following medium to large accounts that tend to “follow back.” The fact that familiar accounts follow the bot accounts may provide social validation that attracts similar followers.
The interests of the Reffy Botnet accounts vary widely — law enforcement, sports, drug rehab, political issues and more. Posted links tend to be outdated, obscure news articles and/or blog posts; some lead to blank pages. The diversity of ownership of these link targets makes it unlikely that this botnet serves as part of a classic click-bait scheme.
The Reffy Botnet’s account names are in keeping with their apparent interests, and their descriptions are well-written in colloquial and grammatically clean American English. The articles and headlines they link to are very much in keeping with the descriptions of the accounts. A great deal of work went into giving these bot accounts the appearance of human users.
A detailed analysis of the accounts we have discovered in this botnet is here.
In short, the Reffy Botnet’s ultimate purpose remains unknown.
But here’s what we do know thus far:
Using the service VirusTotal to examine the two link shortener URLs revealed that malware detection software provided by the information security company Trustwave detected malicious code being served by both domains between January 6th and January 8th, 2018.
Virus total for ref.gl
Virus total for twi.gl
We had a look at the code that actually performs the redirect by downloading the code from the url in one of these tweets:
This is what we found:
This code indicates that each time the link shortener url is clicked on, a record of that click is being saved to the Google Analytics account associated with the urls. This means that detailed information about each visit, including the visitor’s IP address, can be recorded.
At the same time, whoever is controlling these bot accounts can use the Twitter API to harvest data about any Twitter user who “liked” or commented on each individual tweet.
This means that whoever has built this botnet has all the information needed to find the IP address of any Twitter user who “likes” or replies to one of these tweets and also clicks on the associated link.
We strongly recommend blocking and reporting any account that is using the ref.gl or twi.gl link shorteners.
Our team will continue researching the Reffy Botnet.
Unhack the Vote Investigative Team
Reffy Botnet accounts: