Twitter users targeted by an army of 86,262 sex-starved bots

Last week, an army of sex-crazed robots invaded Twitter, looking to be #fondled, for somebody to take their #virgin, and asking a young man if he wants a vulgar. And perhaps they can be forgiven for the broken English, as the more than 8.6m tweets, spurted from 86,262 accounts, were apparently coming from eastern Europe.

That’s according to ZeroFOX, the security firm that ratted out the chirpy bots to security teams at Twitter and Google. The teams promptly took down the accounts and the links they were sending, which led to a network of spam porn websites.

In fact, it’s the same porn/dating website network – linked to Deniro Marketing, which owns the domains the tweets were pimping – that a large porn spam campaign uncovered by security journalist Brian Krebs a month ago was also linking to.

Deniro Marketing is based in California. It hasn’t responded to requests for comment from news outlets, including from Krebs and Gizmodo.

In 2010, the company was named in a class action lawsuit in which plaintiffs claimed to have been sold a raw deal: drawn to an online dating site via “spam, internet pop-up ads, or social networking scams”, induced to sign up for free, and then encouraged to upgrade to paid memberships.

Online dating services – or adultery, for that matter – are legal. Dragging people in via all those alleged scams is not.

At any rate, Deniro still hosts websites and runs affiliate marketing programs.

If it’s based in California, why the choppy English and Cyrillic letters? ZeroFOX says that “a large chunk” of the Twitter accounts’ self-declared user languages were Russian.

Zack Allen, manager of threat operations at ZeroFOX, told Krebs that the humans behind the bots probably aren’t part of Deniro Marketing. Rather, they’re likely affiliates.

Krebs gave an example of a dating affiliate program, the NSFW site datinggold[dot]com. It invites marketers to make big bucks by bringing in signups for its array of online “dating” sites that promote cheating, hookups and affairs: “AdsforSex”, “Affair Hookups” and “LocalCheaters”, to name a few.

Datinggold is, in fact, behind two of the five domains that the sex bots’ Twitter links eventually resolve to, after a series of redirects meant to hide the links’ final destinations from Twitter’s link checks: the tweet carries only a shortened URL, and the real landing page sits several hops down the chain.

ZeroFOX has dubbed this entourage of sexbot sadsackery Siren, as in, the half-chicken, half-buxom-babes from Greek mythology whose dulcet tones lured horny sailors into jagged rocks.

The 86,262 accounts all used profile pictures of young women, and their tweets included sexually suggestive invitations to join them for a sex chat. The vast majority – 98.2% – followed this pattern:

  1. Sexy phrase (see ZeroFOX’s First Phrase image below).
  2. Exclamation point!
  3. Social engineering phrase luring recipients to click a link (see Second Phrase image below).
  4. A shortened URL.
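That four-part template is regular enough to detect mechanically. The Python below is an added example, not ZeroFOX’s tooling or anything from the original report: it splits a tweet into the four parts (opening phrase, exclamation point, lure phrase, one trailing shortened URL), accepts it only when the link points at a known URL shortener, and reports what fraction of a batch fits, the same measurement ZeroFOX made when it found 98.2%. The sample tweets are constructed, not real Siren tweets, and the shortener list beyond goo.gl is an assumption for illustration.

```python
import re
from urllib.parse import urlsplit

# URL-shortener hosts. ZeroFOX says the Siren bots used Google-shortened links
# (goo.gl); the remaining entries are assumptions added for illustration.
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com", "ow.ly"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def shortener_host(url):
    """Return the lowercased host of url if it is a known shortener, else None."""
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host if host in SHORTENER_HOSTS else None


def parse_siren_tweet(text):
    """Split text into the four parts of the Siren template, or return None.

    The template ZeroFOX described: (1) an opening phrase, (2) an exclamation
    point, (3) a lure phrase, (4) one shortened URL, in that order.
    """
    urls = list(URL_RE.finditer(text))
    if len(urls) != 1:                      # the template carries exactly one link
        return None
    m = urls[0]
    if text[m.end():].strip():              # the link is the final element
        return None
    host = shortener_host(m.group(0))
    if host is None:                        # not a shortener: not the template
        return None
    head = text[:m.start()]
    first, sep, lure = head.partition("!")  # part 2 is the first '!'
    first, lure = first.strip(), lure.strip()
    if not sep or not first or not lure:    # both phrases must be present
        return None
    return {"first": first, "lure": lure, "url": m.group(0), "host": host}


def siren_ratio(tweets):
    """Fraction of tweets that fit the template (ZeroFOX measured 98.2% for Siren)."""
    hits = sum(parse_siren_tweet(t) is not None for t in tweets)
    return hits / len(tweets) if tweets else 0.0


def defang(url):
    """Render a URL unclickable for a report, the way the article writes datinggold[dot]com."""
    return url.replace("http", "hxxp", 1).replace(".", "[dot]")


# Constructed sample tweets (not real Siren tweets).
SAMPLE_TWEETS = [
    "I want to be #fondled tonight! Come chat with me here https://goo.gl/abc123",
    "Take my #virgin! Click to see my pics http://goo.gl/x9y8z7",
    "Great write-up on the Siren botnet: https://example.com/blog/siren",
    "Feeling lonely! Message me https://goo.gl/qwe456 and http://bit.ly/zxc",
    "lol",
]

if __name__ == "__main__":
    for t in SAMPLE_TWEETS:
        hit = parse_siren_tweet(t)
        print("SIREN" if hit else "ok   ", defang(hit["url"]) if hit else t)
    print(f"{siren_ratio(SAMPLE_TWEETS):.1%} of sample tweets fit the template")
```

The check is deliberately strict about the link: a tweet that carries two URLs, or whose URL is not the last thing in the text, is rejected, because the template ZeroFOX saw ends in a single shortened link. Loosening that (accepting any tweet with a shortener link and an exclamation point) would catch more bots at the cost of flagging ordinary users, so in practice you would pair this with the other signals the report mentions, such as the self-declared account language.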

About 30m Twitter users fell for it and clicked through. That number comes from the click statistics exposed by the trackable, Google-shortened URLs the bots were using; it counts clicks rather than distinct people, so the true number of victims is likely somewhat lower. Some portion of those who clicked undoubtedly forked over their payment card information, as well. If they did, they fell for what the FBI dubs a romance scam, though these Twitter honeys aren’t trying to lure you into a romance.

We’ve given out plenty of tips for how to avoid forking over money to internet cutie pies.

The same tips apply here, though what the bots are peddling isn’t meant to tug on your heartstrings, per se. They’re going after another part of your anatomy.

Note that the links in the Siren tweets didn’t lead to malware. Nor did they appear to be phishing attempts. That’s the good news: with more than 30m clickthroughs, that could have been one nasty malware tsunami.

All that’s wrong with those sexy babes is that they were liars.

As in, not babes, and most decidedly not even human.