
I see I got your attention

Time to take down another one.

This one is interesting

Everyone please Retweet and Report.

Thanks to @GwendolynIRL for sending us some additional info

A few days ago we noticed an interesting response in the comments on a thread. A tattooed woman tweeted “points of blood and”. Points of blood and? (image: tara-charlson-tweet.png)

We had a closer look at Tara Charlson. We noticed a few interesting things about this account.
1. Her account description makes about as much sense as her tweets.
2. Although the account has been active since 2014, she only has 18 followers.
3. She prefers the “barely there” look when it comes to clothing.
4. Her Twitter handle – @luisman81849303 – ends in eight digits and bears no resemblance to her user name.
5. The link in her description is unusual looking. Twichick.info? Never heard of that.

Going back further in her timeline, we notice something interesting. In 2014 she was tweeting in Portuguese. Then for over four years there were no tweets, until very recently. This is a hallmark of a repurposed account – possibly one that has been hacked and sold on the black market. These accounts can look well-established because they apparently joined Twitter years ago. Since both the account name and the Twitter handle itself can be changed, it can be very difficult to track the origins of these accounts. (image: tara-charlson-history.png)

Here is a similar account. Compare the user name (Emma Oliver) to the Twitter handle (@hongpiao). Note that the account was apparently created in 2012. Then scroll back in the tweets. Hmmmm…
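The hallmarks above (eight-digit handle suffix, handle unrelated to the display name, an old account with few followers, a multi-year gap in tweets) can be checked mechanically when triaging many accounts. The following is an added example, not code from this site; the record layout, thresholds and dates are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Thresholds are assumptions chosen for illustration, not values from the article.
DORMANCY = timedelta(days=3 * 365)
MIN_AGE_YEARS, MAX_FOLLOWERS, MIN_SIMILARITY = 3, 50, 0.4

def _letters(s):
    return re.sub(r"[^a-z]", "", s.lower())

def longest_gap(tweet_times):
    """Longest silence between two consecutive tweets."""
    ts = sorted(tweet_times)
    return max((b - a for a, b in zip(ts, ts[1:])), default=timedelta(0))

def repurposed_signals(acct):
    """Return which of the article's hallmarks an account record shows."""
    signals = []
    handle = acct["handle"].lstrip("@")
    if re.search(r"\d{8}$", handle):
        signals.append("handle_ends_in_8_digits")
    similarity = SequenceMatcher(None, _letters(handle), _letters(acct["name"])).ratio()
    if similarity < MIN_SIMILARITY:
        signals.append("handle_name_mismatch")
    age_years = (acct["as_of"] - acct["created"]).days / 365
    if age_years >= MIN_AGE_YEARS and acct["followers"] < MAX_FOLLOWERS:
        signals.append("old_account_few_followers")
    if longest_gap(acct["tweet_times"]) >= DORMANCY:
        signals.append("long_dormancy_then_reactivation")
    return signals

# Constructed records: dates are invented; name, handle and follower count of the
# first follow the article's description. The second is a made-up ordinary account.
AS_OF = datetime(2018, 10, 5)
SUSPECT = {"handle": "@luisman81849303", "name": "Tara Charlson", "followers": 18,
           "created": datetime(2014, 2, 1), "as_of": AS_OF,
           "tweet_times": [datetime(2014, 3, 1), datetime(2014, 5, 10),
                           datetime(2018, 10, 1), datetime(2018, 10, 2)]}
ORDINARY = {"handle": "@jane_doe_writes", "name": "Jane Doe", "followers": 340,
            "created": datetime(2015, 6, 1), "as_of": AS_OF,
            "tweet_times": [datetime(2018, m, 15) for m in range(1, 10)]}

if __name__ == "__main__":
    for acct in (SUSPECT, ORDINARY):
        print(acct["handle"], repurposed_signals(acct))
```

No single signal is conclusive on its own; the value is in several firing together, which is when a manual look at the timeline is worth the time.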

What about the odd tweets? Where do those come from? Let’s look at one of the more distinctive tweets. “Devonshire.–Edwardturned hastily towards her,”

We did a Google search for that tweet and other similarly distinctive ones. Looks like Tara Charlson is quoting Jane Austen!

Then we did a Twitter search for the same sentence. Apparently Tara Charlson has some sisters with a similar love of English literature.

In just a few minutes we uncovered dozens of related accounts with very similar patterns. Here is a partial list:
@luisman81849303
@hongpiao
@KarinaRiehl1
@thahey1
@Jhoon_alan
@SwaggThiskid
@AzzaHoria
@Joseplenitude
@ChidoriMr
@erwanjheussaff
@CoolboyMahmud
@ljycts
@budakretax
@ChristinaTononi
@ashleycakes123
@EywaLeo
@bringhimhom

What is the purpose of this botnet? Let’s have a look at the URLs used in these accounts’ profiles. For instance, twichick.info. As always, it’s a bad idea to click on links in iffy Twitter profiles, so we investigated this domain using the online tool VirusTotal.

And what did we find? A Russian server. Looks like it’s hosting all the domains of Tara Charlson and her sister pornbots. https://www.virustotal.com/#/ip-address/217.107.219.172

This is why we NEVER click on a link in a suspicious Twitter account. The server is apparently hosting some kind of malware. https://www.virustotal.com/#/url/19d3bc8bce84659ecdfc922a8e6ac1bcc1e7ce842cba4f14b6d0f370b738150b/detection

Once again – without too much effort – we have stumbled on a botnet. This time it’s a dangerous one. In fact, Twitter is already aware that these domains are malicious. Try tweeting or DMing “twichick.info”. Twitter will not allow you to.

If it’s easy for us to spot this, why can’t Twitter? Why is Twitter allowing accounts with malicious links in their profiles to remain active? @twittersupport? @jack?

What should you do when you spot suspicious activity like this?

First, again, NEVER click on a link in a suspicious account’s timeline.
Second, it’s always a good idea to double-check your suspicions before reporting an account. One way to do that is by asking a question and seeing if you get a human sounding response.

Once you are sure the account is a bot, block and report. You can find the “report” option by going to the user’s profile and clicking the three small dots to the right of the page. Since a bot is an automated account trying to pretend it’s a human, the correct selection for reporting is that the account is “pretending to be me or someone else”.

These bots are being created as we speak. We will try to stay up to date on our website.

We are no longer recommending Blocking these Bots as Twitter has been negligent and we may need you to report again.

Let’s get this one suspended. We have much more to publish.

Thank you for all of your help.

–Mike

